Mailing List Archive: ssh-import-id

ssh-import-id

kirkland at ubuntu

Dec 15, 2010, 10:01 AM

Post #1 of 17 (18334 views)

Howdy,

We in the Ubuntu Server world have been using a handy little shell
utility for a couple of releases now, called 'ssh-import-id' [1].

Whereas ssh-copy-id _pushes_ a public key from one system to another,
ssh-import-id _pulls_ a public key from a secure key server and
installs it.

It takes one or more userid's as command line arguments, loops over
them, sequentially attempts to retrieve public keys from a web api
(using wget or curl), and can write to stdout or to file
(~/.ssh/authorized_keys).

We find this particularly handy in the cloud world, where systems are
started from pristine images every time, and we need to a way to seed
the system with credentials before the first authentication. Here, we
can run something like 'ssh-import-id kirkland' during the boot
process, and my public key will be installed by the time I log in.

It's also really useful when and if you need to grant access to the
system to others, or perhaps start a system in the cloud on behalf of
someone else. Here, we can 'ssh-import-id kirkland smoser cjwatson',
and each of these keys are retrieved and installed.

We're using URL="https://launchpad.net/~%s/+sshkeys", where %s is a
userid, but this URL could really be configurable and point to any
public or private SSH public key server. An SSL connection to a https
site with a valid certificate is, of course, essential to the security
of the key retrieval. If there were a free/public SSH key server like
pgp.mit.edu for PGP/GPG keys, that would probably make a good default
(thought I haven't found anything like this).

Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm
hopeful you might consider this ssh-import-id tool for the project.
Before we get into reviewing the code, can you tell me if this is
something that would, or would not be interesting to openssh upstream?

--
:-Dustin

Dustin Kirkland
Ubuntu Core Developer
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

Dec 15, 2010, 10:48 AM

Post #2 of 17 (18172 views)

--On 15 December 2010 12:01:22 -0600 Dustin Kirkland <kirkland@ubuntu.com>
wrote:

> Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm
> hopeful you might consider this ssh-import-id tool for the project.
> Before we get into reviewing the code, can you tell me if this is
> something that would, or would not be interesting to openssh upstream?

We'd use this if it took a username too, for a similar purpose. Currently
we pull keys out of xml and go through some convoluted perl to add them
to the right authorized_keys file of the right users, set the permissions
and ownerships right, etc., which is pretty fiddly, and not that safe when
someone next changes the desired permissions on authorized_keys, or uses
a different path specified by the config file, or whatever.

--
Alex Bligh
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

joachim at joachimschipper

Dec 15, 2010, 11:07 AM

Post #3 of 17 (18158 views)

On Wed, Dec 15, 2010 at 12:01:22PM -0600, Dustin Kirkland wrote:
> Howdy,
>
> We in the Ubuntu Server world have been using a handy little shell
> utility for a couple of releases now, called 'ssh-import-id' [1].
>
> Whereas ssh-copy-id _pushes_ a public key from one system to another,
> ssh-import-id _pulls_ a public key from a secure key server and
> installs it.
>
> It takes one or more userid's as command line arguments, loops over
> them, sequentially attempts to retrieve public keys from a web api
> (using wget or curl), and can write to stdout or to file
> (~/.ssh/authorized_keys).
>
> We find this particularly handy in the cloud world, where systems are
> started from pristine images every time, and we need to a way to seed
> the system with credentials before the first authentication. Here, we
> can run something like 'ssh-import-id kirkland' during the boot
> process, and my public key will be installed by the time I log in.
>
> It's also really useful when and if you need to grant access to the
> system to others, or perhaps start a system in the cloud on behalf of
> someone else. Here, we can 'ssh-import-id kirkland smoser cjwatson',
> and each of these keys are retrieved and installed.
>
> We're using URL="https://launchpad.net/~%s/+sshkeys", where %s is a
> userid, but this URL could really be configurable and point to any
> public or private SSH public key server. An SSL connection to a https
> site with a valid certificate is, of course, essential to the security
> of the key retrieval. If there were a free/public SSH key server like
> pgp.mit.edu for PGP/GPG keys, that would probably make a good default
> (thought I haven't found anything like this).
>
> Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm
> hopeful you might consider this ssh-import-id tool for the project.
> Before we get into reviewing the code, can you tell me if this is
> something that would, or would not be interesting to openssh upstream?

