7

Is it good practice to copy SSH IDs a la ssh-copy-id between remote servers in production, so that they can perform various SSH tasks with one another easier?

In particular, I'm setting up SSH tunnels and don't like to have to look up the very arcane passwords those servers have set. If I ssh-copy-id between the servers that are participating, is this a security risk?

Matt Joiner

1 Answer

10

Is it good practice to copy SSH IDs a la ssh-copy-id between remote servers in production, so that they can perform various SSH tasks with one another easier?

Yes, absolutely. Keep separate keys for each system, assigned to accounts with the least-needed privileges on each server. If possible use the `command=` directive in the `authorized_keys` file to restrict each key to a specific command, instead of having access to a full shell.

Another good practice you should do ASAP is to disable password authentication.

EEAA
  • My concern is that if one of these servers is compromised, they're able to SSH any other server that recognizes its host key. That is, any of those other servers I've done ssh-copy-id to from the compromised server, and without any additional requirements on their part (such as the password, that isn't stored on the server). – Matt Joiner Jun 22 '15 at 14:29
  • OK, the only system you should be copying your keys around from is your workstation. Period. Your private key gets generated there, and it should never be copied elsewhere. There's no good reason your private key should ever need to be copied elsewhere. – EEAA Jun 22 '15 at 15:15
  • Sorry, I think you misunderstand. I have my workstation, and remote servers A and B. I want A and B to be able to SSH each other without entering their individual passwords. My workstation doesn't come into it. My concern is that if A or B is compromised, so is the other. – Matt Joiner Jun 22 '15 at 15:42
  • In that case, keep separate keys for each system, assigned to accounts with the least-needed privileges on each server. If possible use the `command=` directive in the `authorized_keys` file to restrict each key to a specific command, instead of having access to a full shell. – EEAA Jun 22 '15 at 15:50
  • Those keys aren't for root, are they? Use least privilege to minimize the impact that a compromise on A could have on B. Chroot where possible or, as @EEAA said, command restrictions. – Aaron Copley Jun 22 '15 at 18:44
  • Why weren't passphrases suggested? This seems to solve all the problems I mentioned. – Matt Joiner Sep 23 '15 at 00:29
  • Because you are setting up SSH authentication between servers for automated tasks. Having to enter a passphrase each time a cron job runs doesn't sound like a good time to me. – EEAA Sep 23 '15 at 00:36
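The following shell script is an added illustration of the advice in the answer and the comment thread, not code from the answer's author or the commenters. It builds `authorized_keys` entries that pin a per-task key to one source address and one forced command (the `command=` restriction EEAA recommends), builds a tunnel-only entry for the port-forwarding case the questioner describes, and audits an `sshd_config` file for the "disable password authentication" step. The public key, the address 192.0.2.10, the command `/usr/local/bin/backup-pull` and the forward target `127.0.0.1:5432` are constructed placeholders. The `restrict` option requires OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example, not code from the answer: generate restricted authorized_keys
# entries for server-to-server keys and audit sshd_config for password logins.
# Every key, host and command here is a constructed placeholder.

# Constructed public key for "server A's backup task" (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHO serverA-backup'

# Entry for a task key: "restrict" removes pty, agent/X11/port forwarding and
# user rc; "from=" accepts the key only from one source address; "command="
# forces a single program regardless of what the client asked for.
# $1 = from= pattern, $2 = forced command, $3 = public key line.
restricted_command_entry() {
    printf 'restrict,from="%s",command="%s" %s\n' "$1" "$2" "$3"
}

# Entry for a tunnel-only key (the questioner's use case): "restrict" first,
# then "port-forwarding" re-enables forwarding, and "permitopen" pins -L
# forwards to one destination. The client side uses `ssh -N` so no shell
# or command is ever requested.
# $1 = from= pattern, $2 = permitted host:port, $3 = public key line.
tunnel_only_entry() {
    printf 'restrict,port-forwarding,permitopen="%s",from="%s" %s\n' "$2" "$1" "$3"
}

# Exit 0 if the sshd_config file named in $1 disables password authentication.
# sshd honours the FIRST occurrence of a keyword and defaults to "yes" when
# the keyword is absent, so a later "PasswordAuthentication no" does not count.
# Match blocks are not interpreted by this simple check.
password_auth_disabled() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "passwordauthentication" { found = 1; val = tolower($2); exit }
        END { exit !(found && val == "no") }
    ' "$1"
}

# Demonstration with the constructed values above.
restricted_command_entry '192.0.2.10' '/usr/local/bin/backup-pull' "$SAMPLE_PUBKEY"
tunnel_only_entry '192.0.2.10' '127.0.0.1:5432' "$SAMPLE_PUBKEY"

DEMO_CFG=$(mktemp)
printf '# constructed sshd_config fragment\nPasswordAuthentication yes\nPasswordAuthentication no\n' > "$DEMO_CFG"
if password_auth_disabled "$DEMO_CFG"; then
    echo "password auth: disabled"
else
    echo "password auth: still enabled (first directive wins)"
fi
rm -f "$DEMO_CFG"
```

A separate key pair per task, each installed with one of these entries on the receiving server, means a compromise of A yields at most the one command or the one forward that B granted, rather than a shell on B; the `from=` pattern additionally makes a copied private key useless from anywhere but A's address.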