
I'm faced with the typical problem of having created an ssh key on a client and wanting to update the server's authorized_keys to contain the new client's public key.

From searching the forums I have seen many suggestions to use scp or ssh-copy-id.

However, both of these require login to the server. For security reasons, I would prefer not accepting any password login on my server, so I'm looking for a way to communicate the client's public key to the server without login.

So first question: Is there an accepted method for this?

I was thinking about using the SSH_ORIGINAL_COMMAND variable so that the client would do something like

```sh
ssh dummy@server `cat mykey.pub`
```

and in the server I would be able to use the logs to see the connection attempt (and failure since the key is unknown) and copy the original command. However, I have seen that in /var/log/secure, the connection attempt and failure are logged, but the command sent with it is not.

Which leads to the second question: Is this information logged in any other log?

If not, I had the idea of creating a user (let's say "dummy") on the server who would use its .ssh/authorized_keys to specify a forced command for all login attempts. I have already seen that doing this gives me indeed access to the SSH_ORIGINAL_COMMAND variable, which I can write to a file somewhere. The problem here is that I can only specify a forced command for a specific public key... but I would need to do it for any key.

So third question: is it possible to specify in authorized_keys a command for any key?

If not, my last solution is to indeed accept a password connection for user dummy on the server, but make sure the user cannot do anything other than calling my script with an argument (the public key) in order to ensure security.

Is this possible?

cd127
  • You could set the shell for the `dummy` user to your command. – Thom Wiggers Apr 03 '15 at 16:26
  • You could log in via a key instead of a password; plenty of sftp clients allow this and are easy to work with – user2813274 Apr 03 '15 at 16:26
  • Also why would you want to allow people to add keys to accounts, without logging in? That is pretty much as bad as setting each password to `password`. – Thom Wiggers Apr 03 '15 at 16:27
  • @Thom, I don't want to allow people to add keys to my server, I want to "see" this key on my server somewhere, so that I can manually copy it and, after verification, add it to my authorized_keys. – cd127 Apr 04 '15 at 09:16
  • @user2813274 could you please elaborate? – cd127 Apr 04 '15 at 09:17
  • like [this](http://stackoverflow.com/a/17134004/2813274) for example – user2813274 Apr 04 '15 at 16:31
  • @user2813274 thanks for your input but I don't see how it applies. In the thread you link to they are talking about a solution with a GUI - that's not what I want - and with a correct setup of ssh key pairs...which is exactly what I do not have and cannot have, because my problem is to send the public key to the server in the first place! – cd127 Apr 18 '15 at 20:50
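One way to build the "dummy" drop-box account the question sketches, added here as an example; it is not code from the original post or from any of the commenters. It assumes a pending-keys path of `/var/lib/submit-key/pending_keys`, an allow-list of key types (ed25519, RSA, ECDSA), and that the forced command is set in `sshd_config` rather than in `authorized_keys`: `ForceCommand` inside a `Match User dummy` block applies to every session of that user regardless of how it authenticated, which is the "any key" behaviour the third question asks for. A client with no accepted key still has to authenticate somehow, so this pairs with the last idea in the question (password login for `dummy` only). The script never writes to `authorized_keys`; it only validates the submitted line and appends it to a file the administrator reviews by hand.

```shell
#!/bin/sh
# submit-key: forced command for a drop-box account ("dummy" in the question).
# The client sends its public-key line as the ssh command; sshd passes it in
# SSH_ORIGINAL_COMMAND; we validate it and append it to a pending file that an
# administrator reviews by hand. Nothing here touches authorized_keys.
#
# Assumed deployment (not from the page): install as /usr/local/bin/submit-key,
# root-owned, mode 0755, give "dummy" a real shell such as /bin/sh (sshd runs
# forced commands through the user's shell, so /usr/sbin/nologin would block
# it), and add to sshd_config:
#     Match User dummy
#         PasswordAuthentication yes
#         ForceCommand /usr/local/bin/submit-key
#         AllowTcpForwarding no
#         AllowAgentForwarding no
#         X11Forwarding no
#         PermitTTY no
# Client side:  ssh dummy@server "$(cat ~/.ssh/id_ed25519.pub)"

umask 077
PENDING_FILE="${PENDING_FILE:-/var/lib/submit-key/pending_keys}"   # assumed path

# validate_pubkey KEYLINE
# Accepts one OpenSSH public-key line "type base64 [comment]". Prints the
# normalized line on success; returns 1 and prints nothing on rejection.
validate_pubkey() {
    line=$1
    # Length cap: even an RSA-4096 line is under 800 characters.
    [ "${#line}" -le 2048 ] || return 1
    # No control characters or embedded newlines: the line becomes one record
    # in a file that a human (and maybe a script) reads later.
    case $line in *[![:print:]]*) return 1 ;; esac
    set -f                      # no pathname expansion while word-splitting
    set -- $line
    set +f
    [ $# -eq 2 ] || [ $# -eq 3 ] || return 1
    ktype=$1; blob=$2; comment=${3:-}
    # The base64 blob begins with the length-prefixed type string, so the type
    # field and the blob must agree; a mismatch means a hand-edited line.
    case "$ktype $blob" in
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI"*)                  ;;
        "ssh-rsa AAAAB3NzaC1yc2E"*)                                ;;
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY"*)    ;;
        "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ"*)    ;;
        "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE"*)    ;;
        *) return 1 ;;
    esac
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]{16,}={0,2}$' || return 1
    # The comment is free text in OpenSSH; accept only a conservative set.
    [ -z "$comment" ] || printf '%s' "$comment" | grep -Eq '^[A-Za-z0-9@._-]{1,64}$' || return 1
    printf '%s %s%s\n' "$ktype" "$blob" "${comment:+ $comment}"
}

# record_pending_key KEYLINE [FILE]
# Validates KEYLINE, then appends "utc-timestamp client-address keyline" to FILE.
record_pending_key() {
    normalized=$(validate_pubkey "$1") || return 1
    file=${2:-$PENDING_FILE}
    src=${SSH_CONNECTION:-}; src=${src%% *}      # client address as seen by sshd
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${src:-unknown}" "$normalized" >>"$file"
}

# Constructed sample line (not a real key) for the stand-alone self-check.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyBlob0123456789abcdefg user@laptop'

if [ -n "${SSH_CONNECTION:-}" ]; then
    # Under sshd as the forced command: the key line is the requested command.
    # Give only a generic reason on rejection.
    if record_pending_key "${SSH_ORIGINAL_COMMAND:-}"; then
        echo "key received; it will be reviewed before it is enabled"
    else
        echo "rejected: send exactly one OpenSSH public-key line as the command" >&2
        exit 1
    fi
else
    validate_pubkey "$SAMPLE_KEY" >/dev/null && echo "self-check: sample key line validates"
fi
```

To review a submission, copy the third field onward of a pending record into a file and run `ssh-keygen -lf` on it; compare the fingerprint with the requester over a channel other than this connection before pasting the line into `authorized_keys`. The pending file only records candidates, so the exposure of this setup is the password on `dummy`, not the keys; rate-limit or fail2ban that account like any other password login.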
