This script tries to export ssh public keys to specified sites. It will walk the user through generating key pairs if it doesn't find any to export. It handles all the fiddly details, like remembering the ssh keyfile names, updating the authorized_keys file and making sure local and remote permissions are correct. It tells you what it's doing if it has to change anything.
Each name@host argument is the name of a host where your public keys should be installed. If it contains a @, the part before the @ will be clipped off and used as the login name. Otherwise your local login name will be used.
Note: this script does not parse your ssh configuration — therefore, if you have specified a different remote user in your configuration, this script will not know that. You can use the user@host syntax to force the remote username.
On any remote Linux system using SELinux, the security context of root's authorized_keys is restored whenever it is modified or deleted.
If either of the files ~/.config/sshexport or ~/.ssh/sshexport.rc exists, places where you install keys will be recorded in it, along with the password used to access the host and the port (if non-default). This record will also be updated when you use the check option, so you can use that option to check sites where you may have previously installed keys and add them to the list. Entries are edited when you delete remote keys; the key is deleted, but not the password and port information.
Beware that if your account is cracked, this record will offer the intruder a menu of other systems to attack, escalating security risks. Thus, to enable the recording feature, you must explicitly create ~/.ssh/sshexport.rc or ~/.config/sshexport.rc using touch(1) or some other means. This tool will not create the file for you. Also, it checks permissions on these files at startup and bails out with a message if they are not limited to the owning user.
Invoked with the -h option, the program prints a usage summary and exits.
Invoked with the -c option, the program checks your local and remote ssh configuration for problems without changing anything (except that your record of where you have installed keys is updated).
The -p option allows you to set a port number, overriding the default 22. This may be useful if you have a firewall and port forwarding setup. Port numbers are recorded if you have recording set up.
Invoked with the -d option, the program deletes any public keys under the specified login at the specified host. The password and the -p option need not be specified if an entry was recorded for this host. The configuration entries for any such keys are also removed, but not port and password information.
The -r option force-installs your keys on all sites recorded in your installation log. By removing your keys (to force a key pair generation) you can ship new keys to all sites.
The -v option says to report all commands and responses during the session. It's mainly useful for debugging.
Sites where keys have been installed may be recorded in ~/.sshexport or ~/.config/sshexport (the second location is preferred if ~/.config exists).
This program relies on ptys to work correctly in combination with exec, but some implementations (notably under FreeBSD) don't. Suspect this if you see termination with the message "Remote ls returned empty string, bailing out".
If you encounter this or any other bug, the first thing to do is run with -v and see if that clarifies matters. If not, send the maintainer a session transcript.
Eric S. Raymond <esr@thyrsus.com>.
There is a project web page at http://www.catb.org/~esr/sshexport/.