I am writing a batch script to transfer files from server AA to BB without prompting for password. Already, ssh keys have been generated in BB and public key of BB has been stored in AA as part of some other project requirement. So, I thought of reusing this. I can now transfer files from AA to BB using any of the below options.
sftp from BB to AA and then "mget" the files
run scp in BB to transfer files from AA to BB
However, in both these cases, I have to connect from BB to AA. But due to some internal requirements, my script has to run only in server AA and not BB. When I try to run sftp/scp in my script in server AA, it is prompting for password. I understand that I can create SSH keys in AA and then store the public key in BB. But is there a way to avoid this since an SSH connection already exists from BB to AA.
Saw many posts in unix.com and google too. Doesn't seem to narrow down on what I need. Please assist.
Also, why is it that I am able to connect only from BB to AA and not the other way around. I am guessing this is due to some restrictions setup while creating the keys. Please clarify. Details below.
OS of both the servers:
HP-UX 11.11
public key (id_dsa.pub) in server BB:
ssh-dss............................... userid@BB
In your setup, BB is the active part, the client, and AA is sort of server. If you want the roles reversed, you'll need to generate a key pair for AA on AA and store the public key on BB. There's no way around this.
You may want to consider "centralized" authentication like e.g. kerberos, but you'd need to implement it on every single server that you want to access.
Thanks, Rudi. I hoped there was a work-around. Problem is that I have to connect from multiple servers to server BB where all files are merged. So, now I have to create public key in each of these servers and place them all in BB
Generate an SSH key pair on each client that wants to connect to AA and store the public key for each in the ~/.ssh/authorized_keys files on server AA (one on each line)
Generate a single SSH key pair on server AA and copy the private key to each client
The second option makes things slightly easier, but much more difficult to dismantle later on, should the need arise. I would strongly recommend option 1.
It's probably not preferred as if you have a security breach on one server and need to change the key-pair, it affects all the servers. It is a little more work initially, but I would always go for option 1.
