
Re: apt-key says deprecated, but not saying what else to use



On Sunday 20 June 2021 10:21:52 Dan Ritter wrote:

> Gene Heskett wrote:
> > I'd like to plead for a new apt-key, one that would survey the
> > existing list, and on finding a key that is expired or is no longer
> > associated, offer the option of removing it, or refreshing it.
> >
> > I have up to 7 machines on my local network, usually accessed by
> > some ssh/sshfs variation, but my current keyring since I'm first
> > user, probably has 30 some keys, many of which are useless as the
> > target machine has been changed by a new machine and a new bare
> > metal install.
>
> This is ssh key management, not apt key management. apt key
> things are for trusting package repositories.
>
> > I consider those "dead" keys to be security risks. But at present,
> > there is not a means to identify and remove them that I am aware of.
> >
> > So I would plead for an apt-key replacement that would automate that
> > process. At the present state, my connection scripts to
> > re-establish my local network after a reboot or power failure
> > recovery, are all blocked because of machine replacements/reinstalls
> > using the same ip address yadda yadda, so I must answer yes, then
> > supply my first user password for that machine because I do want to
> > continue connecting to that machine. That can rapidly turn into a
> > PITA.
>
> Here's what you should do:
>
> 1. create a new ssh keypair on your main machine:
>     ssh-keygen -t rsa -b 4096 -f gene2021
>
> 2. for each $targetmachine in your 7 machines, do this:
>     - ssh $targetmachine
>     - mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys_old
>     - don't close that terminal
>     - open a new terminal and make sure you can ssh in by
>       password, then
>     - ssh-copy-id -i gene2021.pub $targetmachine
>     - make sure you can ssh in with the gene2021 key:
>       ssh -i gene2021 $targetmachine
>     - if it's good, close both terminals and go on to the next
>       $targetmachine
>
> 3. clean up: remove keys in ~/.ssh/  that aren't gene2021 and
>    aren't useful otherwise.
>
> Now you have one known good keypair that lets you in to all
> seven machines without a password, and you can use a password as
> fallback.
>
> Now, it sounds like you also have a problem with machines
> getting randomly assigned IP addresses. In a network of size 7,
> I would strongly advise you to stop using DHCP and just put in
> static IP assignments for each machine in
> /etc/network/interfaces.
>
> -dsr-
I haven't used dhcp in 23 years, don't even run a server in my dd-wrt 
router.  Used a hosts file on my first install in 1998, never saw an 
advantage to changing.

Sometimes a new machine gets added while the old one is still live and 
eventually gets renamed/readdressed when the old one has supplied its 
data to the new one and is turned off for good, but those keys remain.

Case in point, demoing side effects, I had a pair of ark shoeboxes 
running cnc machines in the garage and they started to fail a year ago 
so I bought 4 off-lease dell 7010's with 4 core i5's and 4 gigs of ram 
as that's a great plenty to run LinuxCNC. No drives, no winders licence. 
Cheap that way.

The old ark's with d525mw mobos were so noisy I had to be within 10 feet 
of the garage door motor to run it with a pocket pad.  After replacing 
the old arks with the dells, all with SSD's now, I found my pocket pad 
could run it from 80+ feet away.  The Dells were that much quieter. But 
they run 24/7 and I am seeing a rise in my electric bill from all those 
old i5's. But one got dedicated to running a 3d printer so got its dram 
filled up and it's been shut down and rebooted a couple hundred times 
since with no problems in its SSD so I may start shutting them down but 
then when do I turn amanda loose to back them up? She doesn't like her 
schedule to be disturbed.

If I live long enough, I'm 86 now, I may convert them all to being run 
with rpi4's. Draws about 25 watts with its monitor, but runs a 4kw 
machine when LinuxCNC is running as the machine's power is 100% 
controlled by LinuxCNC. And the rpi4 has more than enough giddyup to run 
LinuxCNC well. An rpi3 can do it too, but it's being pushed. Part of that 
holdup is the cost of the interfacing to the pi's, over $200 a copy. 4 
mesa cards involved per copy.

Thanks for the instructs Dan, recipe printed, I'll see about doing the 
cleanup one machine at a time.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
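Dan's three-step recipe, turned into a script. This is an added example, not code from the thread or from either poster: it keeps his "don't close that terminal" safety net as a persistent ssh control connection (authenticated by password or the old key) that can put the old authorized_keys back if the new key is rejected, and it proves the new key works with a fresh connection that is forbidden from falling back to a password. The key name gene2021 is taken from the thread; the host names, the sample keys in the demo and the hypothetical amanda entry are constructed. The last function covers the other case Gene describes, a reinstalled machine at the same address: that is a changed host key in the client's ~/.ssh/known_hosts, which `ssh-keygen -R` removes.

```shell
#!/bin/bash
# Added example (not from the thread): scripts Dan's three steps for a list of
# hosts. Assumptions: the new key is called gene2021 as in the thread; hosts
# still accept password logins during the rotation; sample keys are constructed.
set -u

NEWKEY="${NEWKEY:-$HOME/.ssh/gene2021}"

# Step 1: one new keypair on the main machine (Dan's ssh-keygen line).
make_key() {
    [ -f "$NEWKEY" ] || ssh-keygen -t rsa -b 4096 -f "$NEWKEY"
}

# keep_only_key IN PUB OUT: rewrite authorized_keys IN to OUT keeping only the
# entry whose key body matches PUB. Prints how many entries were kept and
# fails if that is zero, so an empty file (a lockout) is never written.
keep_only_key() {
    want=$(awk '{ print $2 }' "$2")
    awk -v want="$want" '
        /^[[:space:]]*#/ { next }                       # comment line
        NF == 0          { next }                       # blank line
        { for (i = 1; i <= NF; i++)                     # options may precede the key type
              if ($i == want) { print; next } }
    ' "$1" > "$3"
    chmod 600 "$3"
    kept=$(grep -c . "$3" || true)
    echo "$kept"
    [ "$kept" -gt 0 ]
}

# Step 2 for one host. The control connection is Dan's open terminal: it stays
# up, already authenticated, until we are sure the new key works.
rotate_host() {
    host=$1
    ctl="$HOME/.ssh/rotate-%C"
    ssh -o ControlMaster=yes -o ControlPath="$ctl" -o ControlPersist=10m -fN "$host" || return 1
    ssh -o ControlPath="$ctl" "$host" 'cp -p ~/.ssh/authorized_keys ~/.ssh/authorized_keys_old 2>/dev/null; true'
    ssh-copy-id -o ControlPath="$ctl" -i "$NEWKEY.pub" "$host" >/dev/null || return 1

    tmp=$(mktemp -d)
    scp -q -o ControlPath="$ctl" "$host:.ssh/authorized_keys" "$tmp/cur"
    # Drop every other key only after the new one is in place.
    if keep_only_key "$tmp/cur" "$NEWKEY.pub" "$tmp/new" >/dev/null; then
        scp -q -o ControlPath="$ctl" "$tmp/new" "$host:.ssh/authorized_keys"
    fi
    # Fresh connection, the new key only, no password fallback: the real test.
    if ssh -o ControlPath=none -o BatchMode=yes -o IdentitiesOnly=yes \
           -i "$NEWKEY" "$host" true; then
        echo "$host: rotated"
    else
        echo "$host: new key rejected, restoring old authorized_keys" >&2
        ssh -o ControlPath="$ctl" "$host" 'mv ~/.ssh/authorized_keys_old ~/.ssh/authorized_keys'
    fi
    ssh -o ControlPath="$ctl" -O exit "$host" 2>/dev/null
    rm -rf "$tmp"
}

# A reinstalled machine at the same address presents a new host key. That is
# a known_hosts entry on the client, not an authorized_keys entry on the
# server; forget it so the next connection can learn the new one.
forget_host() {
    ssh-keygen -R "$1"
}

# Offline demo of the pruning step on a constructed authorized_keys file.
demo_prune() {
    d=$(mktemp -d)
    cat > "$d/gene2021.pub" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnewkey2021 gene@coyote
EOF
    cat > "$d/authorized_keys" <<'EOF'
# keys collected since 1998 (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCstale1 gene@oldbox
no-pty,command="/usr/bin/amcheck" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCamanda amanda@backup

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnewkey2021 gene@coyote
ssh-dss AAAAB3NzaC1kc3MAAACBANstale2 gene@ark1
EOF
    keep_only_key "$d/authorized_keys" "$d/gene2021.pub" "$d/pruned"
    rm -rf "$d"
}

case "${1:-}" in
    key)    make_key ;;
    rotate) shift; for h in "$@"; do rotate_host "$h"; done ;;
    forget) forget_host "$2" ;;
    demo)   demo_prune ;;
esac
```

Run it as `./rotate.sh key`, then `./rotate.sh rotate host1 host2 ...`, and `./rotate.sh forget host` for a machine that has been reinstalled. Note that `keep_only_key` does exactly what Dan's step 3 says: in the demo the restricted `amanda@backup` entry is dropped along with the stale keys, so any service key that should stay has to be re-added deliberately afterwards.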