Tuesday, February 14, 2012

SSH: Auto-Login

SSH: Auto-Login

When working in a clustering environment, it is often desirable to securely move data between platforms, or even forward individual application displays securely. The SSH protocol allows for such movement, but automatic login is a requirement for automation and scripting. This can be accomplished via pre-exchanged keys.

SSH Forwarding:
To set up SSH application TCP port forwarding, view the following "Solaris 10: SSH and Forwarding HTTP" document.

SSH Auto-Login:
Several steps need to be followed to create the local public key and transfer it to the remote host:

  1. Decide which remote host will receive the "ssh" connections:
    sun9999/user$ Host="sun1234"

  2. Create a minimal permission ".ssh" directory on local host home directory
    sun9999/user$ cd ~ ; mkdir 700 .ssh

  3. Generate an key, such as as "rsa" key on the local host.
    sun9999/user$ ssh-keygen -t rsa

  4. Ensure a minimal permission ".ssh" directory exists on remote host home directory
    sun9999/user$ rsh ${Host} '[ ! -d .ssh ] && mkdir -m 700 .ssh'

  5. Copy the local "rsa" key to the ".ssh" directory on remote host: remhost
    sun9999/user$ cat .ssh/id_rsa.pub |
    rsh ${Host} 'cat >> .ssh/authorized_keys'

  6. Test the connection to the remote host, no password prompting should occur
    sun9999/user$ ssh ${Host} 'uname -n'

SSH: Auto-Login Debugging:
If password prompting is still occurring after the previous steps, one can use the "ssh -v" option in the test phase of step 6 above, in order to provide additional debugging verbosity.

A common error might be:
  • Failed to acquire GSS-API credentials for any mechanisms
    If the keys are properly created and login is still prompted for, ensure the remote host has "700" permissions on the ".ssh" directory and "755" permissions on the $HOME.

  • Password prompting for root
    By default, "ssh" will not work as the "root" user. Of course, this creates a problem when trying to forward ports which are below 1024 (i.e. http port tcp/80.) To correct:
    vi /etc/ssh/sshd_config
    PermitRootLogin yes
    svcadm restart ssh

Thoughts on Security:
Simple connectivity in a cluster can be done with the "r" tools ("rsh", "rcp", "rlogin".) Passwords are passed in the clear, when a user types them, at a prompt. Most critics advocate SSH as a more secure solution for clustering.

The "r" tools can also be set up for auto-login, in a clustered environment. This can be a reasonable alternative to the heavier "ssh" protocol, which burns CPU cycles on mandated end-to-end encryption, if data being passed is of little consequence.

Thoughts on Today's Date :
This article was published on "Saint Valentines Day" - Happy Saint Valentine's Day to you!

No comments:

Post a Comment