Comments for ssh-keyinstall

23 Jun 2008 11:31 nicc777

Thanks
Big thanks for a tool that just works :-)

25 Feb 2004 13:34 billw1955

patch to make chmod of local and remote home dir optional, default off
Ssh-keyinstall changes the permissions of the home directories of both the local user and the remote user to 700. In one case, this can be disastrous.

The problem case is the default Solaris configuration - the home directory of user root is /. Running ssh-keyinstall with root/Solaris on either or both sides results in services stopping and all other users being locked out of the machine(s).

The following patch makes the chmod optional and off by default. To force chmod of both remote and local directories to 700, use -m.

--- /usr/bin/ssh-keyinstall 2002-09-10 16:12:17.000000000 -0400
+++ ssh-keyinstall 2004-02-25 16:07:58.000000000 -0500
@@ -154,6 +154,7 @@
wrap '-h shows this help.' >&2
wrap '-v runs verbosely.' >&2
wrap '-t forces the remote server type to OPENSSH, COMSSH1 (commercial ssh 1), or COMSSH2. Use this if the autodetect fails.' >&2
+ wrap '-m forces old behavior of chmod both local and remote directories to 700. Default now is to leave permissions alone.' >&2
exit 1
}

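Review bot: the new `-m` help line ends with "Default now is to leave permissions alone", but the later hunks still run `chmod 700` on `~/.ssh` and `~/.ssh2` unconditionally; only the home directory itself is skipped. It also says "local and remote directories" where it means the home directories. Suggest wording along the lines of "-m also sets the local and remote home directories to mode 700 (the old behavior); by default only ~/.ssh and ~/.ssh2 are changed".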
@@ -163,7 +164,7 @@
showhelp
fi

-unset REMOTECOMMAND REMPORT SERVERNAME REMUSERNAME VERBOSE
+unset REMOTECOMMAND REMPORT SERVERNAME REMUSERNAME VERBOSE MODHOMEDIR
while [ -n "$1" ]; do
case $1 in
-c|--remote-command)
@@ -202,6 +203,10 @@
exit 1
fi
;;
+ -m|--mod-home-dir)
+ MODHOMEDIR='DOIT'
+ shift 1
+ ;;
-t|--server-type)
if [ -n "$2" ]; then
case "$2" in
@@ -403,7 +408,7 @@
fi

mkdir -p ~/.ssh ~/.ssh2 #We may not need both, but feel free to bill me for the lost 4K.
- chmod 700 ~ ~/.ssh ~/.ssh2
+ chmod 700 ${MODHOMEDIR:+~} ~/.ssh ~/.ssh2

case $CLIENTTYPE in
OPENSSH)
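Review bot: in `chmod 700 ${MODHOMEDIR:+~} ~/.ssh ~/.ssh2` the home directory comes from tilde expansion inside the `:+` word, which is easy to misread and stops working if the expansion is ever quoted; `${MODHOMEDIR:+"$HOME"}` names the same directory without depending on that. Separately, with `-m` given this line still applies mode 700 to whatever the home directory is, so the home-directory-is-`/` case from the description is avoided only by not passing the flag; a check that refuses when the home directory is `/` would cover it in both modes.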
@@ -484,7 +489,7 @@
#being forced, the commands we're spcecifying won't be run. Do for all server sections.
# PASSONLY='-o "RSAAuthentication no" -o "PubkeyAuthentication no"' perhaps? good for openssh 2 client.
#FIXME set PASSONLY in each of the client tests above and user below.
- $SSHCommand ${REMUSERNAME}@${SERVERNAME} 'chmod 700 ~ ; mkdir -p ~/.ssh ; chmod 700 ~/.ssh ; rm -f ~/.ssh/newpubkey ~/.ssh/authorized_keys2.temp ; [ -f ~/.ssh/authorized_keys2 ] && cat ~/.ssh/authorized_keys2 >~/.ssh/authorized_keys2.temp'
+ $SSHCommand ${REMUSERNAME}@${SERVERNAME} "${MODHOMEDIR:+chmod 700 ~ ;} mkdir -p ~/.ssh ; chmod 700 ~/.ssh ; rm -f ~/.ssh/newpubkey ~/.ssh/authorized_keys2.temp ; [ -f ~/.ssh/authorized_keys2 ] && cat ~/.ssh/authorized_keys2 >~/.ssh/authorized_keys2.temp"
if [ -n "$REMOTECOMMAND" ]; then
$SSHCommand ${REMUSERNAME}@${SERVERNAME} "echo -n command=\\\"$REMOTECOMMAND\\\" ' ' >>~/.ssh/authorized_keys2.temp"
fi
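Review bot: changing the remote command string on the `+` line from single to double quotes hands the whole string to the local shell first, so the `~` paths now rely on the client leaving them literal inside double quotes, and any `$` or backquote added to this line later will be expanded on the client rather than on the server. Consider keeping the fixed part single-quoted and prepending only the optional piece, for example by setting a variable (say `REMCHMOD='chmod 700 ~ ;'`, a suggested name) in the `-m` branch and sending `"$REMCHMOD"' mkdir -p ~/.ssh ; ...'`; that variable would also need adding to the `unset` list.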
@@ -506,7 +511,7 @@
wrap You will be asked to enter your remote password for each of the following commands. If you disagree with a particular command, or simply wish to perform it yourself, enter an incorrect password.
REMKEYNAME=${SSH2DSAPUBKEY##*/}
set -x
- $SSHCommand ${REMUSERNAME}@${SERVERNAME} 'chmod 700 ~ ; mkdir -p ~/.ssh2 ; chmod 700 ~/.ssh2'
+ $SSHCommand ${REMUSERNAME}@${SERVERNAME} "${MODHOMEDIR:+chmod 700 ~ ;} mkdir -p ~/.ssh2 ; chmod 700 ~/.ssh2"
set +x
wrap I need to check if the remote key name is already in use.
set -x
@@ -547,7 +552,7 @@
exit 1
fi
mkdir -p ~/.ssh
- chmod 700 ~ ~/.ssh
+ chmod 700 ${MODHOMEDIR:+~} ~/.ssh
if [ -f ~/.ssh/identity ] && [ -f ~/.ssh/identity.pub ]; then
debug Existing identity and identity.pub files, using those.
PRIVATEKEY=~/.ssh/identity #Don't quote the tilde's; they need to be expanded by the shell
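Review bot: without `-m`, `chmod 700 ${MODHOMEDIR:+~} ~/.ssh` no longer touches the home directory and nothing in this hunk reports its mode, so a home directory that is writable by group or others now passes through unnoticed. A warning when that is the case, without changing the mode, would keep the new default while still flagging the condition the old unconditional `chmod 700 ~` dealt with.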
@@ -603,7 +608,7 @@
#FIXME - temp auth file
wrap You will be asked to enter your remote password for each of the following commands. If you disagree with a particular command, or simply wish to perform it yourself, enter an incorrect password.
set -x
- $SSHCommand ${REMUSERNAME}@${SERVERNAME} 'chmod 700 ~ ; mkdir -p ~/.ssh ; chmod 700 ~/.ssh ; rm -f ~/.ssh/newpubkey'
+ $SSHCommand ${REMUSERNAME}@${SERVERNAME} "${MODHOMEDIR:+chmod 700 ~ ;} mkdir -p ~/.ssh ; chmod 700 ~/.ssh ; rm -f ~/.ssh/newpubkey"
$SCPCommand $SSH1PUBKEY ${REMUSERNAME}@${SERVERNAME}:.ssh/newpubkey
if [ -n "$REMOTECOMMAND" ]; then
$SSHCommand ${REMUSERNAME}@${SERVERNAME} "echo -n command=\\\"$REMOTECOMMAND\\\" ' ' >>~/.ssh/authorized_keys" ' ; cat ~/.ssh/newpubkey >>~/.ssh/authorized_keys ; chmod 600 ~/.ssh/authorized_keys ; rm -f ~/.ssh/newpubkey'
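Review bot: the prefix `${MODHOMEDIR:+chmod 700 ~ ;}` is now written out in three separate remote commands (the `authorized_keys2.temp` one, the `~/.ssh2` one and this `newpubkey` one), so any later change to it has to be repeated in each. Define the optional prefix once next to the option parsing and reference that single variable in all three commands.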

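A guard for the problem case described in the comment above (a home directory of `/`), as an added example that is not part of that comment, the patch, or ssh-keyinstall itself. The function name `home_chmod_plan` and the words it prints are made up for illustration.

```shell
#!/bin/sh
# Added example: decide what to do about a home directory's permissions.
# home_chmod_plan is a hypothetical helper, not part of ssh-keyinstall.
# Usage: home_chmod_plan DIR [FORCE]
# Prints one of: refuse-rootdir, chmod-700, warn-writable, leave
home_chmod_plan() {
    dir=$1
    force=${2:-}

    # Resolve symlinks and trailing slashes so a link to / is caught too.
    real=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "no-such-dir"; return 1; }

    # The case from the comment: root's home is / on a default Solaris
    # install, and chmod 700 / locks out every other user and service.
    # Refuse even when the caller asked for the chmod.
    if [ "$real" = "/" ]; then
        echo "refuse-rootdir"
        return 0
    fi

    # Caller passed the equivalent of -m: tighten the home directory.
    if [ -n "$force" ]; then
        echo "chmod-700"
        return 0
    fi

    # Not forced: leave the mode alone, but report a home directory that
    # group or others can write to. Characters 6 and 9 of the ls mode
    # string are the group-write and other-write bits.
    mode=$(ls -ld "$real" | cut -c1-10)
    case $mode in
        ?????w*|????????w*) echo "warn-writable" ;;
        *)                  echo "leave" ;;
    esac
}
```

A caller would run `chmod 700` on the directory only when the function prints `chmod-700`, and print a warning for `warn-writable` or `refuse-rootdir`.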
16 Apr 2001 08:58 wstearns

Re: Useful?

> #!/bin/sh
>
> ssh-keygen
> scp ~/.ssh/identity.pub $1:~/.ssh/authorized_keys
>
> Hmm, worth it.


For ssh1, that's just about it. What about ssh2? The soup of filenames and key conversions gets a lot uglier with the different flavors of ssh2.

- Bill

16 Apr 2001 08:21 blob

Useful?
#!/bin/sh

ssh-keygen

scp ~/.ssh/identity.pub $1:~/.ssh/authorized_keys

Hmm, worth it.
