
New to ServerFault, but have been on StackOverflow for a few months and loving it.

I work on a daily basis on 5 servers I have been setting up for some time now.

These servers are all AIX 7.1, and are quite similar, running all different environments of the same application.

I have the same user on all 5 of them, and their directory structure is pretty much the same.

I usually open putty sessions to all of them from my Windows laptop for my daily work, but there's also a lot of ssh and scp between them.

I want to set up SSH key-based authentication so as not to need to issue a password every time. Also to allow some automated scripts to run between them. Since I need this for automation also, I'm not planning on using ssh-agent but rather generating the key pair(s) with an empty passphrase. I'm aware it is less secure.

What I have been wondering is... what is the best approach? Should I generate a different key pair on each of the servers, and distribute each public key to the other 4? Or should I rather associate the key pair to the user (the same one on all 5 servers) and have a single key pair?

I'm not even sure this last idea is even possible since I would have a user logging in from server A (ssh client) to server B (ssh server), where the ssh server's key pair is the same as the ssh client's...? Or is it that only the client presents the keys to the server, and this is possible?

I guess I need to hit the SSH book and read more on it, but I thought I would throw it out there and see what others suggest.

James

1 Answer


I have always generated a key per client device (device I'm ssh'ing from). This makes it easier to delete a potentially compromised key - e.g. if I lose my tablet, delete the tablet key from all my servers.

For logging in from my local machine to a server, then to another server, ssh-agent can take care of that.

For scripts that SSH between servers, they get their own key, separate from my own, and unique to each server pair.

Grant
  • Thanks for the input. When in your last line you say "their own key [...] unique to each server pair", what exactly do you mean? Say if server A and server B ssh/scp between each other (with either one being able to initiate), then you would generate a public-private key-pair on server A, and a different public-private key-pair on server B, and then have each one copy its public key to the other. Is that what you are saying? – James Jan 28 '14 at 01:54
  • Exactly. If I had scripts which copied files back and forth, server A has KeyA, and server B has KeyB (with KeyB in server A's authorized keys file). – Grant Jan 28 '14 at 01:58
  • Ok, thanks. I wouldn't even be asking if it was just two servers, but with 5, where any can ssh/scp to any, the possible interactions grow. But yours is a valid approach, and I may very well end up going down that path. I'm still interested in seeing if there are any other opinions out there before I move on. :-) – James Jan 28 '14 at 02:05
  • It's a bit more work this way, but it means more control of which servers can connect to which, so you only give the minimum permissions you need to. – Grant Jan 28 '14 at 02:07
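A concrete way to set up the per-pair, minimum-permission script keys described in the answer, as an added example that is not from the thread: one passphrase-less key per server pair, pinned to the peer's address with `from=` and locked to a single command in the peer's authorized_keys, plus an audit that flags keys usable from any host. Host addresses, the `/usr/local/bin/receive-files` command and the key paths are assumptions.

```sh
#!/bin/sh
# Per-pair SSH keys with restricted authorized_keys entries (added example;
# hosts, paths and the forced command are assumptions, not from the thread).

# Build the authorized_keys line to install on the peer: usable only from the
# given source host, no forwarding or pty, and only the forced command runs.
# (OpenSSH 7.2+ can replace the no-* list with the single "restrict" option;
# the explicit list also works on older builds such as those shipped with AIX.)
# $1 = source host address, $2 = forced command, $3 = public key line
restricted_authkey_line() {
  printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,command="%s" %s\n' "$1" "$2" "$3"
}

# Audit an authorized_keys file: print the line numbers of keys that carry no
# from= restriction (i.e. accepted from any host); exit 1 if any were found.
# $1 = path to authorized_keys
unrestricted_keys() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                # skip comments and blank lines
    $0 !~ /(^|,)from="[^"]+"/ { print NR; bad = 1 }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Generate one key for the pair (this server -> $1), pin this server's scripts
# to it via ssh_config, and print the line to append to the peer's
# ~/.ssh/authorized_keys.  $1 = peer host, $2 = this host's address as seen by the peer
make_pair_key() {
  key="$HOME/.ssh/id_rsa_to_$1"          # one key file per destination server
  [ -f "$key" ] || ssh-keygen -q -t rsa -b 4096 -N '' -C "$(hostname)-to-$1" -f "$key"
  # IdentitiesOnly stops ssh from offering every other key in ~/.ssh to this peer
  printf 'Host %s\n  IdentityFile %s\n  IdentitiesOnly yes\n' "$1" "$key" >> "$HOME/.ssh/config"
  restricted_authkey_line "$2" "/usr/local/bin/receive-files" "$(cat "$key.pub")"
}
```

Running `make_pair_key serverB 10.0.0.1` on server A prints the entry to add on server B; repeat per pair and direction, then run `unrestricted_keys ~/.ssh/authorized_keys` on each server to catch any entry that was installed without the `from=` pin.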