Setup SSH Public Key for Another Machine Without Access – How to Guide

linuxsshssh-keys

This might be a stupid question but I have to ask it anyway:
I already did setup an ssh public key for my client machine A. I copied the public key to the remote server, everything works fine, I can log in from machine A.

Now I also want to access that server from another machine and following best practices, I wanted to generate another key for client machine B, rather than using the key from machine A again. Of course I can generate the key pair but I'm not able to copy that new public key to the server because client machine B has no access to server, only A has.

The only solution I see at the moment seems to be taking the new public key on a USB stick to client machine A and copy it to the server from there, but that seems to be a little tedious and not very practical when n machines are located rather far from each other.

What is the right approuch to do that?

The client and the server are both running Linux.

Best Answer

Not sure there is a right approach, you still need to access the server somehow and since the machine A is only access point for now, you still need to get it physically at least once as well as other n machines. So, why not to collect all pubkeys to the USB stick and move it to machine A to spread to the server's users' home .ssh config dirs?

Without USB stick there are some options also.

Var #1. Temporary enable password login on server from machine A. Generate keypairs and copy pubkeys to server from machines B, C, D, etc. just in normal way. Disable password login to server.

Var #2. If even temporary password login is considered as a security flaw, create a temporary user on server that has access nothing but its home directory, enable password login for this user only. Generate keypairs and copy pubkeys to server from machines B, C, D, etc. to this user's home directory. Pubkey is not a confidential and its potential hidjaking is considered to be a safe situation, however its spoofing is not, so you may consider encrypting or signing it somehow (gpg). Login to server from machine A, spread pubkey to server's users, disable the temporary user used.

Var #3. If the ssh server reboot is not an option, you could make machine A to be a temporary ssh server and use it as a intermediate station to copy ssh pubkeys to the real server.

Var #4. Use another communication channel (another remote server, maybe even public one, e-mail, etc.). Once again, pubkey is not a confidential, but make sure to sign them to protect from spoofing.

Related Solutions

SSH Key – How to Create a Public Key from a Private Key

Use the -y option to ssh-keygen:

ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub

From the 'man ssh-keygen'

 -y      This option will read a private OpenSSH format file and print an
         OpenSSH public key to stdout.

Specify the private key with the -f option, yours might be dsa instead of rsa. The name of your private key probably contains which you used. The newly generated public key should be the same as the one you generated before.

Linux – How to Automatically Add New Host to known_hosts

Set the StrictHostKeyChecking option to no, either in the config file or via -o :

ssh -o StrictHostKeyChecking=no username@hostname.com

Best Answer

Related Solutions

SSH Key – How to Create a Public Key from a Private Key

Linux – How to Automatically Add New Host to known_hosts

Related Topic