Setup multiple passwordless authentication

Lancel0t · January 13, 2010, 11:59am

I have experience in setting up passwordless authentication by sharing ssh public keys manually.Currently I am in the process to the write a script to perform the same functionality from one source(host) to multiple destinations.
I have one source host (Host A) whose public keys has to be shared across many servers(Host B/C/D etc) to enable passwordless authentication and the new destination hosts are added every week.

This willl help us in running another script from the Host A which connects to all the destination servers and downloads statistics of those machines.

is there any perl module or shell command which can help me in achieving the same.

I did search the internet/forum and found no/little help .

Thanks.

frans · January 13, 2010, 4:05pm

If i understand it right, something like :

KEY="~/.ssh/id_dsa.pub"
[ -f $KEY ] || ssh-keygen -t dsa
for SERVER in $LIST_OF_SERVERS
do
    ssh-copy-id -i $KEY $USERNAME@$SERVER
done

Lancel0t · January 14, 2010, 8:19am

Thanks frans.

What exactly does the ssh-copy-id command do ? I cannot find this command in my linux box which is the source machine.
How this copy-id command will work as there are no keys shared between the servers (source/destination) ?

frans · January 14, 2010, 8:56am

I can't explain it better than there : man ssh-copy-id - install your identity.pub in a remote machine's authorized_keys

Lancel0t · January 14, 2010, 10:48am

Thanks..I did google about the command .

I am not sure whether this would help me in setting up passwordless authentication between one source and multiple destination.

If I am not wrong, it would still require the passwords of the destination machines while running this script.

Correct me if Iam wrong.

Corona688 · January 14, 2010, 10:58am

ssh-copy-id does nothing other than what you've been doing already: add your keys to another login's .ssh/authorized_keys. Once that's accomplished, you will no longer need to use a password when logging into these logins using your key.

If you were hoping you could login through ssh without a password before this is actually set up, you're out of luck. Until the keys are actually set up it will of course require a password. And that's a good thing -- if you could add keys completely unauthorized, so could anyone else!

frans · January 14, 2010, 11:00am

Hopefully it would ! But the password is only required for the key copy, afterwards you won't need any password authentication for the server where you copied the key.
The only other way would be to transfer the key (and set appropriate permissions) from an USB key hard-plugged on the server

Lancel0t · January 14, 2010, 11:09am

I am aware that by adding the id_dsa.pub key to authorized_keys will enable passwordless authentication.
But my goal is to add this public key to the authorized_keys by using a script and without supplying any passwords.

Corona688 · January 14, 2010, 11:10am

If you could do that with no authorization whatsoever, so could anyone else in the universe with a net connection.

If it's the same password for every server, the 'expect' tool/language might help type it in for you over and over... scripting passwords like that is of course a bad habit but for a one time thing seems doable.

Lancel0t · January 14, 2010, 12:03pm

I was confident that my requirements cannot be met but still wanted to explore if there were any other options . Thanks for your replies & comments folks.