ssh-keysync is a bunch of scripts, which put all the stored ssh-public-keys of your clients together into on ssh_known_hosts file which ever client will download.
This provides more security against ssh man-in-the-middle attacks.
The idea:
- There is a server machine, which has all ssh public keys of all your client/servers stored locally
(This could be easily done at installation time. Think of FAI.) - On that server ssh-keysync-merge is run, which will put all client keys together to on ssh_known_hosts file.
For each host key it will figure out the FQDN, possbile second host names if you have multiple domains and the IP address and build an entry include all these information. (This process is run every hour by default.)
The built ssh_known_hosts file is put into an public folder on a webserver to which all clients have access. (for exmaples) - All client machines pull the ssh_known_hosts file and save it to /etc/ssh/ssh_known_hosts (Every hour might be usefull as well)
- From now on it should be possible to decide wether the ssh key on the remote machine has changed or not, because of all clients knowing the correct key. (Assuming the admin didnĀ“t do anything bad.)
Where can I get this?
Debian packages
You can install ssh-keysync directly from APT
Put the follwing line(s) into the /etc/apt/sources.lists on your machines.
On the client you will need to install rbm-ssh-keysync-client on the ssh-keysync server machine rbm-ssh-keysync-server is needed.
deb http://debian.rfc2324.org/debian/ stable main
deb http://debian.rfc2324.org/debian/ unstable main
deb http://debian.rfc2324.org/debian/ unstable main
Newest version from GIT
To get copy of my GIT repository I manage ssh-keysync in type:
git clone http://git.rfc2324.org/repositories/ssh-keysync.git/