Manual Synchronization of Keys

Lee Painter

If your SSH server does not support the AuthorizedKeysCommand directive (< OpenSSH .6.8) you can alternatively set up a periodic synchronization of keys from the JADAPTIVE Key Server.

Each account's public keys are accessible using a public URL on the Key Server. These can be accessed via the scripts installed as part of our Installing Synchronization Scripts article. These scripts can be configured to periodically run and update the authorized_keys file for an account you want to integrate with the key server.

To understand how to configure an account and how to provide access to Key Server users you should consult the article Configuring Accounts for Access. The remaining content of this article assumes you have set up an account and that some users have been assigned access.

The Synchronization Script

After you have installed the Key Server scripts package you will have access to the keyserver-sync script. You can manually execute this script for any user to see their authorized keys. 

Execute the script passing the home directory and then the username of the user. 

keyserver-sync /root root

If you have configured the users' account correctly and assigned some Key Server users executing the script will return the accounts authorized keys. All you need to do is to set this up to execute periodically to synchronize with the users' authorized_keys file.

Please note, that execution of this script alone does not change the users' authorized_keys file. You need to pipe the output of the command into this file when you want to perform the update. This allows you to check that the account is set up correctly before you automate the update.

Automating the Script

You can set up the script to execute periodically with crontab. How often is up to you but normally you would rotate your keys every couple of months, so a daily or twice daily update should suffice. 

Edit the users' crontab; if the user is not root you can edit the users' crontab directly from the root account using:

crontab -e -u bob

Or if you are root and are setting up access for root then

crontab -e

Place a new line in the crontab, for example, the following will synchronize keys every 4 hours for root.

0 */4 * * * keyserver-sync /root root > ~/.ssh/authorized_keys

Just change the users' home directory and username to suit the account you are configuring. If you are setting up many accounts then changing the time within the hour it synchronizes to ensure your server does not get a single hit of lots of requests would be advisable. To do this just change the first digit from 0 to 15 to have it synchronize at 15 minutes past every 4th hour. If you want a longer period, for example, */4 to */12 will synchronize every 12 hours.