Blog

Saturday, July 27, 2013

Passwordless root SSH Public Key Authentication on CentOS 6

It's often useful to be able to SSH to other machines without being prompted for a password. Additionally, if you using tools such as Parallel SSH you will need to setup Public Key SSH Authentication. To set it up is relatively straight forward:

On the client machine (ie. the one you are SSH'ing from) you will need to create an SSH RSA key. So run the following command - ensure you don't supply a password:

[root@node01 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c6:66:93:16:73:0b:bf:46:46:28:7d:a5:38:a3:4d:6d root@node01
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|       . + o     |
|      . @ E      |
|       * & .     |
|      . S =      |
|       = + .     |
|          o      |
|         .       |
|                 |
+-----------------+

This will generate the following files:

[root@node01 ~]# cd ~/.ssh
[root@node02 .ssh]# ls -l
total 8
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-r--r--. 1 root root  406 Jul 27 15:01 id_rsa.pub

On the client machine tighten up file system permissions thus:

[root@node01 ~]# chmod 700 ~/.ssh
[root@node01 ~]# chmod 600 ~/.ssh/*
[root@node01 ~]# ls -ld ~/.ssh & ls -l ~/.ssh
drwx------. 2 root root 4096 Jul 27 15:01 /root/.ssh
-rw-------. 1 root root 1675 Jul 27 15:01 id_rsa
-rw-------. 1 root root  406 Jul 27 15:01 id_rsa.pub

Now copy the public key to the machine you want to SSH and fix permissions (you will be prompted for the root password):

[root@node01 ~]# ssh root@node02 'mkdir -p /root/.ssh'
[root@node01 ~]# scp /root/.ssh/id_rsa.pub root@node02:/root/.ssh/authorized_keys
[root@node01 ~]# ssh root@node02 'chmod  700 /root/.ssh'
[root@node01 ~]# ssh root@node02 'chmod  600 /root/.ssh/*'

You can also use the utility ssh-copy-id to do the above steps. If you don't have scp on the remote machine you will need to install it:

[root@node01 ~]# ssh root@node02 'yum install openssh-clients'

You should now be able to ssh directory from node01 to node02 without providing a password:

[root@node01 ~]# ssh node02
Last login: Wed Jul 27 15:41:56 2011 from 10.255.5.57
[root@node ~]#

IMPORTANT There is a bug in CentOS 6 / SELinux that results in all client presented certificates to be ignored when SELinux is set to Enforcing. To fix this simply:

[root@node01 ~]# ssh root@node02 'restorecon -R -v /root/.ssh'
restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
Comments
15-Jul-2014 10:28 AM - Anonymous
the only guide that actually worked! i think i was effected by that bug! thanks a whole bunch




Captcha Image

Recent Posts


Tags


Archive

Sign up for Product Updates and Discounts
Captcha Image
×