
SSH Key rotation to remote servers

How to rotate the Ezeelogin key pair from Gateway to remote servers?


How to rotate the key pair from the Ezeelogin server to the remote servers?


Synopsis: To regenerate the key manually, first run the command that regenerates the key. While it waits, open the parallel shell and run the highlighted command printed during regeneration, which copies the newly generated public key to the remote servers. Then press Enter and check the Global key from the GUI to confirm the changes.


Step 1. To generate the new 4192-bit key pair in the Ezeelogin jump host installation, run the following command on the gateway server.

The global key now supports ed25519, ecdsa, dsa, and rsa key types starting from Ezeelogin version 7.37.8. Refer to the article to upgrade to the latest version.

- The generated private key would be encrypted and cannot be retrieved.

- The maximum supported private key size would be 4192 bits.

Step 1. Enter the following command to reset the global key. This will regenerate ed25519 key by default.

root@jumpserver:~# /usr/local/ezlogin/eztool.php -regenerate_ssh_key

Step 2. Run the highlighted command using the parallel shell to copy the new public key to all servers.

             The idea would be to copy the newly generated public key to /root/.ssh/authorized_keys on the remote servers.

####################################

# Ezeelogin Tool                   #

####################################

Checking environment... done

Checking license... done

Enter Ezeelogin administrator password: admin1234

Regenerate SSH key pair...

- New SSH key pair generated. Execute the following command on all remote servers using parallel shell feature to add the new public key in authorized keys:

echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6UB77XUIYCSUvy8c1qCE58S2voNOBeXIl66ozjeADn ezlogin' >> ~/.ssh/authorized_keys

NOTE:

You should execute the above command on all remote servers using the parallel shell feature to add the new public key in authorized keys, and wait for the parallel shell execution to complete before pressing any key to return to the command line.

After it is done, press enter key to continue...

Step 3. Wait for the parallel shell execution to complete before pressing any key to return to the command line.

             This will ensure that the new public_key is copied across all servers.

Step 4: User can view the updated global key from GUI under Servers -> Global key

or

Step 4: User can view the updated global key from the CLI. Run the command below.

[root@gateway ~]# cat /usr/local/etc/ezlogin/id_key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6UB77XUIYCSUvy8c1qCE58S2voNOBeXIl66ozjeADn ezlogin
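
The `echo ... >> ~/.ssh/authorized_keys` command from Step 2 appends a line on every run and does not remove the previous key line. The shell functions below are an added example, not Ezeelogin code: they add the new public key only if it is missing and, when given the old public key line, remove it after the new one is confirmed. The names `is_pubkey_line`, `key_count` and `rotate_key` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Ezeelogin code: function names and the optional old-key
# argument are assumptions made for illustration.
# Usage on a remote server:
#   rotate_key ~/.ssh/authorized_keys 'NEW PUBLIC KEY LINE' ['OLD PUBLIC KEY LINE']

# is_pubkey_line LINE: succeeds if LINE is one line of a key type the page lists.
is_pubkey_line() {
    case "$1" in
        *"
"*) return 1 ;;   # embedded newline: would smuggle in a second entry
        "ssh-ed25519 "?*|"ssh-rsa "?*|"ssh-dss "?*|"ecdsa-sha2-"?*" "?*) return 0 ;;
        *) return 1 ;;
    esac
}

# key_count FILE LINE: prints how many lines of FILE equal LINE exactly.
key_count() {
    if [ -f "$1" ]; then grep -cxF -- "$2" "$1" || true; else echo 0; fi
}

# rotate_key FILE NEW_LINE [OLD_LINE]: runs in a subshell so umask stays local.
rotate_key() (
    file=$1 new=$2 old=${3:-}
    is_pubkey_line "$new" || { echo "refusing: not a public key line" >&2; exit 1; }
    umask 077
    mkdir -p "$(dirname "$file")" && touch "$file" && chmod 600 "$file" || exit 1
    # A file lacking a final newline would glue the new key onto the last entry.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then echo >> "$file"; fi
    # Append only if absent, so a repeated parallel-shell run adds no duplicate.
    grep -qxF -- "$new" "$file" || printf '%s\n' "$new" >> "$file" || exit 1
    # Retire the previous key only once the new one is confirmed present.
    if [ -n "$old" ] && [ "$old" != "$new" ] && grep -qxF -- "$new" "$file"; then
        tmp=$(mktemp "$file.XXXXXX") || exit 1
        grep -vxF -- "$old" "$file" > "$tmp" || [ $? -eq 1 ] || exit 1
        cat "$tmp" > "$file" && rm -f "$tmp"   # rewrite in place, mode unchanged
    fi
)
```

Remove the old key line only after a login through the gateway with the new key has been confirmed on that server.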

 

How to regenerate global key pair with specific key type?

Step 1: Refer to the help option for regenerating the global key pair.

[root@gateway ~]# /usr/local/ezlogin/eztool.php -- -help

-regenerate_ssh_key : Regenerate Global SSH key
-ssh_key_type : Global SSH key type (ed25519, ecdsa, dsa, rsa) for SSH to remote devices. Note: All remote machines should support this key type. (only for -regenerate_ssh_key)

Step 2: Run the command below, replacing the key type, to generate the global key pair with the chosen key type.

root@jumpserver:~# /usr/local/ezlogin/eztool.php -regenerate_ssh_key -ssh_key_type ecdsa

 
