[K12OSN] RSH vs SSH (was some other topic)
Petre Scheie
petre at maltzen.net
Wed Aug 4 13:59:54 UTC 2004
Gavin's How-to will no doubt cover all this, perhaps in a better way,
but here's a quick-n-dirty way. Use this expect script to allow any
user to generate the id_dsa.pub file without any interaction:
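#!/usr/bin/expect -f
# Never time out while waiting for ssh-keygen or the shell
set timeout -1
# Start the user's own shell and run ssh-keygen inside it
spawn $env(SHELL)
match_max 100000
send -- "ssh-keygen -t dsa\r"
# Accept the default key file (~/.ssh/id_dsa)
expect -exact ".ssh/id_dsa): "
send -- "\r"
# Empty passphrase, entered twice
expect -exact "for no passphrase): "
send -- "\r"
expect -exact "Enter same passphrase again: "
send -- "\r"
# Wait for the shell prompt (assumed to end in "]$") before exiting
expect -exact "]$"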
------------------------------------------------------
Note that the last line is telling expect to wait for the prompt before
exiting the script. Put this in a file called, say,
/tmp/sshkeygen.exp, change its permissions to 755 (rwxr-xr-x) and then,
as root, loop through all your user IDs, running su and calling
sshkeygen.exp; for example:
for x in user1 user2 user3 user4
do
    echo "$x"
    su - "$x" -c /tmp/sshkeygen.exp
done
Now all your users will have ~/.ssh/id_dsa.pub files. Copy each user's
file to his/her respective ~/.ssh/authorized_keys2 file. To do this it
would probably be easiest to NFS export the /home directory on the app
server, and mount it on the ltsp server, and then write a script that
does something like
    cp /home/${user}/.ssh/id_dsa.pub /appsrvmountpoint/${user}/.ssh/authorized_keys2
(be sure to get the permissions right on the authorized_keys2 file).
Then you should be good to go.
Petre
Shawn Powers wrote:
> Les Bell wrote:
>
>> Putting my security professional's hat on, I would *strongly* recommend
>> that you use ssh rather than rsh. There are too many other things
>> that will
>>
> Fair enough Les, but do you (or anyone else) know some sort of "hands
> free" way to script authorized_keys2 into everyone's .ssh directory?
> My reasoning for rsh was none other than I didn't want to create a
> public key for each user. Is my thinking backwards? If there is a
> way I can get SSH to work as painlessly as rsh will (in theory, I've
> never used rsh, but it's been around a while) I'm all ears.
>
> Anyone?
>
> Thanks,
> -Shawn
>
>
>
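
Added example, not part of the original post: one way to do the copy step while getting "the permissions right". With StrictModes enabled (the sshd_config default), sshd ignores a key file when the home directory, ~/.ssh or the file itself is writable by group or others. The helper names install_key and perms_ok, the paths and the key line are constructed for illustration.

```shell
#!/bin/sh
# install_key PUBFILE HOME [OWNER]  (hypothetical helper, added example)
# Append the key in PUBFILE to HOME/.ssh/authorized_keys2 exactly once and
# set the modes that sshd's StrictModes check accepts.
install_key() {
    pub=$1; home=$2; owner=${3:-}
    dir=$home/.ssh
    auth=$dir/authorized_keys2      # file name used in the post
    [ -s "$pub" ] || return 1       # refuse a missing or empty key file
    mkdir -p "$dir" && touch "$auth" || return 1
    key=$(head -n 1 "$pub")
    # Append only if this exact line is absent, so reruns add no duplicates.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 700 "$dir" && chmod 600 "$auth" || return 1
    # As root, hand the files to the account that will log in.
    if [ -n "$owner" ]; then chown "$owner" "$dir" "$auth" || return 1; fi
}

# perms_ok HOME  (hypothetical helper)
# Succeed only if HOME, HOME/.ssh and the key file exist and none of them is
# writable by group or others.
perms_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys2"; do
        [ -e "$p" ] || return 1
        [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ] || return 1
    done
}

# Demo in a scratch directory with a constructed (not real) public key line.
demo=$(mktemp -d)
mkdir -p "$demo/home/user1"; chmod 755 "$demo/home/user1"
echo 'ssh-dss AAAAB3CONSTRUCTED user1@ltsp' > "$demo/id_dsa.pub"
install_key "$demo/id_dsa.pub" "$demo/home/user1" \
    && perms_ok "$demo/home/user1" \
    && echo "user1: key installed, permissions pass the check"
rm -rf "$demo"
```

Run as root over the NFS mount, pass the user name as the third argument so the files end up owned by that user rather than root.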