Monday, July 6, 2015

Creating SSH trust quickly


For various reasons you may need to set up SSH trust between two nodes for specific user IDs. This post describes a quick way to do it with "ssh-copy-id", which saves the time and effort of copying public keys around by hand: it appends the local public key to the remote user's authorized_keys in one step.

1) Run the command below to list the public keys of all identities currently held by the authentication agent.


ssh-add -L

If you get the output below, no agent is reachable from this shell (SSH_AUTH_SOCK is unset or points at a dead socket), so nothing can be listed yet. This is different from a running agent that holds no keys, which prints "The agent has no identities."


[root@node1 ~]# ssh-add -L
Could not open a connection to your authentication agent.
[root@node1 ~]#


2) Generate an RSA key pair for the user as shown below and confirm that the key files land in the user's ".ssh" directory. Pressing Enter at the passphrase prompt, as here, leaves the private key unencrypted on disk: anyone who can read id_rsa then holds the trust. Set a passphrase where you can and let the agent (step 3) cache it for the session.

[root@node1 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
fc:e6:d0:05:bd:b2:8e:c3:fb:05:31:e9:ec:ef:fa:81 root@node1.mycluster.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|           o     |
|          = .    |
|       . o + .   |
|        S = o    |
|         + *     |
|       .. E o    |
|        o* o .   |
|        o+=++    |
+-----------------+
[root@node1 .ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[root@node1 .ssh]#

3) Add the RSA identity to the authentication agent, then verify that its public key is now listed by the agent.

[root@node1 .ssh]# ssh-add
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@node1 .ssh]# ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwJMQfl9uq0saggFvyEkRE9+FfSAcTjhrKm/OCrG3zudOF5S63W0SSTmn6LdjKspIN+4pewVswVCOfAvbAeHojZu//5020kQt+OY76TvtUFU/YXFaKJElqKs9x9UvPCnCkIDDCJaaYC9nwAbuK6gEf78rqVIbN2uCrKyeA8WNg6EFnaFX/uCnxuikRYZCo88008KnAjvI1guF8AjDRfodJBnrYVdKRaxgwY2VVZ8MkEquTAVRnR2emnGcnZuwy4+4mByMzPKu5c+0zqB/vCFAvVL8uqB8RpEzuz91knenNtYB5sYyFdr0QEZXNTrlAOPJ1gYRHoWEn9Gdqd4jqtyyvw== /root/.ssh/id_rsa

NOTE: If ssh-add reports that it cannot connect to the authentication agent (as in step 1), start one in the current shell with the command below. The eval is needed so that the SSH_AUTH_SOCK and SSH_AGENT_PID variables the agent prints are exported into this shell; the agent is reachable only from this session and the processes it spawns.
eval "$(ssh-agent)"


[root@node1 .ssh]# eval "$(ssh-agent)"
Agent pid 2334
[root@node1 .ssh]#


4) Use ssh-copy-id to install the public key from the local node in the remote user's authorized_keys. With no file given after -i it uses the default identity (~/.ssh/id_rsa.pub). It prompts for the remote user's password once while the trust is being created, and it then asks you to inspect the remote authorized_keys; do so, because the tool appends, and a typo in the target puts your key on the wrong host.

[root@node1 .ssh]# ssh-copy-id -i root@10.10.70.108
root@10.10.70.108's password: 
Now try logging into the machine, with "ssh 'root@10.10.70.108'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@node1 .ssh]#

5) Verify that the trust works. Below we ssh to 10.10.70.108 and land on node3 without a password prompt. For a check from a script, add -o BatchMode=yes so that ssh fails instead of prompting if the key was not accepted.

[root@node1 .ssh]# ssh 10.10.70.108
Last login: Mon Jul  6 12:21:25 2015 from node1
[root@node3 ~]#
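The five steps above, collected into one script as an added example (this is not code from the original post, and not the ssh-copy-id script itself). The install_pubkey function does by hand what ssh-copy-id does on the remote side, so the dedupe and permission behaviour can be checked offline; the create_trust function wires the real commands together for a live host. The target name, key path and the sample public key line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Host names, paths and the
# sample key in the usage below are assumptions for illustration only.

# Append PUBKEY_LINE to AUTH_FILE unless the same key is already there.
# This mirrors what ssh-copy-id arranges on the remote host: ~/.ssh with
# mode 700, authorized_keys with mode 600, and no duplicate entries.
install_pubkey() {
    pubkey_line=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")
    # umask 077 in a subshell so new files are private without changing
    # the caller's umask; chmod covers files that already existed.
    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth_file" )
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
    # Compare on key type + base64 blob only; the trailing comment may differ.
    key_blob=$(printf '%s\n' "$pubkey_line" | awk '{print $1, $2}')
    if awk -v k="$key_blob" '($1 " " $2) == k {found=1} END {exit !found}' "$auth_file"; then
        return 0    # already trusted, nothing to append
    fi
    printf '%s\n' "$pubkey_line" >> "$auth_file"
}

# Number of times the key in PUBKEY_LINE appears in AUTH_FILE (0 if absent).
count_key() {
    key_blob=$(printf '%s\n' "$1" | awk '{print $1, $2}')
    awk -v k="$key_blob" '($1 " " $2) == k {n++} END {print n+0}' "$2"
}

# Live flow against a real host, e.g. create_trust root@10.10.70.108
# (assumed target). Needs ssh-keygen, ssh-agent and ssh-copy-id on PATH.
create_trust() {
    target=$1
    key=${2:-$HOME/.ssh/id_rsa}
    # Steps 1 and 3: make sure an agent is reachable, then load the identity.
    ssh-add -L >/dev/null 2>&1 || eval "$(ssh-agent -s)" >/dev/null
    # Step 2: generate the key only if it does not exist yet.
    # -N "" gives an empty passphrase, as in the post; prefer a real one.
    [ -f "$key" ] || ssh-keygen -t rsa -b 2048 -f "$key" -N ""
    ssh-add "$key"
    # Step 4: install the public key remotely (prompts for the password once).
    ssh-copy-id -i "$key.pub" "$target"
    # Step 5: BatchMode=yes makes ssh fail rather than prompt, so a password
    # prompt cannot be mistaken for a working trust.
    ssh -o BatchMode=yes "$target" true && echo "trust OK to $target"
}

# Example invocation (constructed key, local target directory):
#   k='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleconstructedkeyblob root@node1'
#   install_pubkey "$k" /tmp/demo/.ssh/authorized_keys
#   install_pubkey "$k" /tmp/demo/.ssh/authorized_keys   # second call is a no-op
#   count_key "$k" /tmp/demo/.ssh/authorized_keys        # prints 1
```

The dedupe compares only the key type and base64 blob, because the comment after the blob is free text and the same key copied from two shells will often carry different comments; matching on the whole line would let the same key in twice.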

