Tuesday, August 16, 2005

AIX - Enabling Password-Free ssh2 Logins

I'm putting this up just for the sake of having the info out there on the web, since I had such a pain trying to find this myself.

This is the process (and associated caveats) I had to go through in order to enable ssh2 login between machines without a password prompt. This document specifically applies to AIX 5.2, but there are some (possibly) OS-related syntactical differences noted in the "Observations" section below.

1. Overview:
a. Run ssh-keygen2 and create the public/private key pair on the LOCAL machine.
b. Create a machine-independent copy of the public key for distribution to the REMOTE machines on which the commands are to be executed.
c. Create and configure the $USERID_HOME/.ssh2/identification file on the LOCAL machine to enable public/private keypair authentication locally.
d. Create and configure the $USERID_HOME/.ssh2/authorization file on the REMOTE machine to enable public/private keypair authentication remotely.

If everything above is done correctly, one should be able to logon to the REMOTE machine from the LOCAL using:
ssh2 $REMOTE_HOSTNAME

2. Details
From the machine from which the commands will be invoked for remote execution (the LOCAL machine):
a. ssh-keygen2 -P (The "-P" switch creates the private key with an empty passphrase, i.e. the key file is stored unencrypted, which is what makes the login prompt-free. It also means that anyone who can read that file can log in as you on every REMOTE machine it is authorized on, so keep it readable only by the owner and never copy it off the LOCAL machine. Key generation may take many minutes.)
This will create the following files in the $USERID_HOME/.ssh2 directory:
id_dsa_2048_a.pub (public key, to be copied remotely)
id_dsa_2048_a (private key, do not copy externally; keep it mode 600)
b. Copy PUBLIC_KEY_FILE (id_dsa_2048_a.pub) to a filename that will be unique on the REMOTE machine, since every LOCAL host/user pair that is allowed in needs its own file there. The usual naming convention is:
$LOCAL_HOSTNAME.$USER_ID.key.pub (in my case: server1.jadmin.key.pub)
c. Create the identification file on the LOCAL machine and enter the following line to enable private key authentication locally:
IdKey id_dsa_2048_a (Note that this names the private key, not the public key; also note the capital "I" and "K" in "IdKey". The filename is relative to $USERID_HOME/.ssh2.)
d. Use some file transfer protocol to distribute the PUBLIC_KEY_FILE to the REMOTE machine's $USERID_HOME/.ssh2 directory (only the .pub copy, never the private key):
scp server1.jadmin.key.pub server2:/home/jadmin/.ssh2/ (in my case; SFTP would work as well)
e. Create the authorization file on the REMOTE machine, and add the following line:
Key $PUBLIC_KEY_FILE (Key server1.jadmin.key.pub in my case; note the capital "K" in "Key". The filename is relative to the REMOTE $USERID_HOME/.ssh2. That directory and the authorization file must not be group- or world-writable, or sshd2 (with its default StrictModes) will refuse to use the key and fall back to the password prompt. The authorization file also accepts an Options line for restricting what a key may do; see the sshd2 man page on your version. For a passphrase-less automation key it is worth restricting it to the command it needs.)

At this point, you should now be able to ssh2 to the REMOTE machine from the LOCAL machine without a password prompt. (The very first connection to a new host will still ask you to accept its host key; that prompt is about the server's identity, not your password, and it does not come back once the key is saved. If a password prompt does still appear, run ssh2 -v $REMOTE_HOSTNAME and look at where the public key authentication is rejected: wrong filename in a Key or IdKey line, wrong capitalization, or bad permissions are the usual causes.)
Any existing REMOTE scripts should now be executable from the LOCAL machine without a password prompt using the following syntax:
ssh2 REMOTE_HOSTNAME REMOTE_ABSOLUTE_FILE_LOCATION (ssh2 server2 /home/jadmin/SCRIPTS/testscript.sh)
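The whole procedure above, wrapped in shell helpers, as an added example that is not from the original post and not part of the ssh2 tools themselves. It writes the identification and authorization lines with the exact keywords, checks that the file that reached the REMOTE side really is the public key in the format ssh-keygen2 writes (header line "---- BEGIN SSH2 PUBLIC KEY ----"), and checks the permission bits that make sshd2 fall back to a password prompt. The ~/.ssh2 layout is the one described in the post; ssh-keygen2 and scp are not run here, and the demo at the bottom builds a LOCAL and a REMOTE .ssh2 directory under a temp directory with placeholder key bodies instead.

```shell
#!/bin/sh
# Added example: helpers for the ssh.com SSH2 (ssh2/sshd2) key setup in the post.
# Assumes the post's layout: ~/.ssh2/identification on the LOCAL machine,
# ~/.ssh2/authorization on the REMOTE machine, and the SECSH header line
# "---- BEGIN SSH2 PUBLIC KEY ----" that ssh-keygen2 writes to the .pub file.
# ssh-keygen2 and scp are not invoked; the demo at the bottom uses placeholders.

# Distribution name for the public-key copy: HOST.USER.key.pub (step 2b).
key_name() {                    # key_name LOCAL_HOSTNAME USER_ID
    printf '%s.%s.key.pub\n' "$1" "$2"
}

# LOCAL side (step 2c): identification names the PRIVATE key, keyword IdKey.
write_identification() {        # write_identification SSH2DIR PRIVKEY_NAME
    printf 'IdKey %s\n' "$2" > "$1/identification"
    chmod 600 "$1/identification"
}

# REMOTE side (step 2e): authorization names the copied PUBLIC key, keyword Key.
add_authorization() {           # add_authorization SSH2DIR PUBKEY_NAME
    printf 'Key %s\n' "$2" >> "$1/authorization"
    chmod 600 "$1/authorization"
}

# 0 if FILE starts with the SECSH public-key header, 1 otherwise. Catches the
# two classic mistakes: shipping the private key, or an OpenSSH one-line key.
is_ssh2_pubkey() {              # is_ssh2_pubkey FILE
    [ "$(head -n 1 "$1")" = "---- BEGIN SSH2 PUBLIC KEY ----" ]
}

# Group and other rwx bits (columns 5-10 of ls -l), e.g. "------" for 0700/0600.
group_other_bits() { ls -ld "$1" | cut -c5-10; }

# SSH2DIR must not be group/world writable (sshd2 StrictModes rejects it) and
# the private key must be unreadable by anyone but the owner.
check_perms() {                 # check_perms SSH2DIR PRIVKEY_FILE
    rc=0
    case $(group_other_bits "$1") in
        ?-??-?) ;;              # group w and other w both clear
        *) echo "$1: group/world writable" >&2; rc=1 ;;
    esac
    [ "$(group_other_bits "$2")" = "------" ] || { echo "$2: readable by others" >&2; rc=1; }
    return $rc
}

# Every Key line in SSH2DIR/authorization must name a public-key file that was
# actually copied into SSH2DIR and is in ssh-keygen2's format.
check_authorization() {         # check_authorization SSH2DIR
    rc=0
    while read -r kw file; do
        [ "$kw" = "Key" ] || continue
        if ! [ -f "$1/$file" ]; then
            echo "authorization: $file not found in $1" >&2; rc=1
        elif ! is_ssh2_pubkey "$1/$file"; then
            echo "authorization: $file is not an SSH2 public key" >&2; rc=1
        fi
    done < "$1/authorization"
    return $rc
}

# Constructed demo: a LOCAL and a REMOTE .ssh2 under a temp directory. The key
# bodies are placeholders, not real key material; in real use the files come
# from ssh-keygen2 -P and the copy across is scp/sftp.
demo=$(mktemp -d) || exit 1
client="$demo/local/.ssh2"; server="$demo/remote/.ssh2"
mkdir -p "$client" "$server"; chmod 700 "$client" "$server"
printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'Comment: "placeholder"' \
    'AAAA' '---- END SSH2 PUBLIC KEY ----' > "$client/id_dsa_2048_a.pub"
printf '%s\n' '---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----' 'AAAA' \
    '---- END SSH2 ENCRYPTED PRIVATE KEY ----' > "$client/id_dsa_2048_a"
chmod 600 "$client/id_dsa_2048_a"

pub=$(key_name server1 jadmin)                 # server1.jadmin.key.pub
cp "$client/id_dsa_2048_a.pub" "$client/$pub"  # step 2b
write_identification "$client" id_dsa_2048_a   # step 2c
cp "$client/$pub" "$server/$pub"               # step 2d (scp in real life)
add_authorization "$server" "$pub"             # step 2e

if check_perms "$client" "$client/id_dsa_2048_a" && check_authorization "$server"; then
    echo "setup looks consistent; next: ssh2 -v server2"
fi
```

In real use, point check_perms at the LOCAL $USERID_HOME/.ssh2 and private key, and check_authorization at the REMOTE $USERID_HOME/.ssh2 after the scp; the two checks cover the cases where ssh2 silently falls back to asking for a password instead of reporting why the key was not used.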

3. Observations and Other Finicky Bits:
1. For the identification and authorization files, capitalization appears to be key: "Key PUBLIC_KEY_FILE" and "IdKey PRIVATE_KEY_FILENAME" require a capital "K" and capital "I" and "K" respectively. Some documentation seems *not* to use caps; presumably this is either a typo or an OS-related thing.
2. Some instructions I found call for the REMOTE file ~/.ssh/authorized_keys2, whereas other sources use the ~/.ssh2/authorization file, which is what worked for me.
3. Once you have created the PUBLIC_KEY_FILE, you can rename it without any hash value concerns, since the contents are independent of the filename; just make sure the Key line in the REMOTE authorization file matches the name you chose.

**UPDATE**(2006-04-28) Alternately, this guy has another technique.
