LinuxQuestions.org
02-03-2010, 10:47 AM   #1
TronCarter
Member
 
Registered: Oct 2009
Posts: 36

Rep: Reputation: 0
Password-less SSH problem


I am attempting to set up password-less ssh for a Solaris 10 cluster and am almost successful, but there is one node that is being a stinker (node1). What I did was:

Code:
ssh-keygen -t rsa
on each node and then copied all of the .pub files to a directory on node1, including the .pub file from node1. I then did:

Code:
cat *.pub >> authorized_keys
and copied that file to each of the nodes. I can go from node1 to node2, or node1 to node3, etc just fine without a password, and from all the other nodes to and fro without a problem, but if I try to go from any node to node1, I am still prompted for a password. I have deleted all pubs and regenerated the keys several times in attempts to start over from scratch and still the same problem exists.

Anyone have any ideas?

Tron
 
02-03-2010, 11:41 AM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
When you generated the keys on node1, you simply hit the carriage return to the passphrase question and wound up with two key files, id_rsa and id_rsa.pub in the ~/.ssh directory, that about right? Then you generated individual keys on every other server and you copied the node1 id_rsa.pub file to ~/.ssh/authorized_keys on nodes[2-x]; that allowed node1 to get to those machines without a password. Then you appended the individual id_rsa.pub files from nodes[2-x] to the ~/.ssh/authorized_keys file on node1. That would allow nodes[2-x] to connect to node1 without a password. And you stopped and restarted SSH on node1 after doing all this?

That ought to work fine (one thing I do, on individual servers, is copy the id_rsa.pub file to the name of the server which makes it a little easier to copy those key files all over the place, but whatever works, works).

You can also add a ~/.ssh/config file (to all nodes that need access to one another).
Code:
Host node2
#ForwardAgent yes
ForwardX11 yes
Compression yes
Protocol 2,1
User sniklefritz

Host node3
ForwardX11 yes
Compression yes
Protocol 2,1
User mickey

Host node4
#ForwardAgent yes
ForwardX11 yes
Compression yes
Protocol 2,1
User mouse
Hope this helps some.
 
02-03-2010, 12:19 PM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Do you know that the problem has to do with the key?
One thing to check is the permissions of the files in .ssh and the .ssh directory and home directory.

I always add "AllowUsers" to sshd_config. I had a problem one time because the host part had "hostname" while /etc/hosts had "hostname.domainname". Adding the domain name part to the AllowUsers entry fixed the problem.

Try to connect with the "-vv" option. That will provide more debugging messages on the client.
Check for any kernel messages on both sides.
 
02-03-2010, 01:10 PM   #4
TronCarter
Member
 
Registered: Oct 2009
Posts: 36

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal
Do you know that the problem has to do with the key?
One thing to check is the permissions of the files in .ssh and the .ssh directory and home directory.
Wow, that was it. node1 had write permissions for owner and group and the other nodes did not. I chmod'ed it on node1 and all is well. I'm pretty sure I looked at that before, but thought to myself "Why would additional permissions be a problem?"

Thanks for your help.
 
02-03-2010, 02:36 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by TronCarter
I'm pretty sure I looked at that before, but thought to myself "Why would additional permissions be a problem?"
That is precisely the purpose of StrictModes (in sshd_config). It makes sure you haven't enabled overly liberal permissions.
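
The check discussed in posts #3 to #5, as an added example that is not part of the original thread: a POSIX shell function that reports which of the three paths would trip a StrictModes-style test. It assumes the OpenSSH rule (home directory, ~/.ssh and authorized_keys must be owned by the user or root and carry no group or other write bit); the function name `strictmodes_check` and its output format are made up for this example.

```shell
#!/bin/sh
# Added example: audit the paths a StrictModes-style check looks at.
# Assumption: the OpenSSH rule -- a path fails if it is writable by group
# or other, or if it is owned by someone other than the user or root.
#
# strictmodes_check HOME_DIR USER_OR_UID
#   prints one line per problem; returns 0 if clean, 1 otherwise.
strictmodes_check() {
    home=$1
    user=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            rc=1
            continue
        fi
        # -prune keeps find from descending, so only $p itself is tested.
        # This avoids stat(1), which Solaris 10 does not ship.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "FAIL writable-by-group-or-other $p"
            rc=1
        fi
        if [ -n "$(find "$p" -prune ! -user "$user" ! -user root -print)" ]; then
            echo "FAIL wrong-owner $p"
            rc=1
        fi
    done
    return $rc
}

# Typical use on the node that still prompts for a password:
#   strictmodes_check "$HOME" "$(id -u)"
```

Run it on the server side (the node being logged in to), since that is where sshd evaluates the permissions.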
 
02-04-2010, 09:53 AM   #6
TronCarter
Member
 
Registered: Oct 2009
Posts: 36

Original Poster
Rep: Reputation: 0
Thank you everyone for the help. I have several users of this cluster and am thinking that it will be quite a labor intensive process to do all of these steps for each user. I am wondering if any of the things that I have set up for my username can be just copied into the other users' .ssh directories and have it work for password-less ssh. It seems that the authorized_keys all have my username in them, so I'm guessing that there might be some difficulty. Can the known_hosts file at least be copied?

Is a script the best way to do this? (generating the ssh key, copying to one location, creating authorized_keys, copying back to the nodes).

I do not share home directories across the cluster (at this point). Would that make anything easier? not matter?

Tron
 
02-04-2010, 03:31 PM   #7
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
When you generate the keys, they're for a particular user on a particular box (if you look at one of the public key files, it's in the form of user@server). And, yeah, it's kind of a pain to get all that set up (but it's a one-time thing until you have to regenerate the system keys with a new or possibly updated installation). Your node[2-x] users can copy the public key from node1 (if they're all logging in on node1 as the same user, that is -- otherwise it's one-by-one). The individual user's ~/.ssh directory should be mode 0600, owned by the user, group the default group for that user (something like users in many cases); that's what it's supposed to be and YMMV as in all things. The individual files in that directory are mode 0644 except the id_rsa file which is mode 600; the user owns the files, the group is the default user group.

The thing you have to do is get all the users' public key files into the authorized_keys file on every server they need access to (so that goes both ways server-to-server) to accomplish the no-password goal. It seems to me that you can copy all the public key files into one kind-of "master" authorized_keys and copy that to all users' authorized_keys; I'm not sure that it matters if a particular server is authorized to connect to itself (never tried it, don't know).

Anyway, give it a shot and see what happens -- worst case, you'd have to have folks delete some lines from the authorized_keys file, eh?

Hope this helps some.

[EDIT]
Your /etc/hosts file contains entries of this form to make your life a little easier
Code:
192.168.1.1     server.domain server
That way, you only need to refer to the server name without the domain name.

Last edited by tronayne; 02-04-2010 at 03:33 PM.
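
The "master" authorized_keys step asked about in post #6 and described in post #7, as an added example that is not part of the original thread: a shell function that merges collected .pub files into one authorized_keys file, skips malformed lines, drops duplicate keys, and writes the result with mode 600 so it is never group- or world-writable. The function name `merge_pubkeys`, the accepted key-type list and the directory layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build one authorized_keys file from collected *.pub files.
#
# merge_pubkeys SRC_DIR OUT_FILE
#   - keeps only lines shaped like "key-type base64-blob [comment]"
#   - drops a key whose blob was already seen, even if the comment differs
#   - writes to a temp file first, then renames, so OUT_FILE is never
#     left half-written or with loose permissions
merge_pubkeys() {
    src=$1
    out=$2
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    awk '
        $1 ~ "^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$" &&
        $2 ~ "^[A-Za-z0-9+/]+=*$" {
            if (!seen[$2]++) print      # first occurrence of this key only
            next
        }
        NF { print "skipped malformed line in " FILENAME > "/dev/stderr" }
    ' "$src"/*.pub > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv "$tmp" "$out"
}

# Typical use, with the per-node .pub files gathered in ./pubkeys:
#   merge_pubkeys ./pubkeys ./authorized_keys
```

Unlike `cat *.pub >> authorized_keys`, rerunning this does not append the same keys a second time.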
 