Archive

Archive for November, 2009

Using SSH and SCP without entering password

November 7th, 2009 3 comments

When administrating a lot of Unix servers, there are some situation when you need to run a script from one server to another without entering a password. For example, let’s say that you need to take a cold backup of a Oracle database, but before starting it, you need to stop the application running on another server. In your Oracle backup script, you could “ssh” to application server and run a script that would stop the application before starting the backup.  But to do that with a script, you need a way to log on the application server without having to enter a password.

In this article, we will demonstrate how to configure SSH in such a way that it will allow you to log from one server to another, without having to enter a password.  Some environment are using the OpenSSH version on their Linux servers and the commercial Tectia SSH on the AIX servers. OpenSSH and Tectia SSH don’t have the same keys format and depending on the version you are running,  making an automated connection between these two version can become tricky. In our examples, we will demonstrate the setup require, so that user “robert” is able to log from server1 to server2 without having to enter a password in a mixed environment of OpenSSH and Tectia SSH.

OpenSSH server configuration (/etc/ssh/sshd_config)

If you are using OpenSSH and you have secure your ssh environnent, chance are that you disable direct “root” access to your server with the line “PermitRootLogin no” in your ssh daemon configuration file. If you change that line with “PermitRootLogin without-password”, then direct login to “root” would still be refuse.  But, if you have configure your server to accept public key identification (PubkeyAuthentication yes) and that the proper setup is done, you should be able to log on the server with no password.  Below is the Openssh configuration file that I use for all the examples below.

Port                     22
Protocol                 2
SyslogFacility           AUTH
SyslogFacility           AUTHPRIV
LoginGraceTime           120
PermitRootLogin          without-password
PubkeyAuthentication    yes
HostbasedAuthentication  no
PasswordAuthentication  yes
RhostsRSAAuthentication  no
IgnoreRhosts             yes
StrictModes              yes
UsePrivilegeSeparation  yes
AllowTcpForwarding       no
X11Forwarding            yes
Subsystem sftp           /usr/libexec/openssh/sftp-server

The OpenSSH version used for all the examples below is ;

# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Tectia SSH server configuration (/etc/ssh2/ssh-server-config.xml)

The only action needed to permit public key authentication for users is to list ‘publickey’ as an allowed authentication method in the ssh-server-config.xml file:

<authentication-methods>
  <authentication action="allow">
    <auth-publickey />
    ...
  </authentication>
</authentication-methods>

Other authentication methods can also be allowed. Place the least interactive method first.

For all the Tectia SSH examples below we used the following version ;

# sshg3 -V
sshg3.bin: SSH Tectia Client 6.1.3 on powerpc-ibm-aix5.1.0.0
Build: 59
Product: SSH Tectia Client

Automating SSH connection from OpenSSH to OpenSSH

openssh_2_openssh

Read more…

Categories: Network