Differences between revisions of "Minicluster:Ssh"
m (→Setando SSH sem senha para usuários atuais) |
m (→ssh-keygen: password-less SSH login) |
||
Linha 130: | Linha 130: | ||
==ssh-keygen: password-less SSH login== | ==ssh-keygen: password-less SSH login== | ||
− | |||
− | + | === via .rhosts === | |
+ | Uma maneira é criar o arquivo .rhosts com o nome do sistema remoto e usuário que você confia: | ||
+ | [user] vi .rhosts | ||
+ | outra.maquina.net usuario | ||
+ | .. | ||
+ | [user] chmod 600 .rhosts | ||
+ | Assim o usuario pode ser conectar de outra.maquina.net sem usar a senha. | ||
− | + | Mas, o SSH deve ser configurado para confiar em .rhosts (que não é o padrão), e o par de chaves privada/pública de cada sistema deve ser propriamente setado no arquivo de chaves públicas ssh_known_hosts. | |
− | + | === Método 2=== | |
− | + | Não requer .rhosts e nem administrador. Requer apenas que você gere um par de chaves pública/privada. | |
− | |||
− | |||
− | |||
− | |||
ssh-keygen is used to generate that key pair for you. Here is a session where your own personal private/public key pair is created: | ssh-keygen is used to generate that key pair for you. Here is a session where your own personal private/public key pair is created: | ||
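Review bot: the added "=== Método 2===" heading does not say what the method is, while its sibling added in the same hunk is named "via .rhosts"; name it after the technique (for example "via ssh-keygen") so the two subsections read as parallel options. In the added sentence after the .rhosts example, "pode ser conectar" should be "pode se conectar". The added section is also written in Portuguese while the paragraph that follows it is still in English, so the section changes language midway.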
Linha 177: | Linha 178: | ||
The example shown here generated keys on sodium by user cantin. If the public key generated, file .ssh/id_rsa.pub, was copied to your account, file .ssh/authorized_keys on nickel.sao.nrc.ca, then user cantin@sodium is allowed to SSH into your own account on nickel.sao.nrc.ca without the use of a password. | The example shown here generated keys on sodium by user cantin. If the public key generated, file .ssh/id_rsa.pub, was copied to your account, file .ssh/authorized_keys on nickel.sao.nrc.ca, then user cantin@sodium is allowed to SSH into your own account on nickel.sao.nrc.ca without the use of a password. | ||
− | To summarize, a personal private/public key pair is generated using the ssh-keygen command. The public key is then copied onto a remote systems' .ssh/authorized_keys file. And you can now SSH to the remote systems's account without the use of a password. | + | To summarize, a personal private/public key pair is generated using the ssh-keygen command. The public key is then copied onto a remote systems' .ssh/authorized_keys file. And you can now SSH to the remote systems's account without the use of a password. |
==Veja também== | ==Veja também== |
Revision as of 15:20, 1 July 2010
Programs running with MPICH across several machines need to communicate with the other machines as if they were the user. This means the user must be able to connect over SSH to the worker machines without a password.
Important: the file permissions must be 600. Some extra configuration of /etc/hosts may also be needed.
Setting up password-less SSH for current users
On a machine with NFS this is easy (not the case here yet). Log in as the user and run
[usuario@one] $ ssh usuario@cell100 (you will be asked for the password)
[usuario@cell100] $ ssh-keygen
- Press Enter to confirm the file .ssh/id_rsa
- Press Enter twice, without typing a passphrase, when asked. This creates two new files in the directory /home/usuario/.ssh: your private key (id_rsa) and your public key (id_rsa.pub).
[usuario@cell100] $ cd .ssh
[usuario@cell100] $ ls
Create a file named authorized_keys. This file determines who is allowed to SSH into this machine as this user without a password. The public key must be added to this file
cat id_rsa.pub >> authorized_keys
The permission must be for the user only:
chmod 600 authorized_keys
At this point you should be able to log in to the machine itself without a password
ssh localhost
Script for all Current Users
Rather than becoming each user one at a time and doing this by hand, the process can be scripted. As root, copy the script below into a text file, and change the value of homeDirs to be correct for your setup. (homeDirs is the directory on your mounted file system where the user directories are stored.)
#!/bin/bash
# This script will create an SSH key for each existing user and create
# an authorized_keys file with their public key.

# Directory containing user home directories
homeDirs=/shared/home

# Iterate over directories only; each directory name is taken as a username
for dir in "$homeDirs"/*/; do
    x=$(basename "$dir")
    echo "Creating SSH key for $x..."
    if [[ -e $homeDirs/$x/.ssh/id_rsa.pub ]]; then
        echo "$x already has a public key"
    else
        # Empty passphrase; ssh-keygen still asks where to save the key
        su "$x" -c "ssh-keygen -N \"\""
    fi
    cat "$homeDirs/$x/.ssh/id_rsa.pub" >> "$homeDirs/$x/.ssh/authorized_keys"
    chown "$x:$x" "$homeDirs/$x/.ssh/authorized_keys"
    chmod 600 "$homeDirs/$x/.ssh/authorized_keys"
done
Change the script to be executable with
chmod u+x <whatever you named it>
Then, run the script with
./<whatever you named it>
You'll be prompted as to where to put the files for each user. (I didn't invest the time to fully figure that out and script it, sorry!) Just hit enter and keep the default each time.
Password-Less SSH for Future Users
Ideally, this script could be set to run every time a new user account is created. I haven't yet figured out how to do that (if you have an idea, please e-mail me at kwanous <at> debianclusters <dot> org). Still, the above can be changed to an interactive script that takes a username to create an SSH key for, and you can run it whenever you create a new user.
Again, you'll need to change it to be executable and also correct the value of homeDirs.
#!/bin/bash
# Creates an SSH key and an authorized_keys file for
# a username given as an argument.

# Directory containing user home directories
homeDirs=/home/shared

if ! [[ "$1" ]]; then
    echo "Usage: ./sshauthhostkeygen username"
    exit 1
fi

x="$1"
echo "Creating SSH key for $x..."

# Refuse names that are not existing accounts
if ! id "$x" > /dev/null 2>&1; then
    echo "$x is not a valid user."
    exit 1
fi

if ! [[ -e $homeDirs/$x ]]; then
    echo "$x does not have a home directory."
    exit 1
fi

if [[ -e $homeDirs/$x/.ssh/id_rsa.pub ]]; then
    echo "$x already has a public key"
else
    # Empty passphrase; ssh-keygen still asks where to save the key
    su "$x" -c "ssh-keygen -N \"\""
fi

cat "$homeDirs/$x/.ssh/id_rsa.pub" >> "$homeDirs/$x/.ssh/authorized_keys"
chown "$x:$x" "$homeDirs/$x/.ssh/authorized_keys"
chmod 600 "$homeDirs/$x/.ssh/authorized_keys"
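The setup above depends on file modes: the page requires 600 on authorized_keys, and sshd's StrictModes check (on by default) refuses key logins when the home directory, .ssh or authorized_keys is writable by group or others. The following audit is an added example, not part of the original page or the debianclusters scripts; it assumes GNU stat (as on Debian) and the same homeDirs layout, and the script name in its last comment is hypothetical.

```bash
#!/bin/bash
# Added example (not from the original page): audit SSH-related file modes.
# Assumes GNU stat and one home directory per user under homeDirs.

# Succeeds when path $1 has any of the permission bits in octal mask $2.
has_bits() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 0$2 )) -ne 0 ]
}

# Audit one home directory; prints a line per finding, returns 1 if any.
audit_home() {
    local home bad entry path mask
    home=$1
    bad=0
    # 022 = writable by group/others (rejected by sshd StrictModes)
    # 077 = any access by group/others (the page's "600" rule; the ssh
    #       client also refuses a private key that others can read)
    for entry in "$home:022" "$home/.ssh:022" \
                 "$home/.ssh/authorized_keys:077" "$home/.ssh/id_rsa:077"; do
        path=${entry%:*}
        mask=${entry##*:}
        [ -e "$path" ] || continue
        if has_bits "$path" "$mask"; then
            echo "$path: mode $(stat -c '%a' "$path") is too open"
            bad=1
        fi
    done
    return $bad
}

# Audit every directory under homeDirs ($1); returns 1 if any user fails.
audit_all() {
    local status dir
    status=0
    for dir in "$1"/*/; do
        audit_home "${dir%/}" || status=1
    done
    return $status
}

# Run as root, e.g.: ./audit-ssh-modes /shared/home
if [ $# -gt 0 ]; then
    audit_all "$1"
fi
```

A non-zero exit status means at least one user's files need a chmod before password-less login will work reliably or safely.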
Preventing Logins
While this is necessary for processes running on behalf of the user, users probably shouldn't be able to do code development and other tasks on the worker nodes themselves. To prevent shell logins (other than root), just run
touch /etc/nologin
You'll still be able to SSH in as root and then su to that user.
ssh-keygen: password-less SSH login
via .rhosts
One way is to create the file .rhosts with the name of the remote system and the user that you trust:
[user] vi .rhosts
outra.maquina.net usuario
..
[user] chmod 600 .rhosts
The user can then connect from outra.maquina.net without using a password.
However, SSH must be configured to trust .rhosts (which is not the default), and each system's private/public key pair must be properly set up in the ssh_known_hosts public key file.
Method 2
Requires neither .rhosts nor an administrator. It only requires that you generate a public/private key pair.
ssh-keygen is used to generate that key pair for you. Here is a session where your own personal private/public key pair is created:
cantin@sodium:~> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cantin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cantin/.ssh/id_rsa.
Your public key has been saved in /home/cantin/.ssh/id_rsa.pub.
The key fingerprint is:
f6:61:a8:27:35:cf:4c:6d:13:22:70:cf:4c:c8:a0:23 cantin@sodium
The command ssh-keygen -t rsa initiated the creation of the key pair.
No passphrase was entered (Enter key was pressed instead).
The private key was saved in .ssh/id_rsa. This file is read-only and only for you. No one else must see the content of that file, as it is used to decrypt all correspondence encrypted with the public key.
The public key is saved in .ssh/id_rsa.pub.
In this case, the content of file id_rsa.pub is
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEArkwv9X8eTVK4F7pMlSt45pWoiakFkZMw G9BjydOJPGH0RFNAy1QqIWBGWv7vS5K2tr+EEO+F8WL2Y/jK4ZkUoQgoi+n7DWQVOHsR ijcS3LvtO+50Np4yjXYWJKh29JL6GHcp8o7+YKEyVUMB2CSDOP99eF9g5Q0d+1U2WVdB WQM= cantin@sodium
It is one line in length.
Its content is then copied in file .ssh/authorized_keys of the system you wish to SSH to without being prompted for a password.
The example shown here generated keys on sodium by user cantin. If the public key generated, file .ssh/id_rsa.pub, was copied to your account, file .ssh/authorized_keys on nickel.sao.nrc.ca, then user cantin@sodium is allowed to SSH into your own account on nickel.sao.nrc.ca without the use of a password.
To summarize, a personal private/public key pair is generated using the ssh-keygen command. The public key is then copied into a remote system's .ssh/authorized_keys file, and you can now SSH to the remote system's account without the use of a password.
See also
- http://debianclusters.org/index.php/Password-less_SSH_for_Users, following these instructions worked