
Re: apt-key says deprecated, but not saying what else to use



Gene Heskett wrote: 
> I'd like to plead for a new apt-key, one that would survey the existing 
> list, and on finding a key that is expired or is no longer associated, 
> offer the option of removing it, or refreshing it.
> 
> I have up to 7 machines on my local network, usually accessed by some 
> ssh/sshfs variation, but my current keyring since I'm first user, 
> probably has 30 some keys, many of which are useless as the target 
> machine has been changed by a new machine and a new bare metal install.

This is ssh key management, not apt key management. apt key
things are for trusting package repositories.

> I consider those "dead" keys to be security risks. But at present, there 
> is not a means to identify and remove them that I am aware of.
> 
> So I would plead for an apt-key replacement that would automate that 
> process. At the present state, my connection scripts to re-establish my 
> local network after a reboot or power failure recovery, are all blocked 
> because of machine replacements/reinstalls using the same ip address 
> yadda yadda, so I must answer yes, then supply my first user password 
> for that machine because I do want to continue connecting to that 
> machine. That can rapidly turn into a PITA.

Here's what you should do:

1. create a new ssh keypair on your main machine:
    ssh-keygen -t rsa -b 4096 -f gene2021

2. for each $targetmachine in your 7 machines, do this:
    - ssh $targetmachine
    - mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys_old
    - don't close that terminal 
    - open a new terminal and make sure you can ssh in by
      password, then
    - ssh-copy-id -i gene2021.pub $targetmachine
    - make sure you can ssh in with the gene2021 key:
      ssh -i gene2021 $targetmachine
    - if it's good, close both terminals and go on to the next
      $targetmachine

3. clean up: remove keys in ~/.ssh/  that aren't gene2021 and
   aren't useful otherwise.

Now you have one known good keypair that lets you in to all
seven machines without a password, and you can use a password as
fallback.

Now, it sounds like you also have a problem with machines
getting randomly assigned IP addresses. In a network of size 7,
I would strongly advise you to stop using DHCP and just put in 
static IP assignments for each machine in
/etc/network/interfaces.

-dsr-
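The three steps dsr lists, as an added example script that is not from this thread: per host it sets the old authorized_keys aside, installs the new key, checks that the key alone logs in (password fallback disabled, so a key that never got installed cannot hide behind it) and puts the old file back otherwise; prune_authorized_keys is the step 3 clean-up generalized to an authorized_keys file, such as the authorized_keys_old copies left on each host. NEW_KEY and HOSTS are assumed names; the key strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. NEW_KEY (the step 1 private key, with its
# .pub beside it) and HOSTS (space-separated targets) are assumed names.
NEW_KEY="${NEW_KEY:-$HOME/.ssh/gene2021}"
HOSTS="${HOSTS:-}"

# Print "type base64" from a public-key or authorized_keys line, skipping any
# leading options (from="...", command="...") and the trailing comment.
key_body() {
  awk '{ for (i = 1; i <= NF; i++)
           if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i " " $(i+1); exit } }'
}

# prune_authorized_keys KEEP.pub FILE: print FILE keeping only lines whose key
# matches KEEP.pub (options such as from= survive); dropped keys go to stderr.
prune_authorized_keys() {
  keep=$(key_body < "$1")
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    if [ "$(printf '%s\n' "$line" | key_body)" = "$keep" ]; then
      printf '%s\n' "$line"
    else
      printf 'pruned stale key: %s\n' "${line##* }" >&2
    fi
  done < "$2"
}

# Succeed only if the new key alone opens HOST: BatchMode plus
# PasswordAuthentication=no rule out the password fallback.
verify_key_login() {
  ssh -i "$NEW_KEY" -o IdentitiesOnly=yes -o BatchMode=yes \
      -o PasswordAuthentication=no "$1" true 2>/dev/null
}

# rotate_host HOST: set the old file aside, install the new key, verify, and
# put the old file back if the key-only login does not work.
rotate_host() {
  host=$1
  ssh "$host" 'mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys_old' || return 1
  if ssh-copy-id -i "$NEW_KEY.pub" "$host" && verify_key_login "$host"; then
    echo "$host: key-only login OK; old keys kept in authorized_keys_old"
  else
    echo "$host: key-only login FAILED, restoring authorized_keys" >&2
    ssh "$host" 'mv ~/.ssh/authorized_keys_old ~/.ssh/authorized_keys'
    return 1
  fi
}

for h in $HOSTS; do rotate_host "$h"; done
```

Run it with HOSTS set to the seven machines only once password login to each has been confirmed in a second terminal, as step 2 says; the rollback depends on it.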
