Simple procedure for setting up private key authentication between two hosts (Linux or Unix). This is one of the necessary steps during the preparation of Oracle RAC nodes, the oracle account must be able to ssh between nodes without providing a password.
1. Generate the private and public key pair in your local machine, your desktop machine or server where you will be connecting to other hosts:
ssh-keygen -t rsa
pass-phrase: xxxxxx
# pass-phrase is optional, press enter for no pass-phrase
That generates two files in the directory ~/.ssh ( where ~ = user's home directory )
id_rsa <- Your private key, don't share
id_rsa.pub <- Your public key
Keep those two files in ~/.ssh
2. Copy your public key id_rsa.pub to the remote system, in the account's home directory you will be using to log into that system:
scp id_rsa.pub remote.host:tempkey
3. Log into the remote host and include your public key in the authorized_keys file:
If the hidden directory .ssh does not exist, create it and set the right permissions first:
ssh remote.host
mkdir .ssh
chmod 700 .ssh
If it was there already, just add the key and set permissions on the file:
cat tempkey >> .ssh/authorized_keys
chmod 700 .ssh/authorized_keys
rm tempkey
That will create the authorized_keys file if it does not exist already and add your key to the list of authorized keys for this account, there could be more than one listed in this file.
4. Exit back to the source server (where your private key is) and try logging into the remote server again, if everything is setup properly, and you did not provide a pass-phrase when creating the keys, you should get the prompt in the remote system without providing the remote account's password, usually there is message about successful private key authentication.
Notes
This functionality is enabled in most servers by default but can be disabled by the system admin in /etc/sshd.conf
These commands assume you are using the same account on both servers (same UID).
Important: Setting up this type of authentication without a pass-phrase is insecure and should only be done between trusted systems, not on systems accessible on the public network.
No comments:
Post a Comment