How to configure dual SSH keys? - SSH


Thread: How to configure dual SSH keys?

  1. How to configure dual SSH keys?

    For reasons which are obscure but valid, I am trying to configure SSH
    so that for one particular target machine, I have separate Host and
    root keys, as well as a separate known_hosts and authorized_keys file.
    For all other machines I use a second set of SSH keys and
    known_hosts/authorized_keys files in the standard locations.

    1. I can use separate SSH keys for root by specifying a Host-specific
    path via 'IdentityFile' in ssh_config.

    2. I can use a separate known_hosts file by specifying a Host-specific
    path via 'UserKnownHostsFile' in ssh_config.

    3. I haven't figured out how to use two authorized_keys files for
    root.

    4. I haven't figured out how to use two sets of Host keys.

    Any thoughts?

    thanks!

    mb

    (OpenSSH_4.3p2, OpenSSL 0.9.7i)
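Items 1 and 2 above, written out as a client-side ssh_config with a resolver that shows which value ssh would pick for a given host. This is an added example, not part of mb's post; the host name `special-host`, port `2222` and directory `/root/.ssh/special` are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): a client ssh_config that gives one
# target its own identity and known_hosts files while every other host keeps
# the standard locations. Names and paths below are placeholders.

# write_client_config OUTFILE TARGET PORT KEYDIR
# Writes a stanza for TARGET followed by a catch-all stanza. ssh uses the
# first value it obtains for an option, so the specific Host block must come
# before "Host *". KEYDIR is assumed to hold the alternate key material.
write_client_config() {
    out=$1; target=$2; port=$3; keydir=$4
    cat >"$out" <<EOF
# The one machine that gets separate key material.
Host $target
    HostName $target
    Port $port
    IdentityFile $keydir/id_rsa
    IdentitiesOnly yes
    UserKnownHostsFile $keydir/known_hosts
    StrictHostKeyChecking yes

# Everything else: standard locations.
Host *
    IdentityFile ~/.ssh/id_rsa
    UserKnownHostsFile ~/.ssh/known_hosts
EOF
}

# config_option FILE HOST OPTION
# Prints the value the first matching stanza sets for OPTION, mimicking ssh's
# first-obtained-value rule. This small resolver only understands exact host
# names and the "*" pattern; it prints nothing if no stanza sets the option.
config_option() {
    awk -v host="$2" -v opt="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "Host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == host || $i == "*") inblock = 1
            next
        }
        inblock && $1 == opt && !found { print $2; found = 1 }
    ' "$1"
}

# Usage: write the file and check what each host resolves to.
# write_client_config /root/.ssh/config special-host 2222 /root/.ssh/special
# config_option /root/.ssh/config special-host IdentityFile
# config_option /root/.ssh/config anything-else IdentityFile
```

`IdentitiesOnly yes` keeps ssh from also offering the keys held by an agent or the default files when talking to the special host, so only the intended key reaches that server; `StrictHostKeyChecking yes` means the separate known_hosts file must already contain the host key rather than being filled in on first contact.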


  2. Re: How to configure dual SSH keys?

    mb wrote:
    > For reasons which are obscure but valid, I am trying to configure SSH
    > so that for one particular target machine, I have separate Host and
    > root keys, as well as a separate known_hosts and authorized_keys file.
    > For all other machines I use a second set of SSH keys and
    > known_hosts/authorized_keys files in the standard locations.

    > 1. I can use separate SSH keys for root by specifying a Host-specific
    > path via 'IdentityFile' in ssh_config.

    > 2. I can use a separate known_hosts file by specifying a Host-specific
    > path via 'UserKnownHostsFile' in ssh_config.

    > 4. I haven't figured out how to use two sets of Host keys.

    Based on what input? A particular running OpenSSH is only going to have
    one set of host keys. You could connect to another server (perhaps
    running on another port) to access the alternate keys.

    Use HostKey with the alternate server to point to the alternate
    location.

    Then you can deny root access on the normal server and allow it on this
    one.

    > 3. I haven't figured out how to use two authorized_keys files for
    > root.

    Since you're going to need a separate server for #4, you can use that
    here. Use AuthorizedKeysFile to point to the location.

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >
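Darren's two-daemon arrangement (HostKey and AuthorizedKeysFile on a second sshd, root refused on the everyday one) as a pair of sshd_config files plus the launch steps. This is an added example, not Darren's or the thread's own code; the port `2222` and everything under `/etc/ssh/alt` are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): configs for the two-daemon setup.
# Port 2222 and the /etc/ssh/alt paths are placeholders for this example.

# write_server_configs DIR
# Writes DIR/sshd_config for the everyday daemon and DIR/sshd_config.alt for
# the second daemon that carries its own host key, authorized_keys and root
# policy. sshd honours the first occurrence of each option.
write_server_configs() {
    dir=$1
    cat >"$dir/sshd_config" <<EOF
# Everyday daemon: standard key material, root login refused outright.
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin no
PasswordAuthentication no
EOF
    cat >"$dir/sshd_config.alt" <<EOF
# Second daemon on its own port with a separate host key and key file.
Port 2222
# A second instance needs its own pid file or it clobbers the first one's.
PidFile /var/run/sshd.alt.pid
HostKey /etc/ssh/alt/ssh_host_rsa_key
# %u expands to the user name, so root's keys live in .../authorized_keys/root
AuthorizedKeysFile /etc/ssh/alt/authorized_keys/%u
# Root only with a key, never a password ("prohibit-password" from OpenSSH 7.0 on).
PermitRootLogin without-password
PasswordAuthentication no
EOF
}

# sshd_option FILE OPTION -> the first value set for OPTION, as sshd would use it.
sshd_option() {
    awk -v opt="$2" '/^[[:space:]]*#/ { next } $1 == opt { print $2; exit }' "$1"
}

# start_alt_sshd DIR
# Generates the alternate host key if missing, syntax-checks the config with
# sshd -t, then launches the second daemon. Needs root; not run by the test.
start_alt_sshd() {
    dir=$1
    mkdir -p /etc/ssh/alt/authorized_keys
    chmod 700 /etc/ssh/alt
    [ -f /etc/ssh/alt/ssh_host_rsa_key ] || \
        ssh-keygen -t rsa -N "" -f /etc/ssh/alt/ssh_host_rsa_key
    /usr/sbin/sshd -t -f "$dir/sshd_config.alt" || return 1
    /usr/sbin/sshd -f "$dir/sshd_config.alt"
}

# Usage:
# write_server_configs /etc/ssh && start_alt_sshd /etc/ssh
```

The everyday daemon keeps `PermitRootLogin no`, so the root-capable path exists only on the second port; as Darren notes later in the thread, enabling root on both daemons would work but would not buy anything. Clients that should reach the second daemon pick it by `Port` in their own ssh_config, and the alternate host key's public half is what goes into their separate known_hosts file.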

  3. Re: How to configure dual SSH keys?

    >>>>> "mb" == mb writes:

    mb> For reasons which are obscure but valid,

    You need to state what you're trying to accomplish; otherwise, we can't
    help you much. What you're asking doesn't make much sense, as it stands.

    mb> I am trying to configure SSH so that for one particular target
    mb> machine, I have separate Host and root keys, as well as a separate
    mb> known_hosts and authorized_keys file.

    This is rather unclear. It's normal for all servers to have different
    hostkeys. The term "root key" is not standard; I'll guess you mean some
    client authentication keys normally used by the root account on the SSH
    client host. They would normally be different from the hostkeys, also.

    As for the known_hosts and authorized_keys files: the former is relevant
    on the client, not the server, while the latter is on the server but
    corresponds to an account, not a machine, so I don't know what you mean by
    a host having a "separate authorized_keys file."

    mb> 3. I haven't figured out how to use two authorized_keys files for
    mb> root.

    Again, state your goals: *why* do you want two authorized_keys files? In
    what different contexts would they be used? How would it be different
    from simply listing multiple keys in a single file?

    mb> 4. I haven't figured out how to use two sets of Host keys.

    I don't even know what this means. An SSH server has some number of host
    keys which it can offer to a client. Though theoretically you could offer
    different keys to different clients based on some criteria (actually, IP
    address is all you've got at that point), I know of no implementation that
    does this.

    Tell us what you're trying to do.

    --
    Richard Silverman
    res@qoxp.net


  4. Re: How to configure dual SSH keys?

    Darren Dunham wrote:

    > ...A particular running OpenSSH is only going to have
    > one set of host keys. You could connect to another server (perhaps
    > running on another port) to access the alternate keys.
    >
    > Use HostKey with the alternate server to point to the alternate
    > location.
    >
    > Then you can deny root access on the normal server and allow it on this
    > one.

    That sounds workable. Is there any reason why root access couldn't be
    allowed for all clients, and the one special client would just connect
    explicitly to the second sshd's port?

    thanks for the suggestions!

    mb


  5. Re: How to configure dual SSH keys?

    mb wrote:
    > Darren Dunham wrote:
    >
    >> ...A particular running OpenSSH is only going to have
    >> one set of host keys. You could connect to another server (perhaps
    >> running on another port) to access the alternate keys.
    >>
    >> Use HostKey with the alternate server to point to the alternate
    >> location.
    >>
    >> Then you can deny root access on the normal server and allow it on this
    >> one.

    > That sounds workable. Is there any reason why root access couldn't be
    > allowed for all clients, and the one special client would just connect
    > explicitly to the second sshd's port?

    Root access isn't a facility of the client, it's a facility of the
    server. There's nothing special about the client (although you might be
    supplying some different arguments to it for connection information).

    So, yes, you can allow root access on both servers, but that might not be
    getting you any extra security. (Of course you might not be looking for
    that.)

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >
