From the Canyon Edge -- :-Dustin

Wednesday, February 1, 2012

ssh-import-id gaining some steam

My Google Alerts and IRC highlights have been firing almost daily with references to ssh-import-id, a handy utility I co-authored with my buddy Scott Moser a couple of years ago.

That's quite exciting to me actually, as I find the tool really, really useful, and I wish more people knew about it.  I tried in vain to contribute it to the OpenSSH project, as a complement to ssh-copy-id, but it never landed there.  Oh well.  There's rarely a day that goes by that I don't use it, actually.  I frequently use virtual machines in public clouds;  usually EC2 but not exclusively.  I often want to share that machine with a colleague.  Rather than sharing a password, I simply:

$ ssh-import-id edygarcia sergio-pena
INFO: Successfully authorized [edygarcia] 
INFO: Successfully authorized [sergio-pena]

And now, I just share the hostname or IP with Eddie and Sergio and they can SSH into this machine and authenticate using their SSH keypair.

Reviewing what actually happened...

  1. ssh-import-id looped over each of the arguments on the command line, which are typically Launchpad user IDs
  2. Fetched each user's public keys from
  3. Validated each key's syntax
  4. And concatenated the results to the local ~/.ssh/authorized_keys file

The methodology is secure in that:
  • I know what each of my colleagues' Launchpad IDs is, and that's easier to remember than their SSH fingerprints
  • I know that they had to authenticate with Launchpad to upload their SSH public keys
  • I know that the communication between my system and Launchpad was authenticated and private as it used https with a valid SSL certificate

Note that I've uploaded a couple of minor fixes to ssh-import-id in the last 2 weeks that more accurately validate the contents of the public keys retrieved from Launchpad (thanks, Soren, for one of those).
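
To illustrate the kind of syntax check described in step 3 above, here is an added example (not ssh-import-id's own code) that accepts a fetched line only if it is a bare public key whose base64 blob names the same key type as the line's first field. The accepted type list, the function names and the sample input are assumptions constructed for this illustration.

```python
import base64

# Key types accepted here (an assumption, not ssh-import-id's own list).
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def read_string(blob, offset=0):
    """Read one SSH wire 'string': uint32 big-endian length, then bytes."""
    length = int.from_bytes(blob[offset:offset + 4], "big")
    body = blob[offset + 4:offset + 4 + length]
    if len(blob) < offset + 4 or len(body) != length:
        raise ValueError("truncated field")
    return body


def validate_key_line(line):
    """Return the line if it is a bare '<type> <base64> [comment]' key."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    if fields[0] not in ALLOWED_TYPES:
        raise ValueError("unexpected first field")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64")
    # The blob starts with its own copy of the type name; it must agree.
    if read_string(blob) != fields[0].encode():
        raise ValueError("declared type does not match key blob")
    return " ".join(fields)


def filter_keys(fetched_text):
    """Split fetched text into accepted lines and (line, reason) rejects."""
    accepted, rejected = [], []
    for raw in filter(str.strip, fetched_text.splitlines()):
        try:
            accepted.append(validate_key_line(raw))
        except ValueError as err:
            rejected.append((raw, str(err)))
    return accepted, rejected


# Constructed sample: an all-zero ed25519 blob, not anyone's real key.
BLOB = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(32)
GOOD = "ssh-ed25519 " + base64.b64encode(BLOB).decode() + " alice@example"
SAMPLE = "\n".join([GOOD, "<html>error page</html>", "ssh-rsa " + GOOD.split()[1]])
```

Only the lines returned in the first list from `filter_keys(SAMPLE)` would be appended to ~/.ssh/authorized_keys; the rejects carry the reason each line was refused.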

You can always grab the latest version from ppa:launchpad/ssh-import-id, though perhaps I should SRU some of these changes to Lucid/Natty/Oneiric.  Anyone willing to test and validate those SRUs, if I propose and upload them?