When you generate the keys, they're for a particular user on a particular box (if you look at one of the public key files, it's in the form of user@server). And, yeah, it's kind of a pain to get all that set up (but it's a one-time thing until you have to regenerate the system keys with a new or possibly updated installation). Your node[2-x] users can copy the public key from node1 (if they're all logging in on node1 as the same user, that is -- otherwise it's one-by-one). The individual user's ~/.ssh directory should be mode 0600, owned by the user, group the default group for that user (something like users in many cases); that's what it's supposed to be and YMMV as in all things. The individual files in that directory are mode 0644 except the id_rsa file which is mode 600; the user owns the files, the group is the default user group.
The thing you have to do is get all the users' public key files into the authorized_keys file on every server they need access to (so that goes both ways server-to-server) to accomplish the no-password goal. It seems to me that you can copy all the public key files into one kind-of "master" authorized_keys and copy that to all users' authorized_keys; I'm not sure that it matters if a particular server is authorized to connect to itself (never tried it, don't know).
Anyway, give it a shot and see what happens -- worst case, you'd have to have folks delete some lines from the authorized_keys file, eh?
Hope this helps some.
[EDIT]
Your /etc/hosts file contains entries of this form to make your life a little easier
Code:
192.168.1.1 server.domain server
That way, you only need to refer to the server name without the domain name.
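The "master" authorized_keys merge described in the post, as an added example that is not part of the original post: it appends public key files to an authorized_keys file, skips anything that is not a public key line (such as a private key copied by mistake), and drops duplicates of the same key even when the user@server comment differs. The function name merge_pubkeys and all file names are assumptions.

```sh
#!/bin/sh
# merge_pubkeys OUT PUB...   (hypothetical helper, added for illustration)
# Lines already in OUT are kept untouched, including option prefixes such as
# from="...". A line from a PUB file is appended only if it starts with a
# known key type followed by a base64 blob and that type+blob pair is new.
merge_pubkeys() {
    out=$1; shift
    ( umask 077; touch "$out" ) || return 1    # a new file is never group/world readable
    tmp=$(mktemp) || return 1
    awk -v out="$out" '
        # find "type blob" anywhere on the line (existing lines may carry options)
        function keyof(   i) {
            for (i = 1; i < NF; i++)
                if ($i ~ type && $(i + 1) ~ blob) return $i " " $(i + 1)
            return ""
        }
        BEGIN {
            type = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$"
            blob = "^[A-Za-z0-9+/]+=*$"
        }
        /^[ \t]*(#|$)/  { if (FILENAME == out) print; next }   # comments, blank lines
        FILENAME == out { k = keyof(); if (k != "") seen[k] = 1; print; next }
        $1 ~ type && $2 ~ blob {
            k = $1 " " $2
            if (!(k in seen)) { seen[k] = 1; print }           # same key, other comment: skip
            next
        }
        { printf "skipped %s line %d: not a public key\n", FILENAME, FNR > "/dev/stderr" }
    ' "$out" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$out" && rm -f "$tmp" && chmod 600 "$out"
}

# Example call (paths are assumptions):
#   merge_pubkeys ~/.ssh/authorized_keys /tmp/keys/*.pub
```

Running it a second time with the same inputs leaves the file unchanged, so the merged file can be rebuilt and redistributed without accumulating duplicate lines.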