Difference between revisions of "Passwordless SSH"
(Created page with "These instructions assume 2 ESXi servers: ESXi0 & ESXi1 Both of these servers have a datastore named '''Admin''' for Administrative stuff and a Folder named '''Utilities''' for storing useful things. You will need '''SSH client''' enabled in the built-in firewall on your ESXi hosts. *Allowing SSH & SCP between ESXi Hosts **SSH Client must be enabled in the ESXi firewall (for the outbound connection) **[https://4sysops.com/archives/how-to-open-and-close-firewall-ports-...") |
|||
(4 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
== For Linux == | |||
This needs to be done on the machine you will be SSHing '''FROM'''. | |||
*<code>ssh-keygen -t rsa</code> | |||
*<code>cat ~/.ssh/id_rsa.pub {{!}} ssh USER@OTHERLINUXBOX 'cat >> ~/.ssh/authorized_keys'</code> | |||
It is possible that <code>~/.ssh</code> does not yet exist on the target machine. If so, you'll need to create it: | |||
*<code>ssh USER@OTHERLINUXBOX 'mkdir ~/.ssh'</code> | |||
== For ESXi == | |||
These instructions assume 2 ESXi servers: ESXi0 & ESXi1 | These instructions assume 2 ESXi servers: ESXi0 & ESXi1 | ||
Line 65: | Line 76: | ||
=== ESXi to Linux === | === ESXi to Linux === | ||
Assuming you've already created your keyes in [[ | Assuming you've already created your keyes using <code>ssh-keygen</code> in [[#ESXi to ESXi{{!}}ESXi to ESXi]] | ||
*<code>cat /.ssh/id_rsa.pub {{!}} ssh USER@LINUXBOX 'cat >> ~/.ssh/authorized_keys'</code> | *<code>cat /.ssh/id_rsa.pub {{!}} ssh USER@LINUXBOX 'cat >> ~/.ssh/authorized_keys'</code> | ||
Line 73: | Line 84: | ||
=== Linux to ESXi === | === Linux to ESXi === | ||
Assuming you've already created the directory structure in [[ | Assuming you've already created the directory structure in [[#ESXi to ESXi{{!}}ESXi to ESXi]] | ||
*<code>ssh-keygen -t rsa</code> | *<code>ssh-keygen -t rsa</code> | ||
*<code>cat ~/.ssh/id_rsa.pub {{!}} ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'</code> | *<code>cat ~/.ssh/id_rsa.pub {{!}} ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'</code> | ||
*<code>ssh root@esxi0 "/sbin/auto-backup.sh"</code> | *<code>ssh root@esxi0 "/sbin/auto-backup.sh"</code> | ||
=== Bonus Thoughts... === | === Bonus Thoughts... === | ||
Line 95: | Line 98: | ||
hhhmmm... | hhhmmm... | ||
[[Category:Linux]] | |||
[[Category:ESXi]] | |||
[[Category:LinuxTools]] |
Latest revision as of 15:30, 3 January 2022
For Linux
This needs to be done on the machine you will be SSHing FROM.
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub | ssh USER@OTHERLINUXBOX 'cat >> ~/.ssh/authorized_keys'
It is possible that ~/.ssh
does not yet exist on the target machine. If so, you'll need to create it:
ssh USER@OTHERLINUXBOX 'mkdir ~/.ssh'
For ESXi
These instructions assume 2 ESXi servers: ESXi0 & ESXi1
Both of these servers have a datastore named Admin for Administrative stuff and a Folder named Utilities for storing useful things.
You will need SSH client enabled in the built-in firewall on your ESXi hosts.
- Allowing SSH & SCP between ESXi Hosts
- SSH Client must be enabled in the ESXi firewall (for the outbound connection)
- How to Open and Close Firewall Ports on vmWare ESXi Hosts
ESXi to ESXi
Source: How to SSH between ESXi 6.0U2 hosts without providing a password
The following 2 sections are basically lists of Copy-Pasta commands for each server.
ESXi0
- If it doesn't exist yet, create the Utilities folder:
mkdir /vmfs/volumes/Admin/Utilities
mkdir /vmfs/volumes/Admin/Utilities/ssl
mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1
mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
mkdir /.ssh
cd /.ssh
/usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096
- Just accept the defaults
cat id_rsa.pub | ssh root@ESXi1 'cat >> /etc/ssh/keys-root/authorized_keys'
cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
vi /etc/rc.local.d/local.sh
mkdir /.ssh cp /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys/* /.ssh
ESXi1
- If it doesn't exist yet, create the Utilities folder:
mkdir /vmfs/volumes/Admin/Utilities
mkdir /vmfs/volumes/Admin/Utilities/ssl
mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0
mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
mkdir /.ssh
cd /.ssh
/usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096
- Just accept the defaults
cat id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
vi /etc/rc.local.d/local.sh
mkdir /.ssh cp /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys/* /.ssh
On Both Servers
chmod +t /etc/ssh/keys-root/authorized_keys
vi /etc/ssh/sshd_config
- (Ensure the following items are in the file)
PermitRootLogin yes UsePAM yes # only use PAM challenge-response (keyboard-interactive) PasswordAuthentication no
/etc/init.d/SSH restart
/sbin/auto-backup.sh
At this point, you should be able to SSH from one to the other without needing to enter a password.
Troubleshooting SSH on ESXi
If you get "ssh: connect to host WHATEVER port 22: Connection timed out" when trying to SSH from an ESXi host, double check the configuration of SSH Client in the servers Firewall Rules.
ESXi to Linux
Assuming you've already created your keyes using ssh-keygen
in ESXi to ESXi
cat /.ssh/id_rsa.pub | ssh USER@LINUXBOX 'cat >> ~/.ssh/authorized_keys'
It is possible that ~/.ssh
does not yet exist on the target machine. If so, you'll need to create it:
ssh USER@LINUXBOX 'mkdir ~/.ssh'
Linux to ESXi
Assuming you've already created the directory structure in ESXi to ESXi
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
ssh root@esxi0 "/sbin/auto-backup.sh"
Bonus Thoughts...
I can't see any reason these instructions couldn't be used to provide passwordless SSH to a remote ESXi server with a weird port number for SSH... (HINT: Works just fine...)
& since SCP runs over SSH...
Could be used for automatically copying backups to/from an offsite server...
hhhmmm...