SSH Key rotation to remote servers

How to rotate the Ezeelogin key pair from Gateway to remote servers?


Overview

This article describes manually regenerating a key, executing the command to generate it, distributing the new key across remote servers via a parallel shell, and verifying changes in the Global key through the GUI.



Step 1. To generate the new 4192-bit key pair in the Ezeelogin jump host installation, run the following command on the gateway server.

Starting from Ezeelogin version 7.37.8, the global key supports the ed25519, ecdsa, DSA, and RSA key types.

Refer to the article to upgrade to the latest version.

- The generated private key is encrypted and cannot be retrieved.

- The maximum supported private key size is 4192 bits.

Step 1. Enter the following command to reset the global key. This will regenerate the ed25519 key by default.

root@jumpserver:~# /usr/local/ezlogin/eztool.php -regenerate_ssh_key

Step 2. Run the command printed by the tool (the echo line in the output below) using the parallel shell to copy the new public key to all servers.

The idea is to append the newly generated public key to /root/.ssh/authorized_keys on the remote servers.

####################################

# Ezeelogin Tool                   #

####################################

Checking environment... done

Checking license... done

Enter Ezeelogin administrator password: admin1234

Regenerate SSH key pair...

- New SSH key pair generated. Execute the following command on all remote servers using parallel shell feature to add the new public key in authorized keys:

echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6UB77XUIYCSUvy8c1qCE58S2voNOBeXIl66ozjeADn ezlogin' >> ~/.ssh/authorized_keys

NOTE:

Execute the above command on all remote servers using the parallel shell feature to add the new public key to authorized_keys, and wait for the parallel shell execution to complete before pressing any key to return to the command line.

After it is done, press enter key to continue...

Step 3. Wait for the parallel shell execution to complete before pressing any key to return to the command line.

This ensures that the new public key is copied to all servers.

Step 4: The user can view the updated global key from the GUI under Servers -> Global key

or Step 4: The user can view the updated global key from the CLI by running the command below.

[root@gateway ~]# cat /usr/local/etc/ezlogin/id_key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6UB77XUIYCSUvy8c1qCE58S2voNOBeXIl66ozjeADn ezlogin
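
The `echo ... >> ~/.ssh/authorized_keys` line from Step 2 appends unconditionally, so a repeated parallel-shell run duplicates the entry, and any earlier global key stays in the file until it is removed. The following is an added example, not Ezeelogin code: it installs the key only once and reports leftover entries. The function names are hypothetical, and it assumes earlier global keys carry the same trailing `ezlogin` comment seen in the tool output.

```shell
#!/bin/sh
# Added example, not Ezeelogin code. Function names are hypothetical.
# Assumption: earlier global keys carry the same trailing "ezlogin" comment.

# Print the base64 key material of one public-key / authorized_keys line.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(ed25519|rsa|dss)|ecdsa-sha2-)/) { print $(i + 1); exit }
    }'
}

# install_key AUTH_FILE PUBKEY_LINE: append the key only if it is missing.
install_key() {
    auth=$1; line=$2
    blob=$(key_blob "$line")
    [ -n "$blob" ] || return 2                 # not a recognisable key line
    touch "$auth" && chmod 600 "$auth"
    if grep -qF -- "$blob" "$auth"; then return 0; fi
    # A file without a final newline would glue the new key onto the last entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    printf '%s\n' "$line" >> "$auth"
}

# stale_ezlogin_keys AUTH_FILE PUBKEY_LINE: print "ezlogin" entries that are
# not the current key, i.e. older global keys that are still trusted.
stale_ezlogin_keys() {
    blob=$(key_blob "$2")
    [ -n "$blob" ] || return 2
    awk -v cur="$blob" '$NF == "ezlogin" && index($0, cur) == 0' "$1"
}

# audit_key AUTH_FILE PUBKEY_LINE: succeed only when the current key appears
# exactly once and no stale "ezlogin" entry remains.
audit_key() {
    blob=$(key_blob "$2")
    [ -n "$blob" ] || return 2
    cur=$(grep -cF -- "$blob" "$1" || true)
    stale=$(stale_ezlogin_keys "$1" "$2" | wc -l | tr -d ' ')
    echo "current=$cur stale=$stale"
    [ "$cur" -eq 1 ] && [ "$stale" -eq 0 ]
}
```

Pass the line printed by eztool.php (or the contents of id_key.pub) as PUBKEY_LINE; a non-zero exit from `audit_key` marks a server that still needs attention.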


  • How to regenerate a global key pair with a specific key type?

Step 1: Refer to the help option for regenerating the global key pair.

[root@gateway ~]# /usr/local/ezlogin/eztool.php -- -help

-regenerate_ssh_key : Regenerate Global SSH key
-ssh_key_type : Global SSH key type (ed25519, ecdsa, dsa, rsa) for SSH to remote devices. Note: All remote machines should support this key type. (only for -regenerate_ssh_key)

Step 2: Run the command below, replacing the key type with the one you want, to generate a global key pair of that type.

root@jumpserver:~# /usr/local/ezlogin/eztool.php -regenerate_ssh_key -ssh_key_type ecdsa

