Saturday, August 14, 2010

Configuring Passwordless SSH


For any cluster configuration, the first requirement is to configure passwordless SSH (key-based authentication) for root and for the application user. Many system administrators know the steps but still spend a lot of time troubleshooting because one or two small steps were missed. I have put together the required steps to configure passwordless SSH, along with a few troubleshooting checks.
Configuring Passwordless SSH
Please follow the steps below to configure password-less SSH. In this example I am configuring password-less SSH between two servers, from the pwssh user on vcsnode1 to the vcsuser user on vcsnode2.
1.  Enable key-based authentication in the SSH server configuration file (/etc/ssh/sshd_config for OpenSSH) and restart the sshd daemon. PubkeyAuthentication is on by default in OpenSSH, so usually nothing needs to change; the commented-out RSAAuthentication line only concerns SSH protocol 1 and has no effect on the protocol 2 keys generated below.
[root@vcsnode1 log]# cat /etc/ssh/sshd_config | grep -i -a1 pubkey
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
[root@vcsnode1 log]#
2.  Log in to the server you will be connecting from (vcsnode1 here) as the user for which you want to configure password-less SSH (pwssh).
3.  Generate a key pair with ssh-keygen. Both RSA and DSA are shown below. RSA stands for Rivest, Shamir and Adleman, who first publicly described it; it was the first algorithm known to be suitable for signing as well as encryption. DSA stands for Digital Signature Algorithm, a United States Federal Government standard (FIPS 186) for digital signatures. Be aware that OpenSSH DSA keys are fixed at 1024 bits, that OpenSSH disabled DSA keys by default in version 7.0 (2015) and has since removed support for them, so on a current system generate an RSA key of at least 3072 bits (ssh-keygen -t rsa -b 4096) or an Ed25519 key (ssh-keygen -t ed25519, OpenSSH 6.5 and newer) instead. For more details on RSA and DSA please visit the URLs below.
DSA - http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
RSA - http://en.wikipedia.org/wiki/RSA
Generating RSA Key
[pwssh@vcsnode1 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pwssh/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pwssh/.ssh/id_rsa.
Your public key has been saved in /home/pwssh/.ssh/id_rsa.pub.
The key fingerprint is:
25:86:97:70:ee:c1:c5:98:82:72:7a:81:2d:94:14:33 pwssh@vcsnode1
[pwssh@vcsnode1 ~]$
Generating DSA Key
[pwssh@vcsnode1 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/pwssh/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pwssh/.ssh/id_dsa.
Your public key has been saved in /home/pwssh/.ssh/id_dsa.pub.
The key fingerprint is:
77:6e:44:17:ed:e2:55:e5:3a:97:c6:dc:a3:40:3b:9d pwssh@vcsnode1
[pwssh@vcsnode1 ~]$
Note : Do not provide a passphrase here. If you set one, you have to enter it every time you connect (as good as providing the password), which defeats the purpose for unattended cluster jobs; for interactive use a passphrase plus ssh-agent is the better choice. A passphrase-less private key is a bearer credential: anyone who can read the file can log in as the target user, so keep it mode 600 on a local filesystem and, where possible, restrict what it may do with from= and command= options on its line in authorized_keys.
4.  Once you generate the key, two files are created in the $HOME/.ssh folder for the user: the private key (id_dsa or id_rsa) and the public key (id_dsa.pub or id_rsa.pub). The listing below shows the DSA pair only.
[pwssh@vcsnode1 ~]$ ls -l $HOME/.ssh
total 16
-rw------- 1 pwssh pwssh  668 Jan  4 23:40 id_dsa
-rw-r--r-- 1 pwssh pwssh  604 Jan  4 23:40 id_dsa.pub
[pwssh@vcsnode1 ~]$
5.  Copy the public key (id_dsa.pub) to the other server. You are prompted for vcsuser's password once.
[pwssh@vcsnode1 ~]$ scp $HOME/.ssh/id_dsa.pub vcsuser@vcsnode2:/home/vcsuser
vcsuser@vcsnode2's password:
id_dsa.pub                                                                                                                            100%  604     0.6KB/s   00:00
[pwssh@vcsnode1 ~]$
6.  Log in to the remote host (vcsnode2 in this case) as the target user (vcsuser) and append the public key to the authorized_keys file in that user's $HOME/.ssh folder. If $HOME/.ssh does not exist yet, create it first with mkdir -m 700 $HOME/.ssh. Append with >> rather than overwrite with > so that keys already in the file are kept, and delete the copied id_dsa.pub from the home directory afterwards. (Where it is available, ssh-copy-id -i $HOME/.ssh/id_dsa.pub vcsuser@vcsnode2 performs steps 5 and 6 in one go.)
[vcsuser@VCSNode2 ~]$ cat id_dsa.pub >> .ssh/authorized_keys
[vcsuser@VCSNode2 ~]$
7.  For password-less login in the other direction (vcsuser on vcsnode2 to pwssh on vcsnode1), repeat steps 1 to 6 on the remote host with the roles reversed.
8.  Check that password-less SSH works by running a command on the remote host; it should return without prompting for a password.
[pwssh@vcsnode1 .ssh]$ ssh vcsuser@vcsnode2 date
Fri Jan 22 21:16:27 IST 2010
[pwssh@vcsnode1 .ssh]$
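Steps 3 to 8 above as one non-interactive script, added here as an example; it is not from the original post. The key path (~/.ssh/id_rsa), the target user@host passed as the first argument, and the script name in the usage comment are assumptions. The function that appends the key is the same one that is shipped to the remote host over ssh, so both sides create ~/.ssh and authorized_keys with the modes sshd expects and never add the same key twice:

```bash
#!/usr/bin/env bash
# Added example, not from the original post: steps 3 to 8 of the procedure
# as a script. Assumptions: the private key lives at ~/.ssh/id_rsa and the
# target (e.g. vcsuser@vcsnode2) is given as $1. The remote login shell
# must be Bourne-compatible (sh, bash, ksh) for the shipped function to run.
set -eu

# Append one public-key line to authorized_keys under the given home
# directory (default: $HOME), creating ~/.ssh with the modes sshd's
# StrictModes requires (700 for the directory, 600 for the file) and
# skipping lines that are already present, so re-running is harmless.
append_authorized_key() {
    local key="$1" home="${2:-$HOME}" dir
    dir="$home/.ssh"
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    if grep -qxF -- "$key" "$dir/authorized_keys"; then
        echo "key already present in $dir/authorized_keys"
    else
        printf '%s\n' "$key" >> "$dir/authorized_keys"
        echo "key appended to $dir/authorized_keys"
    fi
}

# Step 3: generate the key pair without a passphrase (the unattended cluster
# case). 4096-bit RSA here; ssh-keygen -t ed25519 is preferable when the
# remote sshd is OpenSSH 6.5 or newer. Skips generation if the key exists.
generate_key() {
    local priv="$1"
    [ -f "$priv" ] || ssh-keygen -q -t rsa -b 4096 -N '' -C "$(id -un)@$(hostname)" -f "$priv"
}

# Steps 5 and 6 in one ssh session (prompts for the password once):
# declare -f sends the function definition along, so the remote side
# applies exactly the same permission handling as a local run would.
# Single quotes around the key are safe because an OpenSSH public-key line
# contains no quote characters unless you put one in the comment yourself.
install_key_on() {
    local target="$1" pub="$2" key
    key=$(cat "$pub")
    ssh "$target" "$(declare -f append_authorized_key); append_authorized_key '$key'"
}

# Step 8: BatchMode forbids any interactive prompt, so a lingering password
# prompt becomes a hard failure instead of a hang, and PasswordAuthentication=no
# makes sure only key authentication is attempted.
verify_passwordless() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "$1" date
}

# Usage (hypothetical script name): bash setup-passwordless.sh vcsuser@vcsnode2
if [ "$#" -eq 1 ]; then
    generate_key "$HOME/.ssh/id_rsa"
    install_key_on "$1" "$HOME/.ssh/id_rsa.pub"
    verify_passwordless "$1"
fi
```

If verify_passwordless still fails after the key is installed, run ssh -v against the target to see which keys the client offered and why each was skipped; the checklist in the next section covers the usual causes.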
Troubleshooting Password-Less SSH
After performing all the above steps, if ssh still asks for a password when connecting to the remote host, check the following. Running ssh -v vcsuser@vcsnode2 shows which keys the client offered and why each was skipped, and the sshd log on the remote host (/var/log/secure on RHEL-type systems, /var/log/auth.log on Debian-type systems) records why sshd rejected them.
1.  Key-based authentication must be enabled in the SSH server configuration file (for OpenSSH, /etc/ssh/sshd_config: PubkeyAuthentication yes, with AuthorizedKeysFile pointing at .ssh/authorized_keys).
2.  Permissions on the $HOME/.ssh folder (the .ssh folder in the user's home directory) should be 700 (drwx------).
3.  Permissions on the authorized_keys file in $HOME/.ssh should be 600 (-rw-------). With the default StrictModes yes, sshd ignores the file if it is writable by group or others.
4.  Permissions on id_dsa or id_rsa (depending on the key type used) in $HOME/.ssh should be 600; the ssh client refuses to use a private key that is readable by anyone else.
5.  Permissions on id_dsa.pub or id_rsa.pub in $HOME/.ssh should be 644 (or 640). sshd does not check these, but keep them tidy.
6.  Permissions on known_hosts in $HOME/.ssh should be 644 (or 640). Not enforced by sshd either, but the file must stay writable by the user so that new host keys can be recorded.
7.  Make sure the $HOME/.ssh folder and all the above files in it have the correct ownership (for example, if you logged in as the pwssh user, the .ssh folder and every file inside it should be owned by pwssh:pwssh).
8.  The home directory itself must not be writable by group or others; StrictModes rejects the keys in that case too.
9.  On systems with SELinux enforcing (RHEL and derivatives), a .ssh folder created by copying files around or by another user can carry the wrong security context; restorecon -R -v $HOME/.ssh resets it.
If you find any discrepancies in your configuration, correct them and you should be able to access the remote server without a password.
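The permission and ownership checks above as a script, added here as an example and not part of the original post. It checks what sshd's StrictModes actually enforces (home directory, ~/.ssh and authorized_keys not writable by others), the private-key mode the ssh client enforces, and ownership. The optional home-directory argument is an assumption added so that the audit can be run against another user's home (as root) or a test directory:

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the troubleshooting checklist
# as a script. The optional argument (an assumption) is the home directory
# to audit; it defaults to $HOME. Exit status is the number of problems.

# Symbolic mode and owner of a path via ls, so the script runs on both
# GNU and BSD userlands (stat's flags differ between them).
mode_of()  { ls -ld "$1" | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# True when neither group nor others may write (chars 6 and 9 of the mode),
# which is the test sshd applies under StrictModes.
not_group_world_writable() {
    local m
    m=$(mode_of "$1")
    [ "${m:5:1}" != w ] && [ "${m:8:1}" != w ]
}

# Audit one home directory. Prints each problem found and returns the
# number of problems (0 means nothing here would block key-based login).
audit_ssh_dir() {
    local home="${1:-$HOME}" dir owner problems=0 f
    dir="$home/.ssh"
    [ -d "$home" ] || { echo "no such directory: $home"; return 1; }
    owner=$(owner_of "$home")

    # sshd refuses the user's keys if the home directory is group/world writable.
    if ! not_group_world_writable "$home"; then
        echo "$home is group/world writable: $(mode_of "$home")"; problems=$((problems+1))
    fi

    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    if [ "$(mode_of "$dir")" != "drwx------" ]; then
        echo "$dir should be 700 (drwx------), is $(mode_of "$dir")"; problems=$((problems+1))
    fi

    if [ ! -f "$dir/authorized_keys" ]; then
        echo "missing $dir/authorized_keys"; problems=$((problems+1))
    elif ! not_group_world_writable "$dir/authorized_keys"; then
        echo "$dir/authorized_keys is group/world writable: $(mode_of "$dir/authorized_keys"), use 600"
        problems=$((problems+1))
    fi

    # The ssh client refuses a private key that anyone else can read.
    for f in "$dir"/id_rsa "$dir"/id_dsa "$dir"/id_ecdsa "$dir"/id_ed25519; do
        [ -f "$f" ] || continue
        if [ "$(mode_of "$f")" != "-rw-------" ]; then
            echo "$f should be 600 (-rw-------), is $(mode_of "$f")"; problems=$((problems+1))
        fi
    done

    # Everything must belong to the user who owns the home directory.
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        if [ "$(owner_of "$f")" != "$owner" ]; then
            echo "$f is owned by $(owner_of "$f"), expected $owner"; problems=$((problems+1))
        fi
    done

    return "$problems"
}

# Usage (hypothetical script name): bash audit-ssh.sh /home/vcsuser
if [ "$#" -eq 1 ]; then
    audit_ssh_dir "$1" && echo "ok: nothing here blocks key-based login"
fi
```

Run it on the remote host as the target user (or as root with that user's home directory as the argument); each line it prints maps to one item of the checklist, and a zero exit status means the remaining suspects are the sshd configuration or the key itself.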