I'm not an OpenSSH developer, but: why not use SSH? Install *one*
server's key, and pull the users' keys over that connection. This seems
to have quite a few less moving parts, avoids a dependency on
wget/libcurl/..., and doesn't crash and burn when another CA signs
something it shouldn't.

Joachim
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

dkg at fifthhorseman

Dec 15, 2010, 11:27 AM

Post #4 of 17 (18155 views)

On 12/15/2010 01:01 PM, Dustin Kirkland wrote:
> If there were a free/public SSH key server like
> pgp.mit.edu for PGP/GPG keys, that would probably make a good default
> (thought I haven't found anything like this).

You could use monkeysphere [0] on these hosts and use the HKP keyserver
network (what i think you're referring to by pgp.mit.edu, above, though
i recommend *not* using pgp.mit.edu until they fix their keyserver).

If you know that your users' OpenPGP keys are going to all be signed by,
say, your own OpenPGP key which has a fingerprint of $CA_FPR, you could
put something like this in your preseed's late_command :

aptitude install monkeysphere openssh-server
monkeysphere-authentication add-identity-certifier "$CA_FPR"
mkdir ~mary/.monkeysphere
echo 'Mary Example <mary@example.org>' >> \
~mary/.monkeysphere/authorized_user_ids

monkeysphere-authentication update-users
echo 'AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' \
>> /etc/ssh/sshd_config
/etc/init.d/ssh restart

This also has the advantage that future runs of

monkeysphere-authentication update-users

will cause revoked keys to be disabled without any additional work from
the user.

hope this is useful. i'm one of the monkeysphere developers; feel free
to come ask questions on the project mailing list, or in #monkeysphere
on irc.oftc.net.

Regards,

--dkg

[0] http://web.monkeysphere.info

Re: ssh-import-id [ In reply to ]

kirkland at ubuntu

Dec 15, 2010, 11:37 AM

Post #5 of 17 (18151 views)

On Wed, Dec 15, 2010 at 12:48 PM, Alex Bligh <alex@alex.org.uk> wrote:
> --On 15 December 2010 12:01:22 -0600 Dustin Kirkland <kirkland@ubuntu.com>
> wrote:
>
>> Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm
>> hopeful you might consider this ssh-import-id tool for the project.
>> Before we get into reviewing the code, can you tell me if this is
>> something that would, or would not be interesting to openssh upstream?
>
> We'd use this if it took a username too, for a similar purpose. Currently
> we pull keys out of xml and go through some convoluted perl to add them
> to the right authorized_keys file of the right users, set the permissions
> and ownerships right, etc., which is pretty fiddly, and not that safe when
> someone next changes the desired permissions on authorized_keys, or uses
> a different path specified by the config file, or whatever.

Hi Alex,

Right now, it works as the current user, on the current user's
~/.ssh/authorized_keys file.

I'd use sudo and su to run ssh-import-id as another user, to operate
on their authorized_keys file.

--
:-Dustin

Dustin Kirkland
Ubuntu Core Developer
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

kirkland at ubuntu

Dec 15, 2010, 11:44 AM

Post #6 of 17 (18154 views)

On Wed, Dec 15, 2010 at 1:07 PM, Joachim Schipper
<joachim@joachimschipper.nl> wrote:
> On Wed, Dec 15, 2010 at 12:01:22PM -0600, Dustin Kirkland wrote:
>> Howdy,
>>
>> We in the Ubuntu Server world have been using a handy little shell
>> utility for a couple of releases now, called 'ssh-import-id' [1].
>>
>> Whereas ssh-copy-id _pushes_ a public key from one system to another,
>> ssh-import-id _pulls_ a public key from a secure key server and
>> installs it.
>>
>> It takes one or more userid's as command line arguments, loops over
>> them, sequentially attempts to retrieve public keys from a web api
>> (using wget or curl), and can write to stdout or to file
>> (~/.ssh/authorized_keys).
>>
>> We find this particularly handy in the cloud world, where systems are
>> started from pristine images every time, and we need to a way to seed
>> the system with credentials before the first authentication. Here, we
>> can run something like 'ssh-import-id kirkland' during the boot
>> process, and my public key will be installed by the time I log in.
>>
>> It's also really useful when and if you need to grant access to the
>> system to others, or perhaps start a system in the cloud on behalf of
>> someone else. Here, we can 'ssh-import-id kirkland smoser cjwatson',
>> and each of these keys are retrieved and installed.
>>
>> We're using URL="https://launchpad.net/~%s/+sshkeys", where %s is a
>> userid, but this URL could really be configurable and point to any
>> public or private SSH public key server. An SSL connection to a https
>> site with a valid certificate is, of course, essential to the security
>> of the key retrieval. If there were a free/public SSH key server like
>> pgp.mit.edu for PGP/GPG keys, that would probably make a good default
>> (thought I haven't found anything like this).
>>
>> Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm
>> hopeful you might consider this ssh-import-id tool for the project.
>> Before we get into reviewing the code, can you tell me if this is
>> something that would, or would not be interesting to openssh upstream?
>
> I'm not an OpenSSH developer, but: why not use SSH? Install *one*
> server's key, and pull the users' keys over that connection. This seems
> to have quite a few less moving parts, avoids a dependency on
> wget/libcurl/..., and doesn't crash and burn when another CA signs
> something it shouldn't.

