Create SSH Key Pair (ssh-keygen) for Remote Administration by Certificate

Mindwatering Incorporated

Author: Tripp W Black

Created: 11/21/2019 at 02:25 PM


Category:
Linux
Configuration

Task:
Create a key pair so that an admin on one system can log in to other systems with SSH public-key authentication instead of a user name and password. (The article calls the key a certificate; strictly it is an OpenSSH key pair, not an X.509 certificate, and the same steps apply.)


Steps:

1. Stage:
Create the .ssh/ directory in the home folder if it does not already exist; ssh and sshd expect it to be readable by the owner only.
Optionally create a working/staging folder for moving public keys around.
$ cd ~/
$ mkdir -p .ssh
$ chmod 700 .ssh
$ mkdir working
$ cd working


2. Create the key pair:
$ ssh-keygen
Enter the file in which to save the key (/home/myadmin/.ssh/id_rsa): /home/myadmin/.ssh/id_rsa_myadmin
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

A passphrase protects the private key if the file is ever copied off this machine; set one unless the key will be used by an unattended script. Note that a non-default file name such as id_rsa_myadmin is NOT tried automatically by ssh, so the later ssh commands pass it with -i (or set IdentityFile for the host in ~/.ssh/config).

At this point the key pair exists and ssh-keygen reports where it was written:

Your identification has been saved in /home/myadmin/.ssh/id_rsa_myadmin.
Your public key has been saved in /home/myadmin/.ssh/id_rsa_myadmin.pub.
The key fingerprint is:
SHA256:dd4hZzyxABCstxa7E6+Abc9Pw6alt0Oe1a2gZ512330 myadmin@MasterVM
The key's randomart image is:
+---[RSA 2048]----+
...
+----[SHA256]-----+


3. Transfer the public key to the other remote machines to be managed:
Copy id_rsa_myadmin.pub (only the .pub file; the private key never leaves this machine) to every machine this admin ID is allowed to access via SSH.
$ ssh-copy-id -i ~/.ssh/id_rsa_myadmin.pub myadmin@123.123.12.1
(where myadmin is your login ID on the other VM, and 123.123.12.1 is the target IP; without -i, ssh-copy-id picks the most recently modified id*.pub in ~/.ssh, which may not be the key you just made)
or,
you can do it the long way:
$ cat ~/.ssh/id_rsa_myadmin.pub | ssh myadmin@123.123.12.1 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

After issuing either command you will see something like:
The authenticity of host '123.123.12.1 (123.123.12.1)' can't be established.
RSA key fingerprint is a1:2b:3c:45:de:56:f1:12:ab:34:cd:56:ef:78:90:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '123.123.12.1' (RSA) to the list of known hosts.
myadmin@123.123.12.1's password:

Answer yes only after checking that the host key fingerprint matches the one on the target (on its console, run ssh-keygen -lf against the matching /etc/ssh/ssh_host_*_key.pub file); this first connection is the one chance to notice a man-in-the-middle before the host key is trusted. Newer OpenSSH releases print the fingerprint as SHA256:... and offer a (yes/no/[fingerprint]) prompt. Then enter the account password at the prompt; this is the last time it is needed.


4. Login again:
Confirm that the new key-based login works:
$ ssh -i ~/.ssh/id_rsa_myadmin myadmin@123.123.12.1

You should NOT be prompted for the account password. If you set a passphrase in step 2, you are asked for that passphrase instead (ssh-agent can cache it for the session). To avoid typing -i every time, set IdentityFile for this host in ~/.ssh/config.
On the target server, confirm that sudo still gives you root:
myadmin@WorkerVM:~$ sudo su

If successful, you can disable the root SSH login on the target worker servers in step 5 below.


5. Disable Root Password Login
Disable password login for root on the target servers.

If the target VM allows root to log in with a password, disable it, since we will use sudo to get root privileges. Ubuntu's stock sshd_config already defaults to PermitRootLogin prohibit-password (and the root account has no password), so this step can be skipped there.

Change PermitRootLogin to prohibit-password (without-password is the older spelling of the same setting and is still accepted), or to no if root should never log in over SSH at all:
root@WorkerVM:/home/myadmin# vi /etc/ssh/sshd_config
...
PermitRootLogin prohibit-password
...
<esc>:wq

sshd uses the first uncommented occurrence of a keyword, so make sure no earlier PermitRootLogin yes line remains, and on newer Ubuntu releases check for overrides under /etc/ssh/sshd_config.d/ as well. Test the syntax before reloading, and keep your current session open until a fresh login from a second terminal succeeds:
root@WorkerVM:/home/myadmin# sshd -t
root@WorkerVM:/home/myadmin# systemctl reload sshd.service
(on Ubuntu the unit is ssh.service; sshd.service is an alias on recent releases)

Once key login has been confirmed for every admin account on a server, the same file can also get PasswordAuthentication no, which is what actually stops password guessing against ordinary user accounts.

Repeat steps 3 through 5 on the rest of the Worker VMs.
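The following shell script is an added example, not part of the original article and not OpenSSH's own code: it does on the target what the "long way" in step 3 does, but idempotently and with the permissions sshd requires, and it reads back the PermitRootLogin value the way sshd resolves it (first uncommented match in the global section), which is the check you want before reloading in step 5. It assumes a POSIX sh with awk and mktemp; the function names and the sample key/config data are this example's own, and the key blob is filler, not a real key.

```shell
#!/bin/sh
# Added example (not from the article): idempotent authorized_keys install and a
# first-match-wins sshd_config reader. Function names are this example's own.
set -eu

# Install one OpenSSH public key line into $1/.ssh/authorized_keys.
#  - rejects anything that does not look like "<type> <base64> [comment]"
#  - does not append a key that is already present (the comment may differ)
#  - enforces 700 on .ssh and 600 on authorized_keys; sshd's StrictModes
#    silently ignores the file when it is group- or world-writable
install_authorized_key() {
    home="$1"
    pubkey="$2"
    case "$pubkey" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "refusing: unsupported or malformed key line" >&2; return 1 ;;
    esac
    blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    case "$blob" in
        ""|*[!A-Za-z0-9+/=]*) echo "refusing: key blob is not base64" >&2; return 1 ;;
    esac
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')   # type + blob identify the key
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' \
            "$home/.ssh/authorized_keys"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    echo "installed"
}

# Print the value sshd will use for a keyword in the global section of one
# config file: comment lines are skipped, the FIRST uncommented match wins, and
# scanning stops at the first Match block (settings inside Match are
# conditional). Include directives are not followed; on a live host,
# "sshd -T" dumps the fully resolved configuration.
sshd_effective() {
    conf="$1"
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == k { print $2; exit }
    ' "$conf"
}

# Constructed sample data so the script runs stand-alone (filler key, not real).
demo() {
    tmp=$(mktemp -d)
    pub='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl myadmin@MasterVM'
    install_authorized_key "$tmp/home" "$pub"   # installed
    install_authorized_key "$tmp/home" "$pub"   # already present
    # weak: a commented line, then "yes" before "no" -> sshd takes "yes"
    printf '#PermitRootLogin no\nPermitRootLogin yes\nPermitRootLogin no\n' > "$tmp/weak"
    printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\n' > "$tmp/hard"
    echo "weak config: PermitRootLogin=$(sshd_effective "$tmp/weak" PermitRootLogin)"   # yes
    echo "hard config: PermitRootLogin=$(sshd_effective "$tmp/hard" PermitRootLogin)"   # prohibit-password
    rm -rf "$tmp"
}
demo
```

Run it on the target as the admin user (sh install_key.sh) after pasting the real .pub line into pub, or source the file and call install_authorized_key "$HOME" "$(cat id_rsa_myadmin.pub)". The duplicate check compares only key type and blob, so re-running after a comment change does not produce a second authorized_keys entry.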



________

Notes:
To use a different algorithm and/or key size, specify it:
$ ssh-keygen -t rsa -b 4096
$ ssh-keygen -t ecdsa -b 521
$ ssh-keygen -t ed25519
(ed25519 keys are short, fast and have no key-size choice to get wrong; prefer them where the servers run OpenSSH 6.5 or newer. Avoid -t dsa, which has been disabled by default since OpenSSH 7.0.)

Always be the user before you generate keys; otherwise the key lands in the wrong home directory with the wrong owner. For example:
$ su - somebody
<enter password>
$ ssh-keygen ...


