ssh: Re: keying a fresh sshd

From: Chris Rapier <rapier_at_**********.***>
Date: Wed Oct 11 2006 - 16:57:40 EDT

Carl Karsten wrote:
>
>
> Chris Rapier wrote:
>> You could do make install-nokeys on your linux box.
>
> um... huh? i have 2 linux boxes:

Ah, my mistake. I assumed that since you were writing to the list for
the windows version of openssh at least one of the boxes involved was
windows. No matter.

> BoxA is my main box that I use for day to day work. I run ssh on it to
> connect to BoxB (and other boxes)
>
> BoxB is the test box that gets wiped every few days.
>
>> This will maintain your current set of keys. If part of your test is
>> to actually test the keygen and installation then you want to look at
>> the CheckHostIP ssh client option. Try setting it to 'no'. I wouldn't
>> set it that way in the config file though.
>
> I would rather not dumb down BoxA (my normal box) or BoxA' (my laptop) -
> I also connect to real remote boxes (over the Net) so checking keys
> seems like a good idea. If I could turn it off for a particular host,
> that would be fine, but I don't think that is an option. Unless... is
> there a ssh command line switch? I looked at man ssh when this first
> started bugging me and couldn't find anything that helped.

Yes, everything in the config files is also a command line switch using
the '-o' options. EG: -o CheckHostIP=no

> Looking for just something I can do to BoxB. I have a post install
> script that runs, which can wget files from a local web server. my
> thought is to put a set of key files on there and just whack the ones
> that the "apt-get install openssh-server" generate.

Modify the install routine to use "make install-nokeys" instead of "make
install". This will prevent your box from generating new keys and
overwriting your olds one. I have no idea if apt-get will let you pass
options to the make command. If it doesn't I'd consider
A) only having apt-get fetch and build but not install. Then use a post
install script to run 'make install-nokeys'
B) See if the server apt-get is using also has CVS access to the same
packages. Write a script to have CVS check out the sources, build them,
and run 'make install-nokeys'

--
List Info:      http://erdelynet.com/ssh-l/
List Archives:  http://erdelynet.com/archive/ssh-l/
To Unsubscribe: Mail mailto:ssh+unsubscribe@erdelynet.com

Received on Wed Oct 11 16:57:47 2006

This archive was generated by hypermail 2.1.8 : Wed Oct 11 2006 - 16:57:48 EDT