Hi Joachim,

It's a bootstrapping issue. How do you get that "one" server's key there?

If you can retrieve a key securely over https from a trusted server
with a valid SSL certificate, you could put something like this your
unattended boot scripts:
wget -O- https://example.com/~username/pub_ssh_key >>
/home/username/.ssh/authorized_keys

ssh-import-id is a wrapper around that wget above, with better error
handling, key sanitation, etc.

--
:-Dustin

Dustin Kirkland
Ubuntu Core Developer
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

kirkland at ubuntu

Dec 15, 2010, 11:52 AM

Post #7 of 17 (18166 views)

On Wed, Dec 15, 2010 at 1:27 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> On 12/15/2010 01:01 PM, Dustin Kirkland wrote:
>> If there were a free/public SSH key server like
>> pgp.mit.edu for PGP/GPG keys, that would probably make a good default
>> (thought I haven't found anything like this).
>
> You could use monkeysphere [0] on these hosts and use the HKP keyserver
> network (what i think you're referring to by pgp.mit.edu, above, though
> i recommend *not* using pgp.mit.edu until they fix their keyserver).

Hi Daniel,

Right, I simply meant that I wasn't aware of any HKP keyserver network
specifically for public SSH keys.

> If you know that your users' OpenPGP keys are going to all be signed by,
> say, your own OpenPGP key which has a fingerprint of $CA_FPR, you could
> put something like this in your preseed's late_command :
>
> aptitude install monkeysphere openssh-server
> monkeysphere-authentication add-identity-certifier "$CA_FPR"
> mkdir ~mary/.monkeysphere
> echo 'Mary Example <mary@example.org>' >> \
> ~mary/.monkeysphere/authorized_user_ids
>
> monkeysphere-authentication update-users
> echo 'AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' \
> >> /etc/ssh/sshd_config
> /etc/init.d/ssh restart
>
> This also has the advantage that future runs of
>
> monkeysphere-authentication update-users
>
> will cause revoked keys to be disabled without any additional work from
> the user.
>
> hope this is useful. i'm one of the monkeysphere developers; feel free
> to come ask questions on the project mailing list, or in #monkeysphere
> on irc.oftc.net.

Thanks for the pointers. I'll give monkeysphere a try.

Still, it's not quite addressing the problem I think ssh-import-id
solves for us -- dead simple, fast, secure retrieval of a public SSH
keys by nothing more than a user name inserted into a URL.

--
:-Dustin

Dustin Kirkland
Ubuntu Core Developer
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

jrollins at finestructure

Dec 15, 2010, 12:01 PM

Post #8 of 17 (18155 views)

On Wed, 15 Dec 2010 13:52:09 -0600, Dustin Kirkland <kirkland@ubuntu.com> wrote:
> Still, it's not quite addressing the problem I think ssh-import-id
> solves for us -- dead simple, fast, secure retrieval of a public SSH
> keys by nothing more than a user name inserted into a URL.

This is pretty much what monkeysphere-authentication does as well. The
hard part is really not retrieval of the keys, it's how to distribute
them. Using the OpenPGP keyservers leverages a robust PKI that already
exists, rather than reinventing the wheel.

jamie.

