I have to configure hadoop cluster. For that it is required that all systems should be able to ssh each other in passwordless mode. Due to security, I have allowed only key based ssh (no password). There are 5 systems in cluster. I have to generated single key value pair. How to configure all other systems to use this key pair only such that they can ssh each other in passwordless mode.
I'm assuming you mean Linux machines.
There must be a ~/.ssh directory chmod 700 on each machine under the account that will originate or receive the connections.
The (private) key must be generated without a password.
Don't forget that by default weak (<2048 bit) keys are not accepted by ssh recently.
The following must be done to originate a connection.
Your private key must be placed in ~/.ssh/id_rsa or ~/.ssh/id_dsa as appropriate. You may use another name, but then it must be included on a -i option on the machine originating the request to explicitly indicate the private key.
Your private key must be chmod 600.
Now for allowing a machine to receive a request:
Your public key must be placed in a file called ~/.ssh/authorized_keys under the account that will receive the connections. You may place other keys that are allowed to connect via this account in here as well. A particularly tricky thing if you are in vi and pasting the key into the file from the paste buffer in PuTTY is that the key starts with a "ssh-". If you are not in insert mode, the first "s" will put vi in insert mode and the rest of the key will look just fine. But you'll be missing an "s" at the beginning of the key. It took days for me to find that.
I like to chmod 600 ~/.ssh/authorized_keys, but it's usually not required.
Now, you must have the host fingerprint added to the cache. Go to machine A, and ssh to machine B. The first time, you will get a query like "Do you want to add . . . to the host key cache?". This will stop your automated process very effectively. You have a few choices, which are up to your situation: a. manually ssh 20 times from each of 5 machines to the other 4 and say "yes". b. You could get the file called "known_hosts" (this is what ssh calls the "cache") and combine entries so that the same host_keys can be copied to all machines. c. You can put host fingerprints in /etc/ssh/ssh_known_hosts. d. Put the fingerprints in DNS (see man ssh). e. Just turn it off (NOT RECOMMENDED) by setting StrictHostKeyChecking in your ssh configuration.
Related
I have created ssh keys and registered my public key on the target host under .ssh/.authorized_keys.
And it also generally works. I just observe a strange behavior: When I try to login the first time in the morning, I see "Server refused our key" and get forced to enter my passphrase. Any consecutive attempts then work fine and I see in the console output that it's registering with my key.
If I don't log in for a longer time, then a new login would show the same behavior as above and I get forced to enter my passphrase.
So I was wondering: Is there maybe a configurable value that prevents me registering with my key after certain time that I can just increase or deactivate?
You may find your answer here. Some servers are configured to verify the hosts before they can login for the first time.
https://unix.stackexchange.com/questions/42643/ssh-key-based-authentication-known-hosts-vs-authorized-keys
We can make SSH automatically write new host keys to the known_hosts file by setting StrictHostKeyChecking to “no” in the ~/.ssh/config file.
StrictHostKeyChecking=no
My target is to set up git on my Linux server box so I can commit/push through a batch file from my windows machine.
I was hoping for something similar to how I did it with svn in the past, such that I could create a user that had certain read/write privileges. I am more than happy for it to be ssh key dependant.
Thus far every time I try to put an ssh key on my computer and on the server, it just ignores it and makes its own:
The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Are you sure you want to continue connecting (yes/no)?
And this means I have to insert a password every time so my batch file solution won't work.
I placed the key on my windows machine both in "C:/Users/Ryan/.ssh/" and "C:/Program Files (x86)/Git/.ssh/" in the msysgit installation directory. I also installed it onto my server to the suggested git user. I did the basic installation following the git documentation:
- Generated myself an SSH key using puttygen.
- Copied it to my server and cat'd it to authorized_keys in /home/git/.ssh/
- Init'd bare git repository etc.
I can push/pull but I have to use the RSA fingerprint and use the git account password to log in rather than using an ssh key.
Am I doing something wrong is it actually supposed to work like this?
