Every time we need to get into a Linux server we have to authenticate. That can be done with a simple password, with a public key, or with sshpass; the process for each one is described below.
First of all, all the servers used here are the Virtual Machines (VMs) listed below. Access is through ssh (Secure SHell), and all of them use the default ssh port (22).
# virsh list
 Id    Name                           State
----------------------------------------------------
 2     vmjump01                       running
 3     vmdbmongodb01                  running
 4     vmdbmongodb02                  running
 5     vmdbmysql01                    running
 6     vmdbmysql02                    running
 7     vmdbpostgresql01               running
 8     vmdbpostgresql02               running
 9     vmdhcp01                       running
 10    vmdns01                        running
 11    vmdns02                        running
 12    vmemail01                      running
 13    vmemail02                      running
Using a Password
To start this post, we log in to one VM using PuTTY from Windows; we will then use this VM (vmjump01) as a jump server to reach the rest of the VMs.
In the first red circle we specified our user and the VM's name (user@host); in the second one we used the default ssh port and left the SSH radio button checked (because we are using this protocol). Finally, click Open.
After clicking Open we are prompted for a password; we type it and hit Enter.
To jump from one Linux server to another we only need to ssh to the server as follows:
* Note: In this case we are using the default port; if another one is configured we need to add the parameter -p port_number (e.g. ssh vmdbmysql01 -p 6372)
[sorea@vmjump01 ~]$ ssh vmdbmysql01
The authenticity of host 'vmdbmysql01 (192.168.0.35)' can't be established.
ECDSA key fingerprint is 29:b1:de:00:78:e1:80:08:c7:cb:90:fc:d1:1b:66:2d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vmdbmysql01,192.168.0.35' (ECDSA) to the list of known hosts.
sorea@vmdbmysql01's password:
[sorea@vmdbmysql01 ~]$
As this is the first time we log in from vmjump01, we are asked whether we want to continue. We typed yes, so a new record with vmdbmysql01's information is added to the known_hosts file, as shown below:
[sorea@vmjump01 ~]$ cat .ssh/known_hosts | wc -l
1
If we try again we are prompted for a password immediately, because the server's information was already added, so it is a known host now.
[sorea@vmjump01 ~]$ ssh vmdbmysql01
sorea@vmdbmysql01's password:
[sorea@vmdbmysql01 ~]$ uptime
13:55:03 up 1:40, 1 user, load average: 0.00, 0.01, 0.05
Using Public key
This step describes the process to create an RSA key with 2048 bits (2048 is the default value for RSA).
Configure key:
After running the ssh-keygen command with its parameters, the system asks us for a path and a passphrase. In this case we only hit Enter so the system takes the default path, and we left the passphrase empty since we will be running commands remotely and do not want to be prompted for the passphrase each time we need to get into a server.
[sorea@vmjump01 ~]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sorea/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sorea/.ssh/id_rsa.
Your public key has been saved in /home/sorea/.ssh/id_rsa.pub.
The key fingerprint is:
57:68:b4:8e:0f:57:68:81:a9:8e:0d:46:a1:b4:81:a9 sorea@vmjump01
The key's randomart image is:
+--[ RSA 2048]----+
| .. oo |
| . .. o. + ... |
|. E. + . |
|o+ +o . . . |
|* .o= S . |
|.. ...o . |
| . o .....S |
| . |
| |
+-----------------+
If we set a passphrase and want to remove or change it, we only need to execute the command below and follow the instructions on the screen:
ssh-keygen -p
Move public key to target server:
If we try to get into a server we are prompted for a password, so we need to copy our public key to the target server:
[sorea@vmjump01 ~]$ ssh vmdbmongodb01
sorea@vmdbmongodb01's password:
There is no problem if we just need to provide the password for one server, but what if we had 20, 200 or even 2000 (so weird ¬¬)?
[sorea@vmjump01 ~]$ for s in {01..20}; do echo vmdbmongodb$s $(ssh vmdbmongodb$s "uptime"); done
sorea@vmdbmongodb01's password:
vmdbmongodb01 12:34:48 up 20 min, 0 users, load average: 0.00, 0.04, 0.12
sorea@vmdbmongodb02's password:
To copy the public key we just need to run the ssh-copy-id command followed by the target server and type the password, as shown below:
[sorea@vmjump01 ~]$ ssh-copy-id vmdbmongodb01
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sorea@vmdbmongodb01's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'vmdbmongodb01'"
and check to make sure that only the key(s) you wanted were added.
Then let's ssh to the target server and we will see that a password is not required anymore for this server:
[sorea@vmjump01 ~]$ ssh vmdbmongodb01
[sorea@vmdbmongodb01 ~]$
So now we do not have any problem running commands remotely, because authentication happens automatically with the key:
[sorea@vmjump01 ~]$ for s in {01..20}; do echo vmdbmongodb$s $(ssh vmdbmongodb$s "uptime"); done
vmdbmongodb01 12:35:40 up 20 min, 0 users, load average: 0.00, 0.03, 0.12
vmdbmongodb02 12:35:41 up 20 min, 0 users, load average: 0.00, 0.03, 0.12
...
...
Using sshpass
To use this option we need to add one line, export SSHPASS=mypasswordhere, to the .bashrc file located in our home directory. The file should look like this:
[sorea@vmjump01 ~]$ vi .bashrc
# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# Uncomment the following line if you don't like systemctl's auto-paging feature:
# export SYSTEMD_PAGER=
# User specific aliases and functions
export SSHPASS=mypasswordhere
Then we need to reload the variables in .bashrc by running source .bashrc:
[sorea@vmjump01 ~]$ source .bashrc
Let's do some tests
[sorea@vmjump01 ~]$ sshpass -e ssh vmdbpostgresql01
[sorea@vmjump01 ~]$
As explained before, the last command does not do anything because vmdbpostgresql01 is not a known host yet. To avoid this we need to add an option to the ssh command (-o StrictHostKeyChecking=no):
[sorea@vmjump01 ~]$ sshpass -e ssh -o StrictHostKeyChecking=no vmdbpostgresql01
Warning: Permanently added 'vmdbpostgresql01,192.168.0.37' (ECDSA) to the list of known hosts.
[sorea@vmdbpostgresql01 ~]$
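The first-connection prompt in the password section and the StrictHostKeyChecking=no option used here both accept whatever key the server presents. As an added example (not part of the original post), the script below computes the MD5 fingerprint in the format ssh printed above and writes a key to known_hosts only when it matches a fingerprint obtained out of band; the function names, FP_FROM_CONSOLE and the sample key blob are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pin a host key only after its fingerprint matches a value
# obtained out of band (for instance read from the VM console).

# fp_md5 LINE
# LINE is "host keytype base64blob" (ssh-keyscan / known_hosts format).
# Prints the colon-separated MD5 fingerprint; returns 2 on a malformed line.
fp_md5() {
    blob=$(printf '%s\n' "$1" | awk '{print $3}')
    [ -n "$blob" ] || return 2
    # Reject anything that is not valid base64 before hashing it.
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 2
    printf '%s' "$blob" | base64 -d | md5sum | awk '{print $1}' |
        sed 's/../&:/g; s/:$//'
}

# trust_host_key LINE EXPECTED_FP KNOWN_HOSTS_FILE
# Appends LINE to the file only when the fingerprints match.
# Returns 0 = pinned, 1 = mismatch (nothing written), 2 = malformed line.
trust_host_key() {
    actual=$(fp_md5 "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "REJECT ${1%% *}: presented $actual, expected $2" >&2
        return 1
    fi
    # Do not add the same line twice.
    grep -qxF -- "$1" "$3" 2>/dev/null || printf '%s\n' "$1" >> "$3"
}

# Real use (needs the network, so it is left commented out).
# FP_FROM_CONSOLE is a placeholder for the fingerprint read on the server itself.
#   line=$(ssh-keyscan -t ecdsa vmdbpostgresql01 2>/dev/null)
#   trust_host_key "$line" "$FP_FROM_CONSOLE" ~/.ssh/known_hosts &&
#       sshpass -e ssh -o StrictHostKeyChecking=yes vmdbpostgresql01

# Constructed sample: the blob is base64 of the text "constructed-key-blob",
# not a real host key.
SAMPLE_LINE='vmdbpostgresql01 ecdsa-sha2-nistp256 Y29uc3RydWN0ZWQta2V5LWJsb2I='
```

With the key pinned this way, ssh can run with StrictHostKeyChecking=yes and still connect without a prompt.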
Now, to get into any reachable server (a local user is needed on the target host), we just need to specify a target server and that's it: we have access without being prompted for a password.
To use a variable other than SSHPASS we only need to change export SSHPASS=mypasswordhere to export myPass=mypasswordhere in the .bashrc file and reload the variables in our shell environment with source .bashrc
[sorea@vmjump01 ~]$ sshpass -p "$myPass" ssh -o StrictHostKeyChecking=no vmdbpostgresql01
[sorea@vmdbpostgresql01 ~]$
Notice that SSHPASS (case sensitive) is the variable name sshpass uses by default. If we want to use the default one we execute
sshpass -e .......
otherwise
sshpass -p "$myPass"
sshpass can be used with other commands too, e.g.:
sshpass -e command file server:/path/file
sshpass -e scp file.bkp vmdbpostgresql01:/tmp/file.bkp
or
sshpass -p "$myPass" scp file.bkp vmdbpostgresql01:/tmp/file.bkp
Example running commands remotely using sshpass
[sorea@vmjump01 ~]$ for s in $(cat inventory); do echo $s $(sshpass -e ssh -o StrictHostKeyChecking=no $s "uptime"); done
vmdhcp01 15:05:29 up 2:38, 0 users, load average: 0.00, 0.01, 0.05
vmdns01 15:05:29 up 2:38, 0 users, load average: 0.00, 0.01, 0.05
vmdns02 15:05:30 up 2:38, 0 users, load average: 0.07, 0.03, 0.05
vmemail01 15:05:30 up 2:38, 0 users, load average: 0.07, 0.03, 0.05
vmemail02 15:05:29 up 2:38, 0 users, load average: 0.00, 0.01, 0.05
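This method keeps the password in .bashrc and, with -p, in the command arguments, so it is worth checking where it ends up. The added example below (not from the original post) scans a home directory's shell startup and history files for exported password variables and sshpass -p usage without printing the secret; the function names and sample files are constructed for illustration, and the variable-name match is a heuristic.

```shell
#!/bin/sh
# Added example: find sshpass passwords left in shell startup/history files.

# audit_sshpass HOME_DIR
# Prints one finding per line (never the secret itself).
# Returns 1 when anything was found, 0 otherwise.
audit_sshpass() {
    found=0
    for f in "$1/.bashrc" "$1/.bash_profile" "$1/.profile" "$1/.bash_history"; do
        [ -f "$f" ] || continue
        secret=0
        # Heuristic: an exported variable whose name contains "pass" and has a
        # literal value, e.g. the SSHPASS or myPass lines shown above.
        for n in $(grep -niE '^[[:space:]]*export[[:space:]]+[a-z0-9_]*pass[a-z0-9_]*=.' "$f" | cut -d: -f1); do
            echo "$f:$n: password exported in clear text"
            secret=1
        done
        # sshpass -p places the password in the process arguments.
        for n in $(grep -nE 'sshpass[[:space:]]+-p' "$f" | cut -d: -f1); do
            echo "$f:$n: sshpass -p puts the password on the command line"
            found=1
        done
        # A file holding a password should be readable by its owner only.
        if [ "$secret" -eq 1 ]; then
            found=1
            if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
                echo "$f: holds a password and is readable by group or others"
            fi
        fi
    done
    return "$found"
}

# Constructed sample home directory modelled on the .bashrc shown above.
make_sample_home() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# .bashrc' '# export SYSTEMD_PAGER=' \
        'export SSHPASS=mypasswordhere' > "$d/.bashrc"
    printf '%s\n' 'sshpass -p $myPass scp file.bkp vmdbpostgresql01:/tmp/file.bkp' \
        > "$d/.bash_history"
    chmod 644 "$d/.bashrc"
    chmod 600 "$d/.bash_history"
    echo "$d"
}
```

sshpass also accepts -f file, which reads the password from the first line of a file that can be kept at mode 600.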
Note: All the steps described above were performed on CentOS 7
[sorea@vmjump01 ~]$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)