ssh: require passphrase from some servers but not others

We have a number of Linux clusters running Oracle. The clusters require that all member nodes have promptless/passwordless login through ssh (i.e. the keys were created with null passphrases). We also have a management server that is not a member of any cluster but routinely connects to nodes of all clusters to perform maintenance activities, deploy scripts, etc.

Currently, we have not added the management server's key to any of the authorized key files as unrestricted access to all cluster nodes is undesirable. Therefore, whenever the management node attempts to ssh into a cluster node, we are prompted for a password. Since some scripts make multiple secure calls to multiple nodes, we end up typing a lot of passwords...

I would like to enable some form of session-level passwordless login (through ssh-agent?), without removing promptless/passwordless login between nodes of a cluster and without granting unrestricted access to all nodes from the management server. Ideally, when executing a script that includes multiple secure calls to multiple nodes, we would only enter the password/passphrase once for each node.

Is this possible?

Do you mean ssh access sometimes w/key and sometimes wo/key from the same account and node?

No. You cannot decide to turn a passwordless key on/off for some jobs and not others for one single account. Access is on a per-user-account basis, not per job.

You should consider creating protected key-only account(s), and grant only certain users sudo to that account(s), which is akin to your idea of 'session-level'.

You could also create one or more remote ssh-only accounts, for example dummy, then give the keys to certain users and not others. Those with the key can go in with

ssh dummy@somenode

You can create different remote user accounts which are job specific, granting code access by chrooting each account and having links in /usr/bin (or wherever) that give access only to the code/scripts needed to run just that job.

Well, I mean ssh access sometimes w/key and sometimes wo/key TO the same account and node.

The username on all nodes is the same ("oracle"). What I want is passwordless login from other nodes within the cluster but password login from any other server outside the cluster.

e.g.:

oracle@clusternode1# ssh clusternode2
   <no password>
oracle@someotherserver# ssh clusternode2
   <prompt for password>

I want oracle@clusternode2 to allow all other oracle@clusternode accounts passwordless login. oracle users on all other servers must specify a password once per session.

Take a look at ssh-agent. It's part of openssh. Here's info:

Manual Pages: ssh-agent(1)

I've never used it but I've read up on it a couple times. I'm pretty sure it'll give you exactly what you're looking for.

MG
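The two requirements above (passphrase-less login only between cluster nodes, and a once-per-session unlock from the management server that ssh-agent is pointed at) are usually met with the options field of authorized_keys rather than with ssh-agent alone: ssh-agent caches the passphrase of a key that is already authorized, it does not remove a password prompt. The script below is an added example, not part of the thread, and the host names, key strings and file paths in it are constructed placeholders. It generates a `from=`-restricted authorized_keys line for the cluster key, audits an authorized_keys file for keys accepted from anywhere, and documents the per-session ssh-agent workflow for a separate, passphrase-protected management key.

```shell
#!/bin/sh
# Added example (not from the original thread). All host names, keys and
# paths are constructed placeholders.
#
# Design:
#   - The shared passphrase-less cluster key stays in authorized_keys on every
#     node, but is accepted only from="clusternode1,clusternode2,...", so the
#     same key presented from outside the cluster is rejected by sshd.
#   - The management server gets its own key, protected by a passphrase and
#     accepted only from the management host. The passphrase is entered once
#     per login session via ssh-agent; scripts that call ssh repeatedly then
#     run without prompts.

# Emit one authorized_keys line that accepts PUBKEY only from the given hosts.
# Usage: restricted_key_line "<pubkey line>" host1 host2 ...
# sshd matches from= patterns against the client's address and its reverse
# DNS name, so prefer IP patterns (e.g. 10.0.0.*) where DNS is not trusted.
restricted_key_line() {
    pubkey="$1"
    shift
    hosts=$(printf '%s,' "$@")
    hosts=${hosts%,}
    printf 'from="%s" %s\n' "$hosts" "$pubkey"
}

# Audit: print every key in an authorized_keys file that is NOT restricted
# with from=, i.e. a key that would be accepted from any source host.
# Usage: unrestricted_keys /path/to/authorized_keys
unrestricted_keys() {
    awk '
        /^[[:space:]]*(#|$)/      { next }          # comments and blank lines
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { print; next }   # no options field at all
        $1 !~ /from=/             { print }         # options present, no from=
    ' "$1"
}

# Per-session workflow on the management server (run by hand once per login;
# not executed when this file is merely sourced or tested).
mgmt_session_demo() {
    # One-time setup: a separate key for management access, WITH a passphrase.
    # ssh-keygen -t ed25519 -f "$HOME/.ssh/id_mgmt" -C "oracle@mgmt"
    # Its public key goes into authorized_keys on each node as
    #   restricted_key_line "$(cat ~/.ssh/id_mgmt.pub)" mgmt.example.internal

    # Once per session: start an agent and unlock the key a single time.
    eval "$(ssh-agent -s)"
    ssh-add "$HOME/.ssh/id_mgmt"          # prompts for the passphrase once

    # Every ssh call in the session now authenticates via the agent.
    for node in clusternode1 clusternode2; do
        ssh "oracle@$node" uptime
    done
    ssh-agent -k                          # kill the agent when done
}

if [ "${RUN_SSH_DEMO:-0}" = 1 ]; then
    mgmt_session_demo
fi
```

The audit function is the check worth keeping: run it over `~oracle/.ssh/authorized_keys` on each node and anything it prints is a key that grants access from any host. Note that `from=` restricts where a key is accepted from, not what the key can do once logged in; if the management key should be limited further, `command=`, `no-port-forwarding` and similar authorized_keys options can be added to the same options field.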