Password-less SSH for Users
From Debian Clusters
Background
Any application run with MPICH: Parallel Programming over multiple machines has to start and talk to processes on the other machines on behalf of the user, and the MPICH launcher does that over SSH. This means that users need to be able to SSH into and amongst the worker nodes without being prompted for a password (or for anything else). This can be set up after the nodes are imaged, but it's much easier to do it ahead of time.
Setting up Password-less SSH for Current Users
This is easy to do when home directories are on an NFS-mounted file system: the key pair and the authorized_keys file are written once in the user's home directory and are then seen identically by every node. Become the user and run
ssh-keygen -t rsa
When prompted for a location, keep the default. Hit Enter twice when asked for a passphrase to leave it empty; a passphrase would bring back a prompt, so the key's only protection is the home directory's permissions, and the private key must not be readable by anyone else. This creates two new files in the .ssh directory in that user's home directory: their private key (id_rsa) and their public key (id_rsa.pub). The -t rsa keeps those file names, which the scripts below rely on; recent ssh-keygen releases otherwise default to an Ed25519 key named id_ed25519. cd into the new .ssh directory.
Next, a file named authorized_keys needs to be created in .ssh. (Older guides call it authorized_keys2; sshd still reads that name by default, but it is deprecated, and everything below uses authorized_keys.) This file controls who can SSH into this machine as this user without a password: anyone holding a private key whose public half is listed in it. Add the user's own public key to it with
cat id_rsa.pub >> authorized_keys
Finally, the permissions on authorized_keys need to be tightened so that only the user can read and write it; sshd refuses to use the file if other users could write to it. This is done with
chmod 600 authorized_keys
At this point, as the user, you should be able to
ssh localhost
and not be prompted for a password. If you are prompted anyway, check that id_rsa.pub (and not some other key) was copied into authorized_keys, that authorized_keys is mode 600 and .ssh is mode 700, and that the home directory itself is not group- or world-writable: sshd's default StrictModes setting silently ignores the key file if any of those are too permissive. Running ssh -v localhost shows which key was offered and whether the server accepted it.
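The checks just listed can be scripted. The following is an added example, not code from the original page: a small checker that inspects a home directory the way sshd and the ssh client do (GNU stat on Linux and the RSA key file names are assumed), plus a constructed fixture so it can be tried without a real key pair.

```sh
#!/bin/sh
# Added example, not from the original page: check that a user's home is laid
# out the way the steps above leave it, so sshd accepts the key instead of
# falling back to a password prompt. Assumes Linux (GNU stat) and the RSA key
# file names id_rsa / id_rsa.pub.
#
# What sshd and ssh actually require: with StrictModes (the default) sshd
# ignores ~/.ssh/authorized_keys if it, ~/.ssh or the home directory is
# group- or world-writable, and the ssh client refuses to use a private key
# that anyone but its owner can read.

# perm_ok PATH PATTERN: compare the last three octal digits of PATH's mode
# against a case pattern, e.g. '?[0145][0145]' (group/other not writable).
perm_ok() {
    mode=$(stat -c %a "$1") || return 1
    mode=${mode#"${mode%???}"}
    case $mode in
        $2) return 0 ;;
        *)  return 1 ;;
    esac
}

# check_sshdir HOME: print the first problem found and return 1,
# or print "HOME: ok" and return 0.
check_sshdir() {
    home="$1"
    dir="$home/.ssh"
    key="$dir/id_rsa"
    pub="$dir/id_rsa.pub"
    auth="$dir/authorized_keys"
    for d in "$home" "$dir"; do
        [ -d "$d" ] || { echo "$d: missing"; return 1; }
        perm_ok "$d" '?[0145][0145]' || { echo "$d: group/world writable"; return 1; }
    done
    [ -f "$key" ] || { echo "$key: missing"; return 1; }
    perm_ok "$key" '?00' || { echo "$key: readable by others, ssh will ignore it"; return 1; }
    [ -f "$pub" ] || { echo "$pub: missing"; return 1; }
    [ -f "$auth" ] || { echo "$auth: missing"; return 1; }
    perm_ok "$auth" '?[0145][0145]' || { echo "$auth: group/world writable"; return 1; }
    # every line of the public key file must appear verbatim in authorized_keys
    grep -qxF -f "$pub" "$auth" || { echo "$auth: does not contain $pub"; return 1; }
    echo "$home: ok"
}

# make_demo_home DIR: constructed fixture with placeholder key material (not a
# real key pair) so the checker can be tried offline.
make_demo_home() {
    mkdir -p "$1/.ssh"
    chmod 755 "$1"
    chmod 700 "$1/.ssh"
    printf 'placeholder private key\n' > "$1/.ssh/id_rsa"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB demo@head\n' > "$1/.ssh/id_rsa.pub"
    cp "$1/.ssh/id_rsa.pub" "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/id_rsa" "$1/.ssh/authorized_keys"
}

# Usage: sh check_sshdir.sh /shared/home/alice /shared/home/bob ...
for h in "$@"; do
    check_sshdir "$h"
done
```

Because home directories are shared over NFS, running the checker once on the head node covers every worker node; the only per-node difference that can still cause a prompt is an unknown host key, which this checker does not cover.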
Script for all Current Users
Rather than becoming each user one at a time and doing this by hand, the process can be scripted. As root, copy the below into a text file, and change the value of homeDirs to be correct for your setup. (homeDirs is the directory on your mounted file system where the user directories are stored.)
#!/bin/bash
# This script will create an SSH key for each existing user and create
# an authorized_keys file with their public key. It can be re-run safely:
# existing keys are kept and a public key is only appended once.
# Directory containing user home directories
homeDirs=/shared/home
for dir in "$homeDirs"/*; do
    x=$(basename "$dir")
    # skip entries that are not directories belonging to a real account
    [[ -d $dir ]] && id "$x" > /dev/null 2>&1 || { echo "Skipping $x"; continue; }
    echo "Creating SSH key for $x..."
    if [[ -e $dir/.ssh/id_rsa.pub ]]; then
        echo "$x already has a public key"
    else
        # -f names the key file so ssh-keygen does not prompt for a location,
        # -N '' gives an empty passphrase, -t rsa keeps the id_rsa file names
        su "$x" -c "mkdir -p -m 700 '$dir/.ssh' && ssh-keygen -q -t rsa -N '' -f '$dir/.ssh/id_rsa'"
    fi
    touch "$dir/.ssh/authorized_keys"
    # append the public key only if that exact line is not already there
    grep -qxF -f "$dir/.ssh/id_rsa.pub" "$dir/.ssh/authorized_keys" \
        || cat "$dir/.ssh/id_rsa.pub" >> "$dir/.ssh/authorized_keys"
    chown "$x:" "$dir/.ssh/authorized_keys"   # owner $x, group = $x's login group
    chmod 600 "$dir/.ssh/authorized_keys"
done
Make the script executable with
chmod u+x <whatever you named it>
Then, run it as root with
./<whatever you named it>
Nothing prompts during the run: ssh-keygen is given the key location with -f and the empty passphrase with -N, so it completes unattended for every user, and a user who already has a key is left alone.
Password-Less SSH for Future Users
Ideally, this script could be set to run every time a new user account is created. I haven't yet figured out how to do that (if you have an idea, please e-mail me at kwanous <at> debianclusters <dot> org). Still, the above can be changed into a script that takes a username as its argument, which you can run whenever you create a new user.
Again, you'll need to make it executable and correct the value of homeDirs.
#!/bin/bash
# Creates an SSH key and an authorized_keys file for
# a username given as an argument.
# Directory containing user home directories
homeDirs=/shared/home
if [[ -z "$1" ]]; then
    echo "Usage: ./sshauthhostkeygen username"
    exit 1
fi
x=$1
home=$homeDirs/$x
echo "Creating SSH key for $x..."
if ! id "$x" > /dev/null 2>&1; then
    echo "$x is not a valid user."
    exit 1
fi
if [[ ! -d $home ]]; then
    echo "$x does not have a home directory."
    exit 1
fi
if [[ -e $home/.ssh/id_rsa.pub ]]; then
    echo "$x already has a public key"
else
    # -f and -N '' keep ssh-keygen from prompting; -t rsa keeps the id_rsa names
    su "$x" -c "mkdir -p -m 700 '$home/.ssh' && ssh-keygen -q -t rsa -N '' -f '$home/.ssh/id_rsa'"
fi
touch "$home/.ssh/authorized_keys"
# append the public key only if that exact line is not already there
grep -qxF -f "$home/.ssh/id_rsa.pub" "$home/.ssh/authorized_keys" \
    || cat "$home/.ssh/id_rsa.pub" >> "$home/.ssh/authorized_keys"
chown "$x:" "$home/.ssh/authorized_keys"   # owner $x, group = $x's login group
chmod 600 "$home/.ssh/authorized_keys"
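Debian does provide a hook for running something whenever adduser creates an account: adduser(8) executes /usr/local/sbin/adduser.local, if it exists and is executable, after each new user is set up, passing it the username, uid, gid and home directory. The following is an added example, not code from the original page, of such a hook; it carries its own copy of the key setup so that it stands alone (RSA key file names, Linux and a shared home file system are assumed), and it is idempotent, so running it again for an existing user changes nothing.

```sh
#!/bin/sh
# Added example, not from the original page. Debian's adduser(8) runs
# /usr/local/sbin/adduser.local, if that file exists and is executable, after
# each account it creates, passing it: username uid gid home_directory.
# Installing this script under that name (owned by root, mode 755) sets up
# password-less SSH for every new user without anyone remembering to run
# a script. Assumptions: RSA key file names, Linux, and that home directories
# are on the shared file system so one authorized_keys serves all nodes.

# ensure_authorized_key USER HOME: create USER's key pair under HOME/.ssh if
# missing and list its public half in authorized_keys. Idempotent: a second
# run changes nothing. Key generation and ownership changes need root, which
# adduser.local has; a non-root dry run with an existing id_rsa.pub skips them.
ensure_authorized_key() {
    user="$1"
    sshdir="$2/.ssh"
    pub="$sshdir/id_rsa.pub"
    auth="$sshdir/authorized_keys"
    root=0
    [ "$(id -u)" -eq 0 ] && root=1
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir"
    if [ "$root" -eq 1 ]; then
        chown "$user:" "$sshdir" || return 1
    fi
    if [ ! -f "$pub" ]; then
        if [ "$root" -ne 1 ]; then
            echo "ensure_authorized_key: need root to generate a key for $user" >&2
            return 1
        fi
        # generate as the user so the private key belongs to them; -f and -N
        # keep ssh-keygen from prompting
        su "$user" -c "ssh-keygen -q -t rsa -N '' -f '$sshdir/id_rsa'" || return 1
    fi
    [ -f "$auth" ] || : > "$auth"
    # append only if this exact key line is not already present
    grep -qxF -f "$pub" "$auth" || cat "$pub" >> "$auth"
    chmod 600 "$auth"
    if [ "$root" -eq 1 ]; then
        chown "$user:" "$auth" || return 1
    fi
    return 0
}

# key_count FILE: number of key lines in an authorized_keys file; used to show
# that repeated runs do not duplicate entries.
key_count() {
    grep -c . "$1"
}

# adduser(8) entry point: act only when called with its four arguments
if [ $# -eq 4 ]; then
    ensure_authorized_key "$1" "$4"
fi
```

adduser passes the home directory it actually created as the fourth argument, so the hook does not need its own homeDirs setting. useradd(8) has no equivalent hook, so accounts created with it still need the per-user script run by hand.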
Preventing Logins
While password-less SSH is necessary for processes running on behalf of the user, users probably shouldn't be doing code development and other interactive work on the worker nodes themselves. The usual quick way to shut out logins is
touch /etc/nologin
but understand what that does before using it here. While /etc/nologin exists, sshd (on Debian through pam_nologin in /etc/pam.d/sshd) refuses every login by a user other than root, interactive or not. That includes the non-interactive "ssh node command" that the MPICH launcher uses to start a user's processes, so with the file in place the jobs this page set up will fail to start. /etc/nologin is therefore only useful for temporarily taking a node out of service, for example during maintenance; remove it again before jobs are expected to run. You'll still be able to SSH in as root while the file exists and then su to a user. Letting jobs start while keeping users from working interactively on the nodes needs access control tied to the job scheduler, which is outside the scope of this page.
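Whatever you change on the nodes, the thing to verify afterwards is that a plain user can still run a command on every worker without any prompt, because that is exactly what the MPICH launcher does. The following is an added example, not code from the original page: a probe to run as the user from the head node (node names are assumptions; SSH can be overridden so the reporting logic can be exercised without real hosts).

```sh
#!/bin/sh
# Added example, not from the original page: from the head node, confirm that
# each worker still runs a command for a user without any prompt, which is the
# path the MPICH launcher takes. Run it as that user after any sshd change,
# before and after touching /etc/nologin, or when a job hangs at start-up.
# Node names are assumptions; SSH can be overridden so the logic can be
# exercised without real hosts.

SSH=${SSH:-ssh}

# probe_node HOST: 0 if HOST executes 'true' for us with no interaction.
# BatchMode=yes turns every prompt (password, passphrase, unknown host key)
# into a failure, and /etc/nologin on HOST also shows up as a failure.
probe_node() {
    $SSH -o BatchMode=yes -o ConnectTimeout=5 "$1" true > /dev/null 2>&1
}

# probe_nodes HOST...: report each host, leave the failure count in
# probe_failed, and return 0 only if every host passed.
probe_nodes() {
    probe_failed=0
    for host in "$@"; do
        if probe_node "$host"; then
            echo "$host: ok"
        else
            echo "$host: FAILED (password, passphrase or host-key prompt, nologin, or unreachable)"
            probe_failed=$((probe_failed + 1))
        fi
    done
    [ "$probe_failed" -eq 0 ]
}

# Usage: sh probe_nodes.sh node01 node02 node03
# or:    sh probe_nodes.sh $(cat /etc/mpi-nodes)   # one host per line (assumed file)
if [ $# -gt 0 ]; then
    probe_nodes "$@"
fi
```

A node that fails only because its host key is unknown is fixed by seeding the key: as root on the head node, ssh-keyscan node01 node02 >> /etc/ssh/ssh_known_hosts makes every user trust those hosts, or the user can run the same command into ~/.ssh/known_hosts, which on a shared home is then seen by every node. Re-run the probe as the user to confirm that nothing prompts any more.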

