Old 03-10-2011, 07:35 AM   #1
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Rep: Reputation: 16
passwordless ssh from one host to another host


How can I configure the openssh in such a way that all users from a system with IP address A connect to system with IP address B without password?
 
Old 03-10-2011, 07:43 AM   #2
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hello,

Check this thread here on LQ for the use of hosts.allow and/or hosts.deny. In regards to your question about not using a password, set up key authentication for the users, it takes some work to create and 'activate' the keys but once it's done you're set to go. This site explains it pretty well for Debian based systems but should be applicable (with or without modification depending on your distro) to other systems.

Kind regards,

Eric
 
Old 03-10-2011, 07:44 AM   #3
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Original Poster
Rep: Reputation: 16
Quote:
Check this thread here on LQ
Sorry which thread?
I am using ubuntu server 10.04
 
Old 03-10-2011, 07:48 AM   #4
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Quote:
Originally Posted by mahmoodn
Sorry which thread?
I am using ubuntu server 10.04
Hi,

Sorry about that. Here's the link to it. Sometimes I hit the Submit button way too fast

Kind regards,

Eric
 
Old 03-10-2011, 08:09 AM   #5
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Original Poster
Rep: Reputation: 16
I read them. Currently I am doing the same thing as http://www.debian-administration.org...ad_of_password says.
On the client I create a public key and copy that to the server. Then I can ssh without password to the server from the client.

However if there are 10 clients and one server, for each user I have to do the task 10 times which is tedious. A more automated (script-like) method is needed.

The detailed explanation of my question is:

Suppose the server has IP address 192.168.1.1 with subnet 255.255.255.0 and the 10 workstations (computing nodes) are in the same subnet. Now I want to configure the ssh server in such a way that all machines in 192.168.1.X do ssh with each other without any password for all users who have an account on the server.

Last edited by mahmoodn; 03-10-2011 at 08:10 AM.
 
Old 03-10-2011, 08:14 AM   #6
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
You can use hostbased authentication, this will also keep each user’s ~/.ssh/known_hosts clean as they are globally defined already.
 
1 members found this post helpful.
Old 03-10-2011, 08:20 AM   #7
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Original Poster
Rep: Reputation: 16
That is exactly what I am looking for. I will try that.
 
Old 03-10-2011, 08:28 AM   #8
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hi,

@Reuti: nice one, never tried it before but will sure put it to use with your tutorial.

@OP: Are you saying that all nodes will do SSH between each other AND to the server? Aside from that, you refer to users having an account on the server, do you mean they need to authenticate to the server before being able to SSH to another node? Either way, using SSH keys on a user base or on a host base as pointed out by Reuti will take some 'work' you have to put in it. Of course you can automate a lot by scripting but for a task that simple you'd probably put in more time in the script than in the actual configuration I think.

Kind regards,

Eric
 
Old 04-25-2011, 03:01 AM   #9
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Original Poster
Rep: Reputation: 16
@Reuti
I am trying to set up that procedure on a different cluster. So here is the problem:

There is no /etc/ssh/ssh_known_hosts in the server
 
Old 04-25-2011, 03:06 AM   #10
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Quote:
Originally Posted by mahmoodn
@Reuti
I am trying to set up that procedure on a different cluster. So here is the problem:

There is no /etc/ssh/ssh_known_hosts in the server
Hi,

Having a look at the manual by Reuti, you probably need to create that file.

Kind regards,

Eric
 
Old 04-25-2011, 03:28 AM   #11
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Original Poster
Rep: Reputation: 16
1- what about the ssh_rsa phrase?
node01,192.168.0.1 ssh-rsa AAAAB3NzaC1yc2EAAA...

2- there is no /usr/lib64/ssh/ssh-keysign
Code:
root@server:/etc/ssh# ssh_keysign
ssh_keysign: command not found
I don't know if this system has the complete things. openssh-server is installed

Last edited by mahmoodn; 04-25-2011 at 03:29 AM.
 
Old 04-25-2011, 03:55 AM   #12
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hello,

Look for the file using locate:
Code:
locate ssh-keysign
On my computer it's in /usr/lib/openssh/. Also as pointed out by Reuti in his manual:
Quote:
One file needs to run as root, but it isn’t installed by default on Linux to include the SUID bit in some distributions, so you have to execute:

$ chmod u+s /usr/lib64/ssh/ssh-keysign

The location of the file may vary on your system.
Of course you need to change the path to the file to reflect your installation.

Kind regards,

Eric
 
Old 04-25-2011, 04:29 AM   #13
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Original Poster
Rep: Reputation: 16
This is what I did from scratch:
Code:
root@server:~# cat /etc/ssh/ssh_config | grep "yes"
#   ForwardX11Trusted yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
   HostbasedAuthentication yes
   EnableSSHKeysign yes
#   CheckHostIP yes
    HashKnownHosts yes
    GSSAPIAuthentication yes

root@server:~# cat /etc/ssh/sshd_config | grep "yes"
UsePrivilegeSeparation yes
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication yes
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
# Change to yes to enable challenge-response passwords (beware issues with
#PasswordAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#GSSAPICleanupCredentials yes
X11Forwarding yes
PrintLastLog yes
TCPKeepAlive yes
# Set this to 'yes' to enable PAM authentication, account processing,
UsePAM yes

root@server:~# cat /etc/ssh/ssh_known_hosts
client,192.168.1.3

root@server:~# chmod u+s /usr/lib/openssh/ssh-keysign
root@server:~#
On the client (note that I used chroot from server to client while logging in the server):
Code:
root@server:/# cat /etc/hosts.equiv
server

root@server:/# cat /etc/ssh/shosts.equiv
server

root@server:/# cat etc/ssh/sshd_config | grep "yes"
UsePrivilegeSeparation yes
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication yes
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
# Change to yes to enable challenge-response passwords (beware issues with
#PasswordAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#GSSAPICleanupCredentials yes
X11Forwarding yes
PrintLastLog yes
TCPKeepAlive yes
# Set this to 'yes' to enable PAM authentication, account processing,
UsePAM yes

root@server:/# cat etc/ssh/ssh_config | grep "yes"
#   ForwardX11Trusted yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   CheckHostIP yes
    HashKnownHosts yes
    GSSAPIAuthentication yes

root@server:/# cat etc/ssh/ssh_known_hosts
server,192.168.1.1
After that I restart ssh on server:
Code:
root@server:~# /etc/init.d/ssh restart
 * Restarting OpenBSD Secure Shell server sshd                                 [ OK ]

root@server:~#
And then reboot the client (since it boots using PXE).

Is that all? After that here is what I get:
Code:
mahmood@server:~$ ssh client
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
mahmood@client's password:
On my previous cluster I did the same. But I cannot remember whether I made any additional steps.

Last edited by mahmoodn; 04-25-2011 at 04:35 AM.
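
Added example, not part of any post in this thread: a small shell check for the pieces of a host-based authentication setup discussed above. It flags `ssh_known_hosts` entries that lack the key type and key fields seen in the `node01,192.168.0.1 ssh-rsa ...` line format, and tests whether an option is enabled on an uncommented config line. The function names, sample files and key blob are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for a host-based SSH authentication setup.
# The sample files are constructed; the key blob is a placeholder, not a real key.

# Print known_hosts entries that are missing the key type or key field.
# Entry format (sshd(8)): [@marker] hostnames keytype base64-key [comment]
bad_known_hosts_lines() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            i = ($1 ~ /^@/) ? 2 : 1              # optional @cert-authority/@revoked marker
            if (NF < i + 2 || $(i + 2) !~ "^[A-Za-z0-9+/]+=*$")
                print NR ": " $0
        }' "$1"
}

# Succeed if KEY is "yes" on an uncommented line of FILE (Host/Match scoping is ignored).
option_enabled() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) && tolower($2) == "yes" { found = 1 }
        END { exit !found }' "$1"
}

# Succeed if the ssh-keysign helper at the given path carries the setuid bit.
keysign_is_setuid() { [ -u "$1" ]; }

# Demo on constructed files shaped like the ones in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssh_known_hosts" <<'EOF'
# constructed sample
node01,192.168.0.1 ssh-rsa Q09OU1RSVUNURURfUExBQ0VIT0xERVJfS0VZ
client,192.168.1.3
EOF
cat > "$demo_dir/ssh_config" <<'EOF'
#   PasswordAuthentication yes
   HostbasedAuthentication yes
   EnableSSHKeysign yes
EOF

echo "Entries without a host key:"
bad_known_hosts_lines "$demo_dir/ssh_known_hosts"
for opt in HostbasedAuthentication EnableSSHKeysign PasswordAuthentication; do
    if option_enabled "$demo_dir/ssh_config" "$opt"; then echo "$opt: yes"
    else echo "$opt: not enabled"; fi
done
```

On a real system the functions would be pointed at `/etc/ssh/ssh_known_hosts`, `/etc/ssh/ssh_config` and the local path of `ssh-keysign`; key lines for the hosts file can be collected with `ssh-keyscan`.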
 
Old 04-25-2011, 04:35 AM   #14
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hi,

At first glance that seems to be all yes, except that you need to run the ssh-keysign command in my opinion. That should generate the key you need to include in your /etc/ssh/ssh_known_hosts file if I'm not mistaken. I've never set up host based authentication so walking a bit in the dark here. If you concluded that you need to test and see if you can login to the other server without providing credentials.

Kind regards,

Eric
 
Old 04-25-2011, 04:39 AM   #15
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Original Poster
Rep: Reputation: 16
Code:
root@server:~# /usr/lib/openssh/ssh-keysign

^C
root@server:~#
I waited for a minute but did not see any message on screen so I terminated it. What is the output of that command?

I updated my previous post with the result of test however it is not working.

Hope that Reuti answers me.
 