Linux Tips

  



Introduction

This guide presents the steps required to configure passwordless SSH connectivity between two Linux nodes for remote access. The user account used in this guide is oracle:


[oracle@vmlinux1 ~]$ id
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)

[oracle@vmlinux2 ~]$ id
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)

Verify SSH Software is Installed

OpenSSH is the SSH implementation shipped by Linux distributions and is normally part of even a minimal installation. To confirm that the SSH packages are installed, run the following on both nodes.


[root@vmlinux1 ~]# rpm -qa --queryformat "%{NAME}-%{VERSION}-%{RELEASE} (%{ARCH})\n"| grep ssh
openssh-askpass-4.3p2-41.el5 (x86_64)
openssh-clients-4.3p2-41.el5 (x86_64)
openssh-server-4.3p2-41.el5 (x86_64)
openssh-4.3p2-41.el5 (x86_64)

If you do not see a list of SSH packages, then install those packages for your Linux distribution. For example, load the CD/DVD into each of the nodes and perform the following to install the OpenSSH packages.


[root@vmlinux1 ~]# mount -r /dev/cdrom /media/cdrom
[root@vmlinux1 ~]# cd /media/cdrom/Server
[root@vmlinux1 ~]# rpm -Uvh openssh-*
[root@vmlinux1 ~]# cd /
[root@vmlinux1 ~]# eject

Configure Passwordless SSH Connectivity

The goal in this section is to set up user equivalence for the oracle OS user account on two Linux nodes. This will allow the oracle user account to run OS commands and copy files remotely without being prompted for a password.

Checking Existing SSH Configuration on the System

To determine whether the SSH daemon (sshd) is running, enter the following command.


[oracle@vmlinux1 ~]$ pgrep sshd
3851
20714

If sshd is running, the response is a list of process ID number(s): the listening daemon plus one or more processes per active connection. Run this check on both nodes to verify that the SSH daemons are installed and running.

You need either an RSA or a DSA key pair. SSH protocol 1 supports only RSA keys; SSH protocol 2 (the OpenSSH default for many years, and the only protocol current OpenSSH releases implement) supports both RSA and DSA, so with OpenSSH you can use either. The instructions that follow generate a DSA key with ssh-keygen -t dsa, which is a protocol 2 key; they do not apply to a protocol 1 only client. Note also that DSA (ssh-dss) keys are limited to 1024 bits, have been disabled by default in OpenSSH since release 7.0, and are no longer supported at all in recent releases. On a current system, substitute an Ed25519 key (ssh-keygen -t ed25519) or an RSA key of at least 3072 bits for the DSA key in every command below; the file names change from id_dsa to id_ed25519 or id_rsa, and the procedure is otherwise identical.

Configure Passwordless SSH Keys

To configure passwordless SSH, you must first create RSA or DSA keys on each node, and then copy the public keys generated on all nodes (every one of them, if there are more than two) into an authorized_keys file that is identical on each node. The SSH files must be readable only by root and by the OS user account (oracle): ssh refuses to use a private key that is readable by group or others (it reports an unprotected private key file and ignores the key), and sshd with its default StrictModes setting rejects key authentication if the home directory, the .ssh directory or the authorized_keys file is writable by anyone other than the owner. In the examples that follow, the DSA key is used.

To configure passwordless SSH, complete the following on all nodes.

Create SSH Directory and SSH Keys

Complete the following steps on each node.

  1. Log in to all nodes as the oracle OS user account.


    [root@vmlinux1 ~]# su - oracle

  2. To confirm that you are logged in as oracle and that the account has the user ID you assigned to it, run id (for the current session) and id oracle (for the account). The user and group IDs reported by both commands must match, and they must be the same on every node.


    [oracle@vmlinux1 ~]$ id
    uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)

    [oracle@vmlinux1 ~]$ id oracle
    uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)

  3. Create the .ssh directory in the oracle user's home directory and set permissions on it to ensure that only the oracle user has read and write permissions.


    [oracle@vmlinux1 ~]$ mkdir ~/.ssh
    [oracle@vmlinux1 ~]$ chmod 700 ~/.ssh

    SSH configuration will fail if the permissions are not set correctly: sshd (with StrictModes yes, the default) refuses key authentication when the .ssh directory or the home directory is writable by group or others, and the files inside must be owned by the user. Mode 700 satisfies these checks.

  4. Enter the following command to generate a DSA key pair (public and private key) for the SSH protocol. At the prompts, accept the default key file location and an empty passphrase (simply press [Enter] three times). The empty passphrase is what makes the connection passwordless, but it also means that anyone who can read the id_dsa file can log in as oracle on every node that trusts it; the file permissions from the previous step are then the only protection. Use an empty passphrase only where unattended node-to-node access is actually required, as it is for the applications this guide prepares for; for ordinary interactive use, set a passphrase and load the key into ssh-agent instead.


    [oracle@vmlinux1 ~]$ /usr/bin/ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/oracle/.ssh/id_dsa): [Enter]
    Enter passphrase (empty for no passphrase): [Enter]
    Enter same passphrase again: [Enter]
    Your identification has been saved in /home/oracle/.ssh/id_dsa.
    Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
    The key fingerprint is:
    9b:9b:14:45:90:c0:8c:8b:47:08:ea:ac:f1:48:60:67 oracle@vmlinux1.idevelopment.info

    This command writes the DSA public key to the ~/.ssh/id_dsa.pub file and the private key to the ~/.ssh/id_dsa file.

    The private key (id_dsa) must never be copied off the node or shared with anyone; only the public key (id_dsa.pub) is distributed to the other nodes.

  5. Repeat steps 1 through 4 for all remaining nodes that you intend to use for passwordless remote connectivity.

Add All Keys to a Common authorized_keys File

Now that both nodes contain a public and private key for DSA, you will need to create an authorized key file (authorized_keys) on one of the nodes. An authorized key file is nothing more than a single file that contains a copy of everyone's (every node's) DSA public key. Once the authorized key file contains all of the public keys for each node, it is then distributed to all other nodes.

 

The oracle user's ~/.ssh/authorized_keys file on every node must contain the contents from all of the ~/.ssh/id_dsa.pub files that you generated on all nodes.

Complete the following steps on one of the nodes to create and then distribute the authorized key file. For the purpose of this example, I am using vmlinux1.

  1. On vmlinux1, check whether the authorized key file ~/.ssh/authorized_keys already exists in the oracle user's .ssh directory. On a new install it normally does not; if it doesn't exist, create it now.


    [oracle@vmlinux1 ~]$ touch ~/.ssh/authorized_keys
    [oracle@vmlinux1 ~]$ ls -l ~/.ssh
    total 8
    -rw-r--r-- 1 oracle oinstall   0 Feb  2 15:07 authorized_keys
    -rw------- 1 oracle oinstall 668 Feb  2 14:57 id_dsa
    -rw-r--r-- 1 oracle oinstall 623 Feb  2 14:57 id_dsa.pub

    In the .ssh directory, you should see the id_dsa.pub public key that was created and the blank file authorized_keys.

  2. From vmlinux1, append the public key (~/.ssh/id_dsa.pub) of every node to the authorized key file just created (~/.ssh/authorized_keys). The commands below do this by running cat on each node over ssh and appending its output locally (scp or sftp would work just as well). You will be prompted for the oracle OS user account password on each node. Note that the local shell expands ~ before the command is sent; that is harmless here because the oracle home directory has the same path on every node.


    [oracle@vmlinux1 ~]$ ssh vmlinux1 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
    The authenticity of host 'vmlinux1 (192.168.1.160)' can't be established.
    RSA key fingerprint is df:8d:4c:69:53:02:d8:a0:5e:08:be:a9:48:22:5d:dd.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'vmlinux1,192.168.1.160' (RSA) to the list of known hosts.
    oracle@vmlinux1's password: xxxxx

    [oracle@vmlinux1 ~]$ ssh vmlinux2 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
    The authenticity of host 'vmlinux2 (192.168.1.162)' can't be established.
    RSA key fingerprint is 19:43:15:79:ae:ef:88:16:ea:77:03:1e:3f:e8:33:b7.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'vmlinux2,192.168.1.162' (RSA) to the list of known hosts.
    oracle@vmlinux2's password: xxxxx

    The first time you use SSH to connect to a node from a particular system, you will see a message similar to the following:


    The authenticity of host 'vmlinux1 (192.168.1.160)' can't be established.
    RSA key fingerprint is df:8d:4c:69:53:02:d8:a0:5e:08:be:a9:48:22:5d:dd.
    Are you sure you want to continue connecting (yes/no)? yes

    This is the client asking you to verify the node's host key. Before answering yes, compare the fingerprint shown with the fingerprint of the node's own host key, obtained on that node's console (ssh-keygen -l against the host public key under /etc/ssh). Answer yes only if they match: the key is then recorded, together with the host name and address, in ~/.ssh/known_hosts and is trusted for every later connection from this system without any further prompt. A key planted by an attacker on that first connection would be trusted just as readily, so this is the one point at which the check matters.

  3. At this point, we have the DSA public key from every node in the authorized key file (~/.ssh/authorized_keys) on vmlinux1.


    [oracle@vmlinux1 ~]$ ls -l ~/.ssh
    total 16
    -rw-r--r-- 1 oracle oinstall 1246 Feb  2 15:13 authorized_keys
    -rw------- 1 oracle oinstall  668 Feb  2 14:57 id_dsa
    -rw-r--r-- 1 oracle oinstall  623 Feb  2 14:57 id_dsa.pub
    -rw-r--r-- 1 oracle oinstall  808 Feb  2 15:13 known_hosts

    We now need to copy the authorized key file to the remaining nodes. In this example, the only remaining node is vmlinux2. Use the scp command to copy the authorized key file to all remaining nodes.


    [oracle@vmlinux1 ~]$ scp ~/.ssh/authorized_keys vmlinux2:.ssh/authorized_keys
    oracle@vmlinux2's password: xxxxx
    authorized_keys                               100% 1246     1.2KB/s   00:00

  4. Change the permission of the authorized key file for each node as follows.


    [oracle@vmlinux1 ~]$ chmod 600 ~/.ssh/authorized_keys
    [oracle@vmlinux2 ~]$ chmod 600 ~/.ssh/authorized_keys
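The procedure above as one script. This is an added example, not code from the original article: it merges the public keys gathered from all nodes into a single authorized_keys file (validating each line and dropping duplicates) and then audits the permissions that the note under "Configure Passwordless SSH Keys" and step 3 of "Create SSH Directory and SSH Keys" require. It assumes each node's public key has already been fetched into a staging directory under the oracle home directory, one file per node; the staging directory name, the function names and the placeholder key blobs in the usage comments are this example's own assumptions, not names from the article.

```shell
#!/bin/bash
# Added example, not code from the original article: build one
# authorized_keys file from the public keys collected from every node, then
# audit the permissions that ssh (for private keys) and sshd (StrictModes,
# on by default) insist on before key authentication works.
# Assumptions: each node's id_*.pub has already been fetched into a staging
# directory under $HOME (one file per node, e.g. vmlinux1.pub); lines that
# carry authorized_keys options (command=..., from=...) are not handled;
# stat -c is the GNU coreutils form. Key blobs in the usage comments below
# are constructed placeholders, not real keys.

# Accept a public-key line only if its type is one OpenSSH knows and its
# blob is well-formed base64. Prints the line and returns 0, else returns 1.
validate_pubkey_line() {
    local line=$1
    set -- $line
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    printf '%s\n' "$line"
}

# Merge every *.pub in the staging directory $1 into $2, dropping malformed
# lines and duplicates (same type and blob, whatever the comment says).
# The output file is forced to mode 0600. Prints the number of keys written.
build_authorized_keys() {
    local stage=$1 out=$2 count=0 seen="" f line key
    : > "$out" && chmod 600 "$out"
    for f in "$stage"/*.pub; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            key=$(validate_pubkey_line "$line") || continue
            set -- $key
            case "$seen" in *"|$1 $2|"*) continue ;; esac
            seen="$seen|$1 $2|"
            printf '%s\n' "$key" >> "$out"
            count=$((count + 1))
        done < "$f"
    done
    echo "$count"
}

# Permission audit for the home directory $1: the home directory, ~/.ssh and
# authorized_keys must not be writable by group or others (sshd StrictModes),
# and private keys must not be readable by group or others (ssh refuses to
# use an "unprotected" key). Prints each problem; returns 0 only if clean.
audit_ssh_dir() {
    local home=$1 rc=0 f mode
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$f: writable by group/others (mode $mode)"
            rc=1
        fi
    done
    for f in "$home"/.ssh/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        mode=$(stat -c '%a' "$f")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$f: private key readable by group/others (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# Usage (as oracle on the node that assembles the file). The staging
# directory lives under $HOME, not /tmp, so no other local user can swap a
# key in before it is merged:
#   mkdir -m 700 ~/keys-staging
#   cp ~/.ssh/id_dsa.pub ~/keys-staging/vmlinux1.pub
#   scp vmlinux2:.ssh/id_dsa.pub ~/keys-staging/vmlinux2.pub
#   build_authorized_keys ~/keys-staging ~/.ssh/authorized_keys && audit_ssh_dir ~
```

Distribute the resulting file with scp exactly as in step 3 and run audit_ssh_dir on every node afterwards; a failed audit names the file and mode that will make sshd or ssh silently fall back to password authentication.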

Enable SSH User Equivalency

After you have copied the authorized_keys file that contains all public keys to each node, complete the steps in this section to ensure passwordless SSH connectivity between all nodes is configured correctly.

When you run the test commands in this section, the only output should be the date and the host name. Anything else (a login banner, a warning, a prompt for a password or passphrase) will make the applications that expect passwordless SSH connectivity fail. If a node prompts for a password or passphrase, verify that the ~/.ssh/authorized_keys file on that node contains the correct public keys and that the oracle account exists there with identical user and group IDs and group membership. If any other text appears, find the login script that produces it: any part of a login script that prints output or asks questions must be changed so that it runs only in an interactive shell (in Bourne-type shells, test whether $- contains i), because an ssh remote command runs in a non-interactive shell that, on many distributions, still reads ~/.bashrc.

  1. Log in as the oracle OS user account.


    [root@vmlinux1 ~]# su - oracle

  2. If SSH is configured correctly, you will be able to use the ssh and scp commands without being prompted for a password or pass phrase from the terminal session.


    [oracle@vmlinux1 ~]$ ssh vmlinux1 "date;hostname"
    Thu Feb 2 15:26:57 EST 2012
    vmlinux1.idevelopment.info

    [oracle@vmlinux1 ~]$ ssh vmlinux2 "date;hostname"
    Thu Feb 2 15:27:13 EST 2012
    vmlinux2.idevelopment.info

  3. Repeat the same commands from every remaining node (here, vmlinux2) so that each node can reach every other node, and itself, without being prompted for a password or passphrase. The first connection from each node records the target's host key in that node's known_hosts file; verify the fingerprint before accepting it, as described above.


    [root@vmlinux2 ~]# su - oracle

    [oracle@vmlinux2 ~]$ ssh vmlinux1 "date;hostname"
    The authenticity of host 'vmlinux1 (192.168.1.160)' can't be established.
    RSA key fingerprint is df:8d:4c:69:53:02:d8:a0:5e:08:be:a9:48:22:5d:dd.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'vmlinux1,192.168.1.160' (RSA) to the list of known hosts.
    Thu Feb 2 15:35:45 EST 2012
    vmlinux1.idevelopment.info

    [oracle@vmlinux2 ~]$ ssh vmlinux1 "date;hostname"
    Thu Feb 2 15:35:56 EST 2012
    vmlinux1.idevelopment.info

    [oracle@vmlinux2 ~]$ ssh vmlinux2 "date;hostname"
    The authenticity of host 'vmlinux2 (192.168.1.162)' can't be established.
    RSA key fingerprint is 19:43:15:79:ae:ef:88:16:ea:77:03:1e:3f:e8:33:b7.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'vmlinux2,192.168.1.162' (RSA) to the list of known hosts.
    Thu Feb 2 15:37:03 EST 2012
    vmlinux2.idevelopment.info

    [oracle@vmlinux2 ~]$ ssh vmlinux2 "date;hostname"
    Thu Feb 2 15:37:04 EST 2012
    vmlinux2.idevelopment.info

  4. Certain GUI applications that require use of an X server may fail if not configured correctly. From a terminal session enabled for user equivalence, set the environment variable DISPLAY to a valid X Windows display.

    Bourne, Korn, and Bash Shells


    [oracle@vmlinux1 ~]$ DISPLAY=<Any X-Windows Host>:0
    [oracle@vmlinux1 ~]$ export DISPLAY

    C Shell


    [oracle@vmlinux1 ~]$ setenv DISPLAY <Any X-Windows Host>:0

    After setting the DISPLAY variable to a valid X Windows display, you should perform another test of the current terminal session to ensure that X11 forwarding is not enabled.


    [oracle@vmlinux1 ~]$ ssh vmlinux1 hostname
    vmlinux1.idevelopment.info

    [oracle@vmlinux1 ~]$ ssh vmlinux2 hostname
    vmlinux2.idevelopment.info

     

    If you are using a remote client to connect to a node running a GUI application and you see a message similar to "Warning: No xauth data; using fake authentication data for X11 forwarding.", your authorized keys file is configured correctly but X11 forwarding is enabled in your SSH client configuration. For example:


    [oracle@vmlinux1 ~]$ export DISPLAY=melody:0
    [oracle@vmlinux1 ~]$ ssh vmlinux2 hostname
    Warning: No xauth data; using fake authentication data for X11 forwarding.
    vmlinux2.idevelopment.info

    The warning is extra text in the session output, which is exactly what the checks above require to be absent, so it will cause the GUI applications mentioned earlier to fail. Disabling X11 forwarding for this account is also the safer choice: a forwarded X11 connection lets the remote node interact with your local X display. To correct this problem, create a user-level SSH client configuration file for the OS user account (oracle) that disables X11 forwarding.

    1. Using a text editor, edit or create the file ~/.ssh/config

    2. Make sure that the ForwardX11 attribute is set to no. For example, insert the following into the ~/.ssh/config file:


      Host *
      ForwardX11 no
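Steps 2 to 4 above, as an added example that is not code from the original article: a script that probes every node named on its command line with no possibility of an interactive prompt and checks that the remote session prints only the date and the host name. The ssh options are standard OpenSSH client options; the function names and the vmlinux node names in the usage comment are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not code from the original article: an unattended check that
# user equivalence works from this node to every node named on the command
# line, and that the remote session prints exactly what the test above
# expects (a date line and a host name) and nothing else.
# Assumptions: node names resolve; each host key has already been verified
# and recorded in ~/.ssh/known_hosts; the ssh options used are standard
# OpenSSH client options.

# Validate the captured output of `ssh node "date; hostname"`.
# Returns 0 when it is exactly two lines, the second is the node's host name
# (first label compared, since the remote prints its FQDN), and no warning,
# prompt or error text appears; otherwise prints the reason and returns 1.
check_equivalence_output() {
    local node=$1 output=$2 nlines last
    nlines=$(printf '%s\n' "$output" | wc -l | tr -d ' ')
    if [ "$nlines" -ne 2 ]; then
        echo "expected 2 lines of output, got $nlines"
        return 1
    fi
    case "$output" in
        *Warning:*|*password:*|*passphrase*|*denied*)
            echo "prompt, warning or error text in output"
            return 1 ;;
    esac
    last=$(printf '%s\n' "$output" | tail -n 1)
    if [ "${last%%.*}" != "${node%%.*}" ]; then
        echo "expected host name '$node', got '$last'"
        return 1
    fi
    return 0
}

# Probe one node. BatchMode=yes makes ssh fail instead of prompting for a
# password or passphrase, so a broken key setup shows up as an error rather
# than a hung script; StrictHostKeyChecking=yes refuses a host key that is
# not already in known_hosts instead of silently adding it; ForwardX11=no is
# the command-line form of the ~/.ssh/config setting shown above. stderr is
# merged so warnings and "Permission denied" reach the check.
probe_node() {
    local node=$1 out
    out=$(ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
              -o ConnectTimeout=10 -o ForwardX11=no \
              "$node" 'date; hostname' 2>&1)
    check_equivalence_output "$node" "$out"
}

# Probe every node given; exit status is non-zero if any node fails.
check_all_nodes() {
    local rc=0 node
    for node in "$@"; do
        if probe_node "$node"; then
            echo "$node: OK"
        else
            echo "$node: FAILED"
            rc=1
        fi
    done
    return $rc
}

# Usage (run as oracle on each node in turn): ./check_equiv.sh vmlinux1 vmlinux2
if [ $# -gt 0 ]; then
    check_all_nodes "$@"
fi
```

Run it from every node, including against the node itself, just as the manual test does; a node reported as FAILED prints the offending output, which tells you whether the problem is a missing key (Permission denied), an unverified host key (StrictHostKeyChecking) or a noisy login script.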

About the Author

Jeffrey Hunter is an Oracle Certified Professional, Java Development Certified Professional, Author, and an Oracle ACE. Jeff currently works as a Senior Database Administrator for The DBA Zone, Inc. located in Pittsburgh, Pennsylvania. His work includes advanced performance tuning, Java and PL/SQL programming, developing high availability solutions, capacity planning, database security, and physical / logical database design in a UNIX / Linux server environment. Jeff's other interests include mathematical encryption theory, tutoring advanced mathematics, programming language processors (compilers and interpreters) in Java and C, LDAP, writing web-based database administration tools, and of course Linux. He has been a Sr. Database Administrator and Software Engineer for over 20 years and maintains his own website at: http://www.iDevelopment.info. Jeff graduated from Stanislaus State University in Turlock, California, with a Bachelor's degree in Computer Science and Mathematics.



Copyright (c) 1998-2017 Jeffrey M. Hunter. All rights reserved.

All articles, scripts and material located at the Internet address of http://www.idevelopment.info is the copyright of Jeffrey M. Hunter and is protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at jhunter@idevelopment.info.

I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.

Last modified on
Thursday, 02-Feb-2012 15:34:18 EST