I haven't fully read into making a git daemon instead, perhaps that is what I am after?
Make sure you are starting a DOS session with git-cmd.bat from your msysgit distribution: that will set the HOME environment variable properly (usually %USERPROFILE%).
The public (id_rsa.pub) and private (id_rsa) keys need to be in %HOME%\.ssh.
The message The authenticity of host should only occurs one, at the first ssh connection. Once it is done, don't delete the %HOME%\.ssh\known_hosts file it has created.
My ssh configuration inside /root/.ssh/config:
Host *
IdentityFile /root/.ssh/id_rsa_api
IdentityFile /root/.ssh/id_rsa_ui
I use these keys to be able to clone GitHub repositories. However, only the first IdentityFile (API) works. For the second, it says Repository not found as I start cloning. When I swap the configuration like:
Host *
IdentityFile /root/.ssh/id_rsa_ui
IdentityFile /root/.ssh/id_rsa_api
This way I can clone the UI, but not the API. As a consequence, I see that the keys are correct, but the second IdentityFile is always ignored. What could the problem be?
I cannot use ssh-add because I configure ssh inside a Dockerfile and ssh-agent is not running when the container is build.
Do you have any other keys besides the two you've listed in the question? The OpenSSH server sshd will drop a client after too many failed authentication attempts. If you have enough keys, your client may be trying all of them and being dropped before it gets through all of the keys you've listed. Running ssh with the -v parameter will show which keys ssh tries to use to authenticate.
The sshd_config parameter MaxAuthTries determines how many times a client can attempt to authenticate. The default is 6.
If this is the problem, you may be able to avoid it by setting the ssh_config parameter IdentitiesOnly. This prevents your client from using identities that didn't come from the ssh configuration files. Another thing to consider is to use more specific Host or Match directives, so you only apply a key to the specific hosts where the key should be used.
https://developer.github.com/guides/managing-deploy-keys/#deploy-keys
Deploy keys only grant access to a single repository. More complex
projects may have many repositories to pull to the same server
So I dropped using deploy keys. Instead I created an ssh key that allows access to all of my private repositories. This way I have a single IdentityFile.
I have a public/private key pair for ssh connections to a server S, but now, even if do a ssh to another device that does't need any key authentication, I always have the message:
> ssh user#192.168.0.10
Enter passphrase for key '/home/user/.ssh/id_dsa':
user#192.168.0.10's password:
Usually I hit enter in the first question (leaving it blank) and I type the user's password in the second question.
But as I want to write some scripts to automatize some things, the "Enter passphrase for key '/home/user/.ssh/id_dsa': " message bothers me.
Why it appears for every connection request? Can I do something so it won't ask me that for every connection? Just with the server S?
Thanks
Assuming you're using Linux ssh-agent to store your keys so you don't have to keep typing it.
Using ssh-agent to manage your keys
Based on this ServerFault answer:
ssh -o PubkeyAuthentication=no host.example.org
To avoid typing it every single time, you can add something like this to ~/.ssh/config
Host host.example.org
PubkeyAuthentication no
After password-less ssh-login, is there any way in Linux to retrieve the identity of the remote-user that logged in?
I would like to take some different actions in the login-scripts,
depending on from which remote host/userid I do ssh-login.
The originating system's username is not recorded unless you use something like this answer - i.e. push the username as part of the connection. The remote host is encoded in the SSH_CLIENT environment variable, so that can be determined.
You could try to finger the remote system, but that requires fingerd to be running, which is not a common service these days.
You'll have better luck using specific keys for users, which can have options set at the start of the key such as environment="NAME=value" in the authorized_keys file to kind-of determine the remote user that connected. e.g.
environment="REMOTEUSER=fred" ssh-rsa <blahblahkey> <comment>
The use of the environment option in the key will only work if you've got PermitUserEnvironment set in the sshd config, otherwise the line in the authorized_keys gets ignored and you'll be prompted for a password.