Re: apt-key says deprecated, but not saying what else to use
Gene Heskett wrote:
> I'd like to plead for a new apt-key, one that would survey the existing
> list, and on finding a key that is expired or is no longer associated,
> offer the option of removing it, or refreshing it.
>
> I have up to 7 machines on my local network, usually accessed by some
> ssh/sshfs variation, but my current keyring since I'm first user,
> probably has 30 some keys, many of which are useless as the target
> machine has been changed by a new machine and a new bare metal install.
This is ssh key management, not apt key management. apt key
things are for trusting package repositories.
> I consider those "dead" keys to be security risks. But at present, there
> is not a means to identify and remove them that I am aware of.
>
> So I would plead for an apt-key replacement that would automate that
> process. At the present state, my connection scripts to re-establish my
> local network after a reboot or power failure recovery are all blocked
> because of machine replacements/reinstalls using the same IP address,
> yadda yadda, so I must answer yes, then supply my first user password
> for that machine because I do want to continue connecting to that
> machine. That can rapidly turn into a PITA.
Here's what you should do:
1. create a new ssh keypair on your main machine:
ssh-keygen -t rsa -b 4096 -f gene2021
2. for each $targetmachine in your 7 machines, do this:
- ssh $targetmachine
- mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys_old
- don't close that terminal
- open a new terminal and make sure you can ssh in by
password, then
- ssh-copy-id -i gene2021 $targetmachine
- make sure you can ssh in with the gene2021 key:
ssh -i gene2021 $targetmachine
- if it's good, close both terminals and go on to the next
$targetmachine
3. clean up: remove keys in ~/.ssh/ that aren't gene2021 and
aren't useful otherwise.
Now you have one known good keypair that lets you in to all
seven machines without a password, and you can use a password as
fallback.
Now, it sounds like you also have a problem with machines
getting randomly assigned IP addresses. In a network of size 7,
I would strongly advise you to stop using DHCP and just put in
static IP assignments for each machine in
/etc/network/interfaces.
-dsr-
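The "answer yes, then type the password again" symptom Gene describes after a reinstall at the same IP comes from the client's known_hosts host-key check, not from authorized_keys, so here is an added script (not from the thread) that does for ssh host keys what Gene asked of apt-key: survey a plain, unhashed known_hosts file and replace entries whose key no longer matches what the machine presents. It assumes OpenSSH's known_hosts line format, ssh-keyscan for the live survey, and constructed host names; a replaced key should be confirmed against the machine's own fingerprint before it is trusted.

```shell
#!/bin/sh
# Survey an unhashed known_hosts file ("host[,alias...] keytype base64key" lines)
# and refresh entries whose host key has changed. Added example, not from the
# thread; assumes HashKnownHosts is off so host names are readable.

# refresh_known_host FILE HOST "HOST KEYTYPE BASE64"
# Exit status: 0 entry already current, 1 stale entry replaced, 2 new entry added.
refresh_known_host() {
    kh=$1; host=$2; fresh=$3
    ktype=$(printf '%s\n' "$fresh" | awk '{print $2}')
    fresh_key=$(printf '%s\n' "$fresh" | awk '{print $3}')
    # Current key for this host and key type. The first field is a comma-separated
    # host list, so split it and compare each name exactly (no substring matches).
    current=$(awk -v h="$host" -v t="$ktype" '
        $1 !~ /^#/ && $2 == t {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { print $3; exit }
        }' "$kh")
    if [ -z "$current" ]; then
        printf '%s\n' "$fresh" >> "$kh"
        return 2
    fi
    [ "$current" = "$fresh_key" ] && return 0
    # Stale: drop the old line(s) for this host/key type, keep everything else,
    # then append the fresh key (aliases on the old line are not carried over).
    awk -v h="$host" -v t="$ktype" '
        { keep = 1 }
        $1 !~ /^#/ && $2 == t {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
        }
        keep { print }' "$kh" > "$kh.tmp" && mv "$kh.tmp" "$kh"
    printf '%s\n' "$fresh" >> "$kh"
    return 1
}

# Live survey: ask each machine for its current ed25519 key and reconcile.
# ssh-keyscan trusts whatever answers on the wire, so confirm any REPLACED key
# against `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on that
# machine's console before relying on it.
survey_hosts() {
    kh=$1; shift
    for h in "$@"; do
        fresh=$(ssh-keyscan -t ed25519 "$h" 2>/dev/null | grep -v '^#')
        [ -z "$fresh" ] && { echo "$h: unreachable, left as is"; continue; }
        rc=0; refresh_known_host "$kh" "$h" "$fresh" || rc=$?
        case $rc in
            0) echo "$h: current" ;;
            1) echo "$h: REPLACED stale key, verify its fingerprint" ;;
            2) echo "$h: added" ;;
        esac
    done
}
```

Run it as `survey_hosts ~/.ssh/known_hosts box1 box2 ...` with your own host names; the constructed names here are placeholders.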