[K12OSN] RSH vs SSH (was some other topic)

Petre Scheie petre at maltzen.net
Wed Aug 4 13:59:54 UTC 2004


Gavin's How-to will no doubt cover all this, perhaps in a better way, 
but here's a quick-n-dirty way.  Use this expect script to allow any 
user to generate the id_dsa.pub file without any interaction:

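#!/usr/bin/expect -f
# Drive ssh-keygen from the user's own shell, answering every prompt with Enter.
set timeout -1
spawn $env(SHELL)
match_max 100000
send -- "ssh-keygen -t dsa\r"
# Accept the default key file (~/.ssh/id_dsa).
expect -exact ".ssh/id_dsa): "
send -- "\r"
# Empty passphrase, entered twice.
expect -exact "for no passphrase): "
send -- "\r"
expect -exact "Enter same passphrase again: "
send -- "\r"
# Wait for the shell prompt to return before exiting.
expect -exact "]$"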

------------------------------------------------------
Note that the last line is telling expect to wait for the prompt before 
exiting the script.   Put this in a file called, say, 
/tmp/sshkeygen.exp, change its permissions to 755 (rwxr-xr-x) and then, 
as root, loop through all your user IDs, running su and calling 
sshkeygen.exp; for example:

for x in user1 user2 user3 user4
do
echo $x
su - $x -c /tmp/sshkeygen.exp
done

Now all your users will have ~/.ssh/id_dsa.pub files.  Copy each user's 
file to his/her respective ~/.ssh/authorized_keys2 file.  To do this it 
would probably be easiest to NFS export the /home directory on the app 
server, and mount it on the ltsp server, and then write a script that 
does something like

cp /home/${user}/.ssh/id_dsa.pub /appsrvmountpoint/${user}/.ssh/authorized_keys2

(be sure to get the permissions right on the authorized_keys2 file).  
Then you should be good to go.

Petre



Shawn Powers wrote:

> Les Bell wrote:
>
>> Putting my security professional's hat on, I would *strongly* recommend
>> that you use ssh rather than rsh. There are too many other things that will
>>
> Fair enough Les, but do you (or anyone else) know some sort of "hands 
> free" way to script authorized_keys2 into everyone's .ssh directory?  
> My reasoning for rsh was none other than I didn't want to create a 
> public key for each user.  Is my thinking backwards?  If there is a 
> way I can get SSH to work as painlessly as rsh will (in theory, I've 
> never used rsh, but it's been around a while) I'm all ears.
>
> Anyone?
>
> Thanks,
> -Shawn
>
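
The copy-and-permissions step from Petre's message, as an added example that is not part of the original post: it appends the public key instead of overwriting with cp, sets the modes that sshd's StrictModes check accepts (nothing group- or other-writable), and refuses symlinked targets since the loop runs as root. The function names install_pubkey and loose and the optional owner argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: install one user's public key with safe ownership and modes.
# install_pubkey and loose are hypothetical helper names, not from the post.

# loose PATH: print PATH if it is a symlink or is group/other-writable.
loose() {
    [ -L "$1" ] && { echo "$1"; return 0; }
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print
}

# install_pubkey PUBFILE HOMEDIR [OWNER]
install_pubkey() {
    pub=$1 home=$2 owner=${3:-}
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys2
    [ -s "$pub" ] || { echo "missing or empty key: $pub" >&2; return 1; }
    # A symlinked .ssh or key file could redirect a root-run copy elsewhere.
    if [ -L "$sshdir" ] || [ -L "$auth" ]; then
        echo "refusing symlink under $home" >&2
        return 1
    fi
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir" || return 1
    key=$(cat "$pub")
    # Append rather than overwrite (a plain cp replaces any keys already
    # there), and skip the append when the key is already present.
    grep -qxF -- "$key" "$auth" 2>/dev/null || printf '%s\n' "$key" >> "$auth"
    chmod 600 "$auth" || return 1
    # Files created by root must be handed back to the user.
    if [ -n "$owner" ]; then
        chown "$owner" "$sshdir" "$auth" || return 1
    fi
    # Succeed only if neither path is left writable by group or other.
    [ -z "$(loose "$sshdir"; loose "$auth")" ]
}
```

Inside the root loop this would be called as `install_pubkey /home/$x/.ssh/id_dsa.pub /appsrvmountpoint/$x $x`, using the mount point named in the message.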