Re: ssh-import-id [ In reply to ]

dkg at fifthhorseman

Dec 15, 2010, 12:42 PM

Post #9 of 17 (18151 views)

On 12/15/2010 02:52 PM, Dustin Kirkland wrote:
> Right, I simply meant that I wasn't aware of any HKP keyserver network
> specifically for public SSH keys.

The trouble, as you say, is that you need some sort of cryptographic
authentication that the key really does belong to the person in question.

So you're left with a choice of either:

a) running a single centrally-administered key distribution service (so
you can verify the transport itself), or

b) using a distributed keyserver network that handles material with
cryptographic identity information directly attached (so you can verify
the material that potentially-untrustworthy keyservers give you).

The existing HKP keyserver network already supports SSH keys (ssh host
keys as well as users), making it a reasonable candidate for (b) if
that's the direction you want to go.

Regards,

--dkg

Re: ssh-import-id [ In reply to ]

Dec 15, 2010, 5:25 PM

Post #10 of 17 (18140 views)

--On 15 December 2010 13:37:10 -0600 Dustin Kirkland <kirkland@ubuntu.com>
wrote:

> Right now, it works as the current user, on the current user's
> ~/.ssh/authorized_keys file.
>
> I'd use sudo and su to run ssh-import-id as another user, to operate
> on their authorized_keys file.

Sure it's possible (hell, it's possible to do the entire thing in
perl as we have demonstrated) but addition of a -u flag for root use
would save a whole pile of hassle.

--
Alex Bligh
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

Dec 15, 2010, 8:25 PM

Post #11 of 17 (18131 views)

Dustin Kirkland wrote:
> > why not use SSH? Install *one* server's key, and pull the users'
> > keys over that connection.
..
> It's a bootstrapping issue. How do you get that "one" server's key
> there?

Same way you get the command in the boot script there.

How do you do that by the way? I assume Ubuntu server .isos do not
come with ssh-import-id kirkland in them. ;)

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

kirkland at ubuntu

Dec 16, 2010, 6:07 AM

Post #12 of 17 (18143 views)

On Wed, Dec 15, 2010 at 7:25 PM, Alex Bligh <alex@alex.org.uk> wrote:
>
>
> --On 15 December 2010 13:37:10 -0600 Dustin Kirkland <kirkland@ubuntu.com>
> wrote:
>
>> Right now, it works as the current user, on the current user's
>> ~/.ssh/authorized_keys file.
>>
>> I'd use sudo and su to run ssh-import-id as another user, to operate
>> on their authorized_keys file.
>
> Sure it's possible (hell, it's possible to do the entire thing in
> perl as we have demonstrated) but addition of a -u flag for root use
> would save a whole pile of hassle.

Fair enough ;-)

If that's a blocker to getting this tool upstream into openssh, I'll
gladly add a -u option.

:-Dustin
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

Dec 16, 2010, 6:21 AM

Post #13 of 17 (18137 views)

--On 16 December 2010 08:07:03 -0600 Dustin Kirkland <kirkland@ubuntu.com>
wrote:

> If that's a blocker to getting this tool upstream into openssh, I'll
> gladly add a -u option.

To be clear, I have no commit rights and am a mere user, so am not
in a position to say it's a blocker. I'm just saying the more widely
useful it is, the better, and we'd need that for it to be useful.

Out of interest, in Scott's cloud-init stuff, I am pretty sure you
populate the ssh key for the ubuntu user whereas the script in
cloudinit runs as root. Does that mean you currently do:
su ubuntu ssh-import-id keyfile
or similar.

--
Alex Bligh
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

smoser at ubuntu

Dec 16, 2010, 10:36 AM

Post #14 of 17 (18156 views)

On Thu, 16 Dec 2010, Alex Bligh wrote:

>
>
> --On 16 December 2010 08:07:03 -0600 Dustin Kirkland <kirkland at ubuntu.com>
> wrote:
>
> > If that's a blocker to getting this tool upstream into openssh, I'll
> > gladly add a -u option.
>
> To be clear, I have no commit rights and am a mere user, so am not
> in a position to say it's a blocker. I'm just saying the more widely
> useful it is, the better, and we'd need that for it to be useful.
>
> Out of interest, in Scott's cloud-init stuff, I am pretty sure you
> populate the ssh key for the ubuntu user whereas the script in
> cloudinit runs as root. Does that mean you currently do:
> su ubuntu ssh-import-id keyfile
> or similar.

