Passwordless SSH

From Da Nerd Mage Wiki
Latest revision as of 15:30, 3 January 2022

For Linux

This needs to be done on the machine you will be SSHing FROM: the key pair is generated there, and only the public half (id_rsa.pub) is copied to the target. The private key (id_rsa) never leaves the source machine. ssh-keygen -t rsa takes the OpenSSH default key length; the ESXi section below asks for 4096 bits explicitly, which is the better choice for a key that will sit around for years.

  • ssh-keygen -t rsa
  • cat ~/.ssh/id_rsa.pub | ssh USER@OTHERLINUXBOX 'cat >> ~/.ssh/authorized_keys'

It is possible that ~/.ssh does not yet exist on the target machine. If so, you'll need to create it first, and the permissions matter: sshd (with StrictModes, which is on by default) silently ignores an authorized_keys file that is group- or world-writable, so ~/.ssh should be mode 700 and authorized_keys mode 600. If the target has ssh-copy-id available, it does the directory creation, permission fixing and appending in one step.

  • ssh USER@OTHERLINUXBOX 'mkdir ~/.ssh'

For ESXi

These instructions assume 2 ESXi servers: ESXi0 & ESXi1

Both of these servers have a datastore named Admin for Administrative stuff and a Folder named Utilities for storing useful things.

You will need SSH client enabled in the built-in firewall on your ESXi hosts. The SSH service (sshd) is what lets you log in to a host; the separate "SSH Client" firewall rule is what allows the host itself to make outbound connections on port 22, and it is disabled by default.

ESXi to ESXi

Source: How to SSH between ESXi 6.0U2 hosts without providing a password

The following 2 sections are basically lists of Copy-Pasta commands for each server.

ESXi0

  • If it doesn't exist yet, create the Utilities folder:
    • mkdir /vmfs/volumes/Admin/Utilities
  • mkdir /vmfs/volumes/Admin/Utilities/ssl
  • mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1
  • mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
  • mkdir /.ssh
    • root's home directory on ESXi is /, so /.ssh is where ssh-keygen and ssh look for the key by default. It lives on the in-memory root filesystem and is gone after a reboot, which is why the key is copied to the datastore and restored from local.sh below.
  • cd /.ssh
  • /usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096
    • Just accept the defaults (key in /.ssh/id_rsa, empty passphrase, since the key has to work unattended)
  • cat id_rsa.pub | ssh root@ESXi1 'cat >> /etc/ssh/keys-root/authorized_keys'
  • cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
    • This copies the private key too. Anyone who can read the Admin datastore can now log in to ESXi1 as root, so keep access to that datastore restricted.
  • vi /etc/rc.local.d/local.sh and add the following two lines before the final exit 0 (anything placed after it never runs):
mkdir /.ssh
cp /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys/* /.ssh

ESXi1

  • If it doesn't exist yet, create the Utilities folder:
    • mkdir /vmfs/volumes/Admin/Utilities
  • mkdir /vmfs/volumes/Admin/Utilities/ssl
  • mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0
  • mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
  • mkdir /.ssh
  • cd /.ssh
  • /usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096
    • Just accept the defaults
  • cat id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
  • cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
  • vi /etc/rc.local.d/local.sh and add the following two lines before the final exit 0 (anything placed after it never runs):
mkdir /.ssh
cp /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys/* /.ssh

On Both Servers

  • chmod +t /etc/ssh/keys-root/authorized_keys
    • The sticky bit marks a file under /etc for inclusion in the ESXi configuration backup, which is what makes the change survive a reboot.
  • vi /etc/ssh/sshd_config
  • (Ensure the following items are in the file)
PermitRootLogin yes
UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication no
    • sshd uses the first occurrence of a directive and ignores later ones, so check that no earlier, conflicting line is left in the file.
  • /etc/init.d/SSH restart
    • Keep your current session open and test the key login from a second session before closing it, so a typo in sshd_config can't lock you out of SSH (the DCUI/console would still work).
  • /sbin/auto-backup.sh
    • Writes the configuration backup now rather than waiting for the periodic run, so a reboot in the meantime doesn't lose the changes.

At this point, you should be able to SSH from one to the other without needing to enter a password.
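The local.sh edit and the sshd_config check above are the two places where this procedure fails silently: restore lines appended after local.sh's `exit 0` never run, and a directive that appears twice in sshd_config takes its first value. As an added example that is not part of the wiki page or of VMware's tooling, here are both steps as re-runnable POSIX sh functions. The ESXi paths are the ones used on this page; the restore additionally sets mode 600 on the copied private key, which ssh refuses to use otherwise. The demonstration at the bottom runs against constructed scratch copies of the two files so the script can be tried anywhere; the file contents are stand-ins, not the real ESXi files.

```shell
#!/bin/sh
# Added example, not from the wiki page or VMware: the two persistence
# steps as re-runnable functions. On the ESXi host the real calls are:
#   ensure_key_restore /etc/rc.local.d/local.sh /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
#   check_sshd_config /etc/ssh/sshd_config && /etc/init.d/SSH restart && /sbin/auto-backup.sh

# ensure_key_restore LOCAL_SH KEYDIR
#   Inserts the restore lines *before* the final "exit 0" of local.sh
#   (anything after that line never runs), once only, and restores the
#   private key with mode 600, which ssh insists on.
ensure_key_restore() {
    local_sh=$1 keydir=$2
    marker="# restore ssh key pair from $keydir"
    grep -qF -- "$marker" "$local_sh" && return 0      # already done
    tmp="$local_sh.tmp.$$"
    awk -v marker="$marker" -v keydir="$keydir" '
        { line[NR] = $0; if ($0 ~ /^exit 0 *$/) last = NR }
        END {
            if (!last) last = NR + 1        # no exit 0 at all: append
            for (i = 1; i < last; i++) print line[i]
            print marker
            print "mkdir -p /.ssh"
            print "cp " keydir "/* /.ssh"
            print "chmod 700 /.ssh"
            print "chmod 600 /.ssh/id_rsa"
            for (i = last; i <= NR; i++) print line[i]
        }' "$local_sh" > "$tmp" \
    && cat "$tmp" > "$local_sh" && rm -f "$tmp"   # cat keeps local.sh's mode and sticky bit
}

# check_sshd_config SSHD_CONFIG
#   Verifies that the three directives this page requires are the
#   *effective* ones: sshd takes the first uncommented occurrence of a
#   keyword (outside Match blocks) and ignores later ones. Prints every
#   mismatch to stderr; returns 0 only if all three match.
check_sshd_config() {
    cfg=$1 rc=0
    for want in "PermitRootLogin yes" "UsePAM yes" "PasswordAuthentication no"; do
        name=${want%% *} value=${want#* }
        got=$(awk -v n="$name" 'tolower($1) == tolower(n) { print $2; exit }' "$cfg")
        if [ "$got" != "$value" ]; then
            echo "$name: expected $value, effective value is '${got:-unset}'" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on constructed stand-ins for
# /etc/rc.local.d/local.sh and /etc/ssh/sshd_config (not the real files).
demo=$(mktemp -d)
printf '#!/bin/sh\n# local configuration options\nexit 0\n' > "$demo/local.sh"
printf 'PermitRootLogin no\n# only use PAM challenge-response (keyboard-interactive)\nPasswordAuthentication no\nUsePAM yes\nPermitRootLogin yes\n' > "$demo/sshd_config"
ensure_key_restore "$demo/local.sh" /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
ensure_key_restore "$demo/local.sh" /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys   # second run is a no-op
cat "$demo/local.sh"
# The stand-in sshd_config has "PermitRootLogin no" first, so this reports the mismatch.
check_sshd_config "$demo/sshd_config" || echo "fix sshd_config before restarting SSH" >&2
rm -rf "$demo"
```

The awk pass is used instead of sed so that the insertion goes before the last `exit 0` even when the file has comments or blank lines after it; writing the result back with `cat` rather than `mv` keeps the original inode, so local.sh stays executable and keeps its sticky bit.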

Troubleshooting SSH on ESXi

If you get "ssh: connect to host WHATEVER port 22: Connection timed out" when trying to SSH from an ESXi host, double check the configuration of SSH Client in the server's firewall rules: a timeout on the ESXi side means the outbound connection is being dropped. "Connection refused" instead points at the target, where the SSH service is not running. If the connection opens but you are still asked for a password, check the authorized_keys permissions and the sshd_config items above.

ESXi to Linux

Assuming you've already created your keys using ssh-keygen in ESXi to ESXi (root's home on ESXi is /, hence the /.ssh path)

  • cat /.ssh/id_rsa.pub | ssh USER@LINUXBOX 'cat >> ~/.ssh/authorized_keys'

It is possible that ~/.ssh does not yet exist on the target machine. If so, you'll need to create it:

  • ssh USER@LINUXBOX 'mkdir ~/.ssh'

Linux to ESXi

Assuming you've already created the directory structure in ESXi to ESXi (and applied the sshd_config items and the sticky bit on authorized_keys from On Both Servers)

  • ssh-keygen -t rsa (skip this if the Linux box already has a key pair you want to use)
  • cat ~/.ssh/id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
  • ssh root@esxi0 "/sbin/auto-backup.sh" (so the new authorized_keys entry is included in the configuration backup and survives a reboot)
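The three `cat id_rsa.pub | ssh ... 'cat >> authorized_keys'` steps on this page (For Linux, ESXi to Linux and Linux to ESXi) share one weakness: they append blindly, so a re-run duplicates the key, a mistyped `cat id_rsa` would ship the private key to the target, and a freshly created `~/.ssh` ends up with whatever mode the umask gives. As an added example, not from the wiki page, this POSIX sh installer does the same job with those checks, takes the target directory as a parameter (`~/.ssh` on Linux, `/etc/ssh/keys-root` for root on ESXi) and lets you attach an authorized_keys options prefix such as `from=` and `command=`, which is what you want for a key whose only job is to run `/sbin/auto-backup.sh`. The host names, user names and the key blob in the demonstration are placeholders; the blob is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the wiki page: the "cat id_rsa.pub | ssh ...
# 'cat >> authorized_keys'" step with the checks that one-liner skips.
# The target directory is a parameter: ~/.ssh on Linux, /etc/ssh/keys-root
# for root on ESXi. The remote side only needs busybox sh, grep and mkdir.

# Kept as text so the same code is eval'd locally and shipped verbatim
# to the remote shell over ssh.
INSTALL_FN=$(cat <<'EOF'
# install_authorized_key DIR KEYLINE [OPTIONS]
#   DIR      directory holding authorized_keys
#   KEYLINE  one line of an OpenSSH .pub file
#   OPTIONS  optional authorized_keys options prefix, e.g.
#            'from="192.0.2.10",command="/sbin/auto-backup.sh"'
# Returns 0 if the key is present afterwards, 1 if KEYLINE was rejected.
install_authorized_key() {
    dir=$1 key=$2 opts=${3:-}
    file="$dir/authorized_keys"
    # Accept only a public-key line of a type OpenSSH knows, with a base64
    # blob. This also stops an accidental "cat id_rsa" (the private key)
    # from being installed.
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[^ ]+) [A-Za-z0-9+/=]+( |$)'; then
        echo "refusing: not an OpenSSH public key line" >&2
        return 1
    fi
    blob=${key#* }; blob=${blob%% *}      # second field: the base64 blob
    # sshd (StrictModes) ignores authorized_keys that others can write to.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # De-duplicate on the blob, so a re-run (or the same key with another
    # comment or options prefix) does not grow the file.
    if grep -qF -- "$blob" "$file"; then
        echo "key already present in $file" >&2
        return 0
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$key" >> "$file"
    else
        printf '%s\n' "$key" >> "$file"
    fi
}
EOF
)
eval "$INSTALL_FN"

# Shell-quote one argument for the remote command line.
shquote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# install_remote_key USER@HOST PUBFILE [DIR] [OPTIONS]
#   Runs install_authorized_key on the target over ssh. DIR defaults to
#   $HOME/.ssh (expanded on the target); use /etc/ssh/keys-root for ESXi.
install_remote_key() {
    target=$1 pubfile=$2 dir=${3:-\$HOME/.ssh} opts=${4:-}
    key=$(head -n 1 "$pubfile")
    printf '%s\ninstall_authorized_key "%s" %s %s\n' \
        "$INSTALL_FN" "$dir" "$(shquote "$key")" "$(shquote "$opts")" \
        | ssh "$target" sh
}

# Stand-alone demonstration against a scratch directory with a constructed
# (not real) key blob. The real calls look like:
#   install_remote_key USER@LINUXBOX ~/.ssh/id_rsa.pub
#   install_remote_key root@ESXi0 ~/.ssh/id_rsa.pub /etc/ssh/keys-root \
#       'from="192.0.2.10",command="/sbin/auto-backup.sh"'
demo=$(mktemp -d)
demo_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoBlob00000000000000000000 backup@linuxbox"
install_authorized_key "$demo/.ssh" "$demo_key" 'from="192.0.2.10",command="/sbin/auto-backup.sh"'
install_authorized_key "$demo/.ssh" "$demo_key"     # second run: reported as already present
cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

Pinning the key with `from=` and `command=` turns it from a general-purpose root login into a credential that can only run the backup script from one address; if the backup host is ever compromised, that is the difference between losing a backup job and losing the hypervisor.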

Bonus Thoughts...

I can't see any reason these instructions couldn't be used to provide passwordless SSH to a remote ESXi server with a non-standard port number for SSH... (HINT: Works just fine...)

& since SCP runs over SSH...

Could be used for automatically copying backups to/from an offsite server... If you do, remember that the key on the backup host is an unattended root credential for the ESXi side: the authorized_keys options from= (to pin the allowed source address) and command= (to pin what the key may run) keep it from being a general-purpose root login should that host ever be compromised.

hhhmmm...