SSH Key rotation to remote servers

167 admin October 5, 2024 Migration & Maintenance, Security Features 11735

How to rotate the Ezeelogin key pair from Gateway to remote servers?

Overview: This article explains the process of manually regenerating the key by running the command to generate it, distributing the new key across remote servers via a parallel shell, and verifying changes in the Global key through the GUI.

Step 1: To generate the new 4192-bit key pair in the Ezeelogin jump host installation, run the following command on the gateway server. This will reset the global key and will regenerate the ed25519 key by default.

root@gateway:~# /usr/local/ezlogin/eztool.php -regenerate_ssh_key

Step 2: Run the highlighted command using the parallel shell to copy the new public key to all servers. The idea would be to copy the newly generated public key to /root/.ssh/authorized_keys on the remote servers.

####################################

# Ezeelogin Tool #

####################################

Checking environment... done

Checking license... done

Enter Ezeelogin administrator password: admin1234

Regenerate SSH key pair...

- New SSH key pair generated. Execute the following command on all remote servers using parallel shell feature to add the new public key in authorized keys:

echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6UB77XUIYCSUvy8c1qCE58S2voNOBeXIl66ozjeADn ezlogin' >> ~/.ssh/authorized_keys

Note:

Execute the above command on all remote servers using the parallel shell feature to add the new public key in authorized keys and Wait for the parallel shell execution to complete before pressing any key to return to the command line

After it is done, press enter key to continue...

Step 3: Wait for the parallel shell execution to complete before pressing any key to return to the command line. This will ensure that the new public_key is copied across all servers.

Step 4: The user can view the updated global key from GUI under Servers -> Global key

Step 4(A): The user can also view the updated global key from CLI. Run the below command on the gateway server.

root@gateway:~# cat /usr/local/etc/ezlogin/id_key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6UB77XUIYCSUvy8c1qCE58S2voNOBeXIl66ozjeADn ezlogin

How to regenerate a global key pair with a specific key type?

Step 1: Refer help option for regenerating the global key pair. Run below command on the gateway server to view the help menu.

root@gateway:~# /usr/local/ezlogin/eztool.php -- -help

-regenerate_ssh_key : Regenerate Global SSH key
-ssh_key_type : Global SSH key type (ed25519, ecdsa, dsa, rsa) for SSH to remote devices. Note: All remote machines should support this key type. (only for -regenerate_ssh_key)

Step 2: Run the below command on the gateway server and replace the key type to generate a global key pair with the mentioned key type.

root@gateway:~# /usr/local/ezlogin/eztool.php -regenerate_ssh_key -ssh_key_type ecdsa

Note:

The global key now supports ed25519, ecdsa, DSA, and RSA key types starting from Ezeelogin version 7.37.8.

Refer to the article to upgrade to the latest version.

- The generated private key would be encrypted and cannot be retrieved.

- The maximum supported private key size would be 4192 bits.

Related Articles:

How do cluster keys in the Ezeelogin Master-slave Configuration be reset?

Different types of SSH authentication keys.

4 people found this article helpful what about you?