Say serverA is where your automated build tool is installed. serverB is where you want to deploy a war file to an application server using an automated script you want to invoke with ssh.
Both serverA and serverB were running CentOS for this set of instructions.
Solution
Step 1: On serverA machine, generate the authentication keys for ssh authentication.
- For the default rsa key filename, enter the following:
- [cherryshoe@serverA ~]$ ssh-keygen -t rsa
- For a specific rsa key filename for serverB, enter the following:
- [cherryshoe@serverA .ssh]$ ssh-keygen -t rsa -f ./id_rsa.serverB -C "Key for dev integration test server"
- The generated key pair is id_rsa and id_rsa.pub (default filename) OR
- id_rsa.serverB and id_rsa.serverB.pub (specific filename)
The result will be similar to:
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.serverB.
Your public key has been saved in ./id_rsa.serverB.pub.
The key fingerprint is:
e9:d6:a6:ad:6d:89:15:31:59:be:ae:32:99:eb:10:e6 Key for dev integration test server
Step 2: NOTE: This step is not required. Use ssh-agent to securely store the private key on serverA. This lets you avoid retyping the passphrase every time you ssh from serverA to serverB.
[cherryshoe@serverA .ssh]$ ssh-agent $BASH
[cherryshoe@serverA .ssh]$ ssh-add
Identity added: /home/cherryshoe/.ssh/id_rsa
[cherryshoe@serverA .ssh]$ ssh-add id_rsa.serverB
Identity added: /home/cherryshoe/.ssh/id_rsa.serverB
NOTE: To list all private keys on serverA, issue ssh-add -l
Step 3: Copy public key to serverB
Step 3a: If sshpass is installed, otherwise use Step 3b.
- Navigate to /<home>/.ssh - note that the id_rsa.pub already exists (default name from above step)
- Run a single command with sshpass, if installed
- sshpass -p <password of user on serverB> ssh-copy-id <server B IP address>
- Test
- ssh <server B IP address>
Step 3b: Copy the public key over to serverB <home>/.ssh/authorized_keys file.
Option a: manual
- If the file doesn't exist yet, copy the public key .pub file over as the authorized_keys file, i.e.:
- scp ~/.ssh/id_rsa.pub cherryshoe@serverB:~/.ssh/authorized_keys
- If it does exist, open the public key .pub file on serverA and append its contents to the existing authorized_keys file on serverB.
Option b: automated
Use ssh-copy-id to automate this step
[cherryshoe@serverA .ssh]$ ssh-copy-id -i ~/.ssh/id_rsa.pub cherryshoe@serverB
cherryshoe@serverB's password:
Step 4: Ensure serverB user's .ssh directory has permission 700 and the authorized_keys file has permission 640
drwx------. 2 cherryshoe wheel 4096 Jul 8 08:00 .
drwx------. 5 cherryshoe cherryshoe 4096 Jul 7 15:43 ..
-rw-r-----. 1 cherryshoe wheel 398 Jul 8 08:00 authorized_keys
You should now be able to ssh from serverA to serverB passwordlessly!
NOTE: The above instructions are for when the user on serverA and serverB is the same username. Take for example: cherryshoe on serverA wants to ssh to serverB as shoetech.
On serverA machine:
- Generate the keys for user shoetech
- ssh-keygen -t rsa -f id_serverB_shoetech -C "shoetech@serverB"
- ssh-copy-id -i id_serverB_shoetech.pub shoetech@serverB
- Check that the known_hosts file now has the serverB IP
- Generate the keys for user cherryshoe
- ssh-keygen -t rsa -f id_serverB_cherryshoe -C "cherryshoe@serverB"
On serverB machine:
- Append the contents of id_serverB_cherryshoe.pub to shoetech's authorized_keys file. The authorized_keys file of the shoetech user should now hold two public keys (one for the cherryshoe user, one for the shoetech user). Make sure each public key line has username@hostname at the end (this is already there if you used the -C parameter when generating the key pair with ssh-keygen).
From serverA, you now need to specify the path to the private key for user shoetech to ssh into serverB as shoetech:
- ssh -i ~/.ssh/id_serverB_shoetech shoetech@serverB
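The manual "append the .pub contents to authorized_keys" step (Step 3b, and again for shoetech above) and the Step 4 permission fix, as one idempotent script. This is an added example, not from the original post; it assumes POSIX sh with awk, and the .ssh directory and public key line are supplied by the caller (the sample key blobs used when trying it out are constructed placeholders, not real keys).

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent version of the
# "append the .pub contents to authorized_keys" step (3b / shoetech note)
# combined with the Step 4 permission fix. Assumes POSIX sh plus awk; the
# directory and key line are passed in by the caller.

# install_authorized_key <ssh_dir> "<public key line>"
# Creates <ssh_dir> as 700 if needed, appends the key only when the same
# key type + key blob is not already there (the trailing comment is ignored,
# so re-running with a different -C comment never duplicates an entry),
# then sets authorized_keys to 640 as in Step 4. Prints "added" or "present".
install_authorized_key() {
    ssh_dir=$1
    key_line=$2
    key_type=$(printf '%s\n' "$key_line" | awk '{ print $1 }')
    key_blob=$(printf '%s\n' "$key_line" | awk '{ print $2 }')
    if [ -z "$key_type" ] || [ -z "$key_blob" ]; then
        echo "install_authorized_key: malformed public key line" >&2
        return 1
    fi
    # sshd (StrictModes, the default) also refuses keys when the home
    # directory, .ssh or authorized_keys is group- or world-writable.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    auth="$ssh_dir/authorized_keys"
    touch "$auth"
    if awk -v t="$key_type" -v b="$key_blob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth"; then
        status=present
    else
        printf '%s\n' "$key_line" >> "$auth"
        status=added
    fi
    chmod 640 "$auth"
    echo "$status"
}

# count_keys <ssh_dir>: number of key entries in authorized_keys
# (blank lines and # comments are not counted).
count_keys() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1/authorized_keys"
}

# Usage on serverB, as the target user (e.g. shoetech), after copying the
# .pub file over:
#   install_authorized_key "$HOME/.ssh" "$(cat id_serverB_cherryshoe.pub)"
```

Run it once per public key on serverB; a second run with the same key reports "present" instead of adding a duplicate line.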
These articles were a great help.
http://www.cyberciti.biz/tips/ssh-public-key-based-authentication-how-to.html
http://www.karan.org/blog/index.php/2009/08/25/multiple-ssh-private-keys
http://stackoverflow.com/questions/2419566/best-way-to-use-multiple-ssh-private-keys-on-one-client
Great to have this as a reference! (may need to do this in the near future)