Old 01-30-2014, 04:51 AM   #1
deep27ak
password less ssh connection for more than 100 Linux servers


Hi everyone,

I have configured password less ssh connection for 2-3 linux servers using

Code:
#ssh-keygen -t rsa
But if I use that procedure every time I need to copy the public key to the remote server and append it inside authorized_keys file.

Is there any easier way to do it for multiple Linux servers for example 100 servers?
 
Old 01-30-2014, 05:01 AM   #2
pan64
You should generate keygen only once and use that for all the servers.
In my case it is stored in /home/username/.ssh and it is mounted on all the servers therefore available everywhere.
 
Old 01-30-2014, 05:31 AM   #3
deep27ak
I couldn't understand you completely.

Q1. Will I have to generate keys for each of the Linux servers?

Q2. I didn't understand "stored inside .ssh and mounted on all servers"?
Firstly, it should be in authorized_keys inside .ssh, and secondly I couldn't get the word "mounting"; I mean, how would you mount it on all the servers for password less ssh?

Q3. Don't I need to copy the pub key to my remote servers?

Can you please explain in a bit detail if possible with an example?
 
Old 01-30-2014, 07:02 AM   #4
Sayajin
Well probs the easiest way that I know of would be to run the following command for each remote host

ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host

that will put the key in to authorized_keys file for you so all you will need to do is type the ssh password once for each server.
 
Old 01-30-2014, 08:32 AM   #5
deep27ak
Quote:
Originally Posted by Sayajin View Post
Well probs the easiest way that I know of would be to run the following command for each remote host

ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host

that will put the key in to authorized_keys file for you so all you will need to do is type the ssh password once for each server.
Well, that is something which can be done for a few servers, but doing that for 100s of servers does not look appropriate. There should be some other easier way for the same.
 
Old 01-30-2014, 10:07 AM   #6
TB0ne
Quote:
Originally Posted by deep27ak View Post
Well, that is something which can be done for a few servers, but doing that for 100s of servers does not look appropriate. There should be some other easier way for the same.
There isn't. Either you put your key on the servers, or it won't be there to use...this is just like asking "I want to log in to 100 servers, but don't want to add my user ID on each one". No ID = no login. No SSH keyswap = no passwordless-login. Simple.

You don't say what you're trying to accomplish, but if you do have hundreds of servers, do you not have tools to help you administer that many systems already???
 
1 members found this post helpful.
Old 01-30-2014, 11:32 AM   #7
yooden
I always consider key pairs to be bound to a person, not to a system or account. If regarded that way, the solution seems to be:
- Create a key pair (done)
- Append your public key to the target accounts' authorized_keys.

The second step, as TB0ne said, is unavoidable. If you are starting fresh it could be easier to copy your public key to authorized_keys, but you would still have to do that individually for each target account.
 
Old 01-30-2014, 04:05 PM   #8
Sayajin
The only other "automatic" way I can think of for adding the keys to each server is if they have the same username & password, then you can use the expect command with a for loop.
 
Old 01-30-2014, 09:05 PM   #9
anomie
Quote:
Originally Posted by deep27ak
Is there any easier way to do it for multiple Linux servers for example 100 servers?
What is the reason for doing this? The question implies a larger problem you're trying to solve, and I suspect there are better solutions than this.

For configuration management, use a tool that handles it gracefully, e.g. CFEngine, Puppet, Chef.

For executing a command on a large number of servers, use a tool that handles it gracefully, e.g. Salt.
 
Old 01-31-2014, 01:18 AM   #10
Sayajin
Here is a script I wrote for you which if included with a for loop will do what you want

Code:
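#!/bin/bash

# Placeholder values. A real password stored here is readable by anyone who
# can read this script.
username="root";
password="passw0rd\!";
host="nix.server.com";

# The here-document is unquoted, so the shell substitutes the three variables
# above before expect reads the script.
/usr/bin/expect <<EOF
spawn ssh-copy-id -i id_rsa.pub $username@$host;
expect {
    "assword: " {
        # Matches both the Password: and password: prompts.
        send "$password\n"
        expect {
            "again."     { exit 1 }
            "expecting." { }
            timeout      { exit 1 }
        }
    }
    "(yes/no)? " {
        # Host key prompt on a first connection. It is answered with yes
        # without the fingerprint being checked.
        send "yes\n"
        expect {
            "assword: " {
                send "$password\n"
                expect {
                    "again."     { exit 1 }
                    "expecting." { }
                    timeout      { exit 1 }
                }
            }
        }
    }
}
# Wait for ssh-copy-id to finish (the expect keyword is lowercase eof).
expect eof;
EOF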
 
1 members found this post helpful.
Old 01-31-2014, 04:21 AM   #11
deep27ak
Quote:
Originally Posted by TB0ne View Post
There isn't. Either you put your key on the servers, or it won't be there to use...this is just like asking "I want to log in to 100 servers, but don't want to add my user ID on each one". No ID = no login. No SSH keyswap = no passwordless-login. Simple.

You don't say what you're trying to accomplish, but if you do have hundreds of servers, do you not have tools to help you administer that many systems already???
Firstly, sir, with all due respect, I know that we will have to copy the pub keys to remote servers for password less ssh connection, but instead of copying one by one to each one of them, is there a better way to do it was my question (of which I think you have given the answer).

I was expecting some answer with possible guidance for any script which can be used to make it simpler

Secondly, as per the question you ask, what I am trying to accomplish... In case I have 100 servers added to my AD, reflecting all the users of my AD in all the servers. I don't want the users under my admin group to use their password every time they try to log in to any of the servers, and also for copying files, or it could be anything. Now this is just an assumed scenario; the main focus was as I told above.

Thanks
 
Old 01-31-2014, 04:24 AM   #12
pan64
Does this mean all the users can log in to any of those hosts? How are their home directories set (configured)? Is there a common home (shared dir) for all the hosts?
 
Old 01-31-2014, 04:27 AM   #13
deep27ak
Thanks @Sayajin

I am not so good with scripts, so it will take a bit of time for me to understand its working completely.

Even I am trying to create a script to at least make it easier and reduce the complexity of copying multiple pub keys to different servers.

But thanks for helping
 
Old 01-31-2014, 04:30 AM   #14
deep27ak
Quote:
Originally Posted by pan64 View Post
Does this mean all the users can log in to any of those hosts? How are their home directories set (configured)? Is there a common home (shared dir) for all the hosts?
Yes, all the hosts under the same AD have the same membership of groups and users as allotted to them. The users' home directory is given on AD, which is the same for everyone (depends on which group they belong to, e.g. admin, dba, developer, etc.).

Now, "same for everyone" above does not mean it is shared. As soon as a user logs into a host, his home directory is created in the default location as mentioned on AD.
The same way as it works in Windows client.

Last edited by deep27ak; 01-31-2014 at 04:34 AM.
 
Old 01-31-2014, 04:34 AM   #15
pan64
So in this case all the users will have a .ssh dir in their homes. They should put that file (authorized_keys) into that dir and therefore it will be automatically available on all hosts.
So they should run ssh-keygen and modify that authorized_keys as it was described for themselves. (or you can do it for them one by one, or in a loop with a script).
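
The step that posts #7 and #15 describe (append a public key to each target account's authorized_keys, possibly in a loop) is shown here as an added shell example that is not from any poster in the thread. The function names install_pubkey and install_for_homes are hypothetical; the code adds the key only once, rejects a file that is not a public key, and sets the permissions sshd expects.

```shell
#!/bin/sh
# Added example, not from the thread. install_pubkey and install_for_homes
# are hypothetical names.

# install_pubkey PUBKEY_FILE HOME_DIR
# Returns 0 = key added, 1 = already present, 2 = bad input or I/O error.
install_pubkey() {
    pubfile=$1; home=$2
    [ -r "$pubfile" ] && [ -d "$home" ] || return 2

    # First non-empty line of the file; split into key type and base64 blob.
    line=$(awk 'NF {print; exit}' "$pubfile")
    ktype=$(printf '%s\n' "$line" | awk '{print $1}')
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;   # common types, not exhaustive
        *) return 2 ;;   # a private key ("-----BEGIN ...") is rejected here
    esac
    [ -n "$blob" ] || return 2

    # With StrictModes (the sshd default) loose permissions disable the file.
    auth=$home/.ssh/authorized_keys
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 2
    touch "$auth" && chmod 600 "$auth" || return 2

    # Match on type+blob anywhere in a line, so entries with options or a
    # different comment still count as the same key.
    if awk -v t="$ktype" -v b="$blob" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) found = 1 }
         END { exit !found }' "$auth"; then
        return 1
    fi
    printf '%s\n' "$line" >>"$auth" || return 2
}

# install_for_homes PUBKEY_FILE HOME_DIR...
# Applies install_pubkey to each home; returns the number of failures.
install_for_homes() {
    key=$1; shift; failures=0
    for h in "$@"; do
        st=0; install_pubkey "$key" "$h" || st=$?
        case $st in
            0) echo "added:   $h" ;;
            1) echo "present: $h" ;;
            *) echo "FAILED:  $h" >&2; failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}
```

Run it as the account owner; if root runs it on behalf of other users, the newly created .ssh directory and authorized_keys file also need a chown to that user.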
 
  

