Thursday, October 10, 2013

Quickly configuring password-less SSH between Unix Hosts

Sometimes you need to do a lot of work on dozens of hosts (in my case 65 nodes, all of which needed clustering and other configuration), and the steps below will save you time.  There are security considerations, though, so you will probably want to reverse this at the end of your work.

So to make a long story short, these are the steps:

On the host you want to do this from, do the following:

cd ~/.ssh
ssh-keygen -t rsa
scp /root/.ssh/id_rsa.pub remote-host:/root/.ssh/authorized_keys

This is what it will look like:

[root@linuxhost101 ~]# cd ~/.ssh
[root@linuxhost101 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
5f:27:29:4e:d9:87:99:02:5e:e7:ba:86:1e:7a:9d:c8 root@linuxhost101.domain.net
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|        . . .    |
|       . o = =   |
|        S = X o  |
|         + = +   |
|       ..++.     |
|       .E.+.     |
|      .o...      |
+-----------------+
[root@linuxhost101 .ssh]# 

Then, in the above example, I wanted to copy this to another 64 hosts:

[root@linuxhost101 .ssh]# scp /root/.ssh/id_rsa.pub linuxhost102:/root/.ssh/authorized_keys
The authenticity of host 'linuxhost102 (10.22.176.2)' can't be established.
RSA key fingerprint is 1d:fa:90:54:9b:a3:59:a7:f9:12:85:09:0a:67:1b:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'linuxhost102' (RSA) to the list of known hosts.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64

Password: 
id_rsa.pub                                                                                                                         100%  416     0.4KB/s   00:00    
[root@linuxhost101 .ssh]# scp /root/.ssh/id_rsa.pub linuxhost103:/root/.ssh/authorized_keys

That's it. Now when you ssh or scp anything to the second host from the first, it will not prompt you for a password.
Of course, if you want to do this from more than one host, then just append to the authorized_keys file rather than overwriting it
(like this:  cat .ssh/id_rsa.pub | ssh root@192.168.3.102 'cat >> .ssh/authorized_keys').
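
The append-instead-of-overwrite step above, together with the clean-up recommended at the start of the post, as an added example (not the author's own commands): shell functions that add one key to authorized_keys without duplicating it and later remove exactly that key. The function names and the sample key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: add or remove ONE key line in an authorized_keys file,
# leaving other entries alone. Run it on the host that owns the file.

# Constructed sample keys (placeholders, not real key material).
SAMPLE_ADMIN_KEY='ssh-rsa AAAA-CONSTRUCTED-ADMIN-KEY root@linuxhost101'
SAMPLE_OTHER_KEY='ssh-rsa AAAA-CONSTRUCTED-OTHER-KEY backup@linuxhost200'

# add_key KEY_LINE AUTH_FILE  (AUTH_FILE is expected to sit in a .ssh directory)
add_key() {
    key=$1; auth=$2
    [ -n "$key" ] || return 1
    dir=$(dirname "$auth")
    # sshd's StrictModes rejects keys when these are group/world writable.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Append only if this exact line is absent, so reruns do not duplicate it.
    if ! grep -qxF -- "$key" "$auth"; then
        # Terminate a last line that lacks a newline so keys are not glued.
        [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
        printf '%s\n' "$key" >> "$auth"
    fi
    # Same relabel as the restorecon fix in the post, where the tool exists.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$dir" 2>/dev/null || true
    fi
}

# remove_key KEY_LINE AUTH_FILE  (the "reverse this at the end" step)
remove_key() {
    key=$1; auth=$2
    [ -n "$key" ] || return 1
    [ -f "$auth" ] || return 0
    tmp=$(mktemp "$auth.XXXXXX") || return 1
    # grep exits 1 when no other keys remain; only status 2 is an error.
    grep -vxF -- "$key" "$auth" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$auth"
}

# demo: exercise both functions in a throwaway directory.
demo() {
    demo_dir=$(mktemp -d) || return 1
    demo_file="$demo_dir/.ssh/authorized_keys"
    add_key "$SAMPLE_OTHER_KEY" "$demo_file"
    add_key "$SAMPLE_ADMIN_KEY" "$demo_file"
    add_key "$SAMPLE_ADMIN_KEY" "$demo_file"    # no-op: already present
    remove_key "$SAMPLE_ADMIN_KEY" "$demo_file"
    cat "$demo_file"; rm -rf "$demo_dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the functions on the target host (for example after copying the script there), passing the contents of id_rsa.pub as KEY_LINE.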



IMPORTANT: There is a bug in CentOS 6 / SELinux that results in all client-presented certificates being ignored when SELinux is set to Enforcing. To fix this, simply run:
[root@linux01 ~]# ssh root@192.168.3.102 'restorecon -R -v /root/.ssh'

Then it will work.  

Or you can just disable SELinux altogether in /etc/selinux/config (you would then need to reboot).




* Addition: if you wanted to do this for multiple hosts, you could add the following in ~/.ssh/config:

Host *
    StrictHostKeyChecking no

or from the command line: ssh -o StrictHostKeyChecking=no

You then won't be prompted about whether you trust the host you are connecting to; ssh adds each new host key to known_hosts without asking.