Wednesday, February 25, 2015

adding pubkeys all over the place

security is good. let's just repeat that. disabling strict host key checking is bad. repeat that, too.
let's pretend you need to put pubkeys all over the place so that you can run a script all over the place.
let's say that you want to keep on doing your host key checking because, well, it is a good thing. but you are in a rush.
and you have like a zillion servers to check.

here's what you do:

user = fluffybunny
pass = likes.carrots
for ip_addr in $(cat nodes) ; do  
ping -q -c 1 $ip_addr &&  
expect -c "  
spawn ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -l $user $ip_addr  
expect \"?assword:*\"  
send -- \"$pass\r\"  
expect "~"  
send -- \"mkdir .ssh\r\"  
expect "~"  
send -- \"chmod 700 .ssh\r\"  
send \"exit\r\"  
spawn scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no authorized_keys2 $user@$ip_addr:/home/$user/.ssh/authorized_keys2  
expect \"?assword:*\"  
send -- \"$pass\r\"  
expect eof  
nb: you have a standard account across all systems. it is called "fluffybunny" the password is "likes.carrots". nodes is a file with all the nodes you need to pubkey.
Post a Comment