Well, cloud-init has built in code that takes a authorized key from a
metadata service and install that into a configured user's directory.
(On ec2 it comes from http://
http://169.254.169.254/latest/metadata/public-keys).

If you have additional keys that you need inserted, or you'd rather just
not deal with launching instances with '--key <mykeyname>', then you can
use "user-data" in ec2 to run a script that would include something like:

#!/bin/sh
sudo -Hu ubuntu ssh-import-id smoser

I personally don't use the user data for this that much, but I do quite
often use ssh-import-id to pull in another developers keys to an existing
instance to show them something (ie failure/bug or just to share the
resource with them).

I agree that the following is possibly simpler:
ssh-import-id -u ubuntu smoser

But I really don't think terribly so. Also, I had a merge request that
will dump the keys to a file or stdout also, rather than writing them to
$HOME/.ssh/authorized_keys.

Scott
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

smoser at ubuntu

Dec 16, 2010, 10:44 AM

Post #15 of 17 (18132 views)

On Thu, 16 Dec 2010, Peter Stuge wrote:

> Dustin Kirkland wrote:
> > > why not use SSH? Install *one* server's key, and pull the users'
> > > keys over that connection.
> ..
> > It's a bootstrapping issue. How do you get that "one" server's key
> > there?
>
> Same way you get the command in the boot script there.
>
> How do you do that by the way? I assume Ubuntu server .isos do not
> come with ssh-import-id kirkland in them. ;)

I think that its hard to argue that getting your ssh keys to a server is
not easier by
- logging into a system at the console, and then typing:
- ssh-import-id smoser
than
- logging into a system at the console, and then typing:
- plugging a USB key in, copying a .ssh key file off
~/.ssh/authorized_keys and getting perms right ...
(I guess some more elite than me might be able to type theirs from
memory.)

The thing that might be arguable is the trust in the system (depending on
https and networking and launchpad ... ). And I think that is being
argued also on this thread.

Trust aside, I personally find the utility very useful, as I would one
based on monkeysphere also.

Scott
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

joachim at joachimschipper

Dec 17, 2010, 2:56 AM

Post #16 of 17 (18133 views)

On Thu, Dec 16, 2010 at 01:44:53PM -0500, Scott Moser wrote:
> On Thu, 16 Dec 2010, Peter Stuge wrote:
> > Dustin Kirkland wrote:
> > > Joachim Schipper wrote:
> > > > why not use SSH? Install *one* server's key, and pull the users'
> > > > keys over that connection.
> > > It's a bootstrapping issue. How do you get that "one" server's key
> > > there?
> > Same way you get the command in the boot script there.
> >
> > How do you do that by the way? I assume Ubuntu server .isos do not
> > come with ssh-import-id kirkland in them. ;)
> I think that its hard to argue that getting your ssh keys to a server is
> not easier by
> - logging into a system at the console, and then typing:
> - ssh-import-id smoser

So where did ssh-import-id come from?

> than
> - logging into a system at the console, and then typing:
> - plugging a USB key in, copying a .ssh key file off
> ~/.ssh/authorized_keys and getting perms right ...
> (I guess some more elite than me might be able to type theirs from
> memory.)

Just add the key to the base .iso.

Joachim
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: ssh-import-id [ In reply to ]

kirkland at ubuntu

Jan 18, 2011, 1:50 PM

Post #17 of 17 (17966 views)

Thanks, everyone, for your insightful comments, discussion, and
pointers to other utilities!

In my reading of this thread, I do not see any concentrated interest
in the ssh-import-id utility by the upstream openssh project itself.
No worries by us -- we just thought we'd offer it, in case it were
interesting to other Unixes and Linuxes besides Ubuntu.

At this point, we are shipping the utility in a package of its own,
and available in a bzr repository. You can find all of these linked
from this project page:
* https://launchpad.net/ssh-import-id

The source code is available by branching with 'bzr branch
lp:ssh-import-id', or browsing:
* http://bazaar.launchpad.net/~ssh-import-id/ssh-import-id/trunk/files

The current code there is licensed under the GPLv3, but we would
gladly re-license it in the future to a compatible license, should
openssh ever grow an interest in this tool.

Thanks again for your consideration!

Cheers,
--
:-Dustin

Dustin Kirkland
Ubuntu Core Developer
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev