Using SSH and SCP without entering password
When administering a lot of Unix servers, there are situations where you need to run a script on one server from another without entering a password. For example, let’s say that you need to take a cold backup of an Oracle database, but before starting it, you need to stop the application running on another server. In your Oracle backup script, you could “ssh” to the application server and run a script that stops the application before starting the backup. But to do that from a script, you need a way to log on to the application server without having to enter a password.
In this article, we will demonstrate how to configure SSH so that you can log in from one server to another without having to enter a password. Some environments use OpenSSH on their Linux servers and the commercial Tectia SSH on their AIX servers. OpenSSH and Tectia SSH do not use the same key format and, depending on the versions you are running, making an automated connection between the two can become tricky. In our examples, we will demonstrate the setup required so that user “robert” is able to log in from server1 to server2 without having to enter a password in a mixed environment of OpenSSH and Tectia SSH.
OpenSSH server configuration (/etc/ssh/sshd_config)
If you are using OpenSSH and have secured your SSH environment, chances are that you have disabled direct “root” access to your server with the line “PermitRootLogin no” in your SSH daemon configuration file. If you change that line to “PermitRootLogin without-password”, a direct login to “root” with a password is still refused. But if you have configured your server to accept public key authentication (PubkeyAuthentication yes) and the proper setup is done, you should be able to log on to the server without a password. Below is the OpenSSH configuration file that I use for all the examples that follow.
Port 22
Protocol 2
SyslogFacility AUTH
SyslogFacility AUTHPRIV
LoginGraceTime 120
PermitRootLogin without-password
PubkeyAuthentication yes
HostbasedAuthentication no
PasswordAuthentication yes
RhostsRSAAuthentication no
IgnoreRhosts yes
StrictModes yes
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
The OpenSSH version used for all the examples below is:
# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
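The following shell sketch is an added example, not part of the original article: it reports the effective value of the login-related keywords in an sshd_config file, using the rule that sshd keeps the first value it reads for a keyword (which matters for the duplicated SyslogFacility line in the listing above). The function names are hypothetical, and the defaults used for unset keywords are assumptions based on stock OpenSSH.

```shell
#!/bin/sh
# Added example, not from the original article. sshd keeps the FIRST value it
# reads for a keyword, so a later duplicate line has no effect.

# Effective value of keyword $2 in file $1; prints $3 when the keyword is unset.
# Handles the "Keyword value" form in the global section (before any Match).
sshd_effective() {
    awk -v kw="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        tolower($1) == "match" { exit }              # global section only
        tolower($1) == tolower(kw) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Summarise what the file allows for key-based logins. Returns 1 when
# public key authentication is off, because passwordless login cannot work.
audit_key_login() {
    pubkey=$(sshd_effective "$1" PubkeyAuthentication yes)   # assumed default: yes
    root=$(sshd_effective "$1" PermitRootLogin unset)        # default varies by version
    pw=$(sshd_effective "$1" PasswordAuthentication yes)     # assumed default: yes
    strict=$(sshd_effective "$1" StrictModes yes)            # assumed default: yes
    echo "PubkeyAuthentication=$pubkey PermitRootLogin=$root"
    echo "PasswordAuthentication=$pw StrictModes=$strict"
    case $root in
        without-password|prohibit-password) echo "NOTE: root may log in, but only with a key" ;;
        yes) echo "WARN: root may log in directly, including with a password" ;;
    esac
    if [ "$pw" = yes ]; then echo "NOTE: passwords are still accepted alongside keys"; fi
    if [ "$strict" = yes ]; then echo "NOTE: keys are rejected if home, ~/.ssh or authorized_keys is writable by others"; fi
    [ "$pubkey" = yes ]
}

# Sample input: the lines of the article's sshd_config that affect logins.
write_sample_cfg() {
    cat > "$1" <<'EOF'
SyslogFacility AUTH
SyslogFacility AUTHPRIV
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication yes
StrictModes yes
EOF
}

cfg=$(mktemp) && write_sample_cfg "$cfg"
echo "SyslogFacility=$(sshd_effective "$cfg" SyslogFacility AUTH)"   # first line wins
audit_key_login "$cfg"
rm -f "$cfg"
```

To check a real server, call audit_key_login with the path to its sshd_config, for example /etc/ssh/sshd_config.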
Tectia SSH server configuration (/etc/ssh2/ssh-server-config.xml)
The only action needed to permit public key authentication for users is to list ‘publickey’ as an allowed authentication method in the ssh-server-config.xml file:
<authentication-methods>
<authentication action="allow">
<auth-publickey />
...
</authentication>
</authentication-methods>
Other authentication methods can also be allowed. Place the least interactive method first.
For all the Tectia SSH examples below we used the following version:
# sshg3 -V
sshg3.bin: SSH Tectia Client 6.1.3 on powerpc-ibm-aix5.1.0.0
Build: 59
Product: SSH Tectia Client
Automating SSH connection from OpenSSH to OpenSSH