We have set up a CentOS 6.4 box with passwordless SSH to multiple other systems. This works fine when using a terminal as the correct user directly on the CentOS computer. However, if I log into the CentOS box as one of those same users from another system, I get prompted for the RSA key passphrase. Why is this necessary when I am logged on as the correct user?
So, if we have three machines (A, B and C). A has been set up so it can passwordlessly connect to machine B over SSH. That works fine. However, if we SSH into A from machine C, and then from that remote SSH terminal attempt to SSH into B, this requires a password.
Machine A has scripts on it that access several other machines (passwordlessly). We need to be able to remotely log into machine A from Machine C, and then kick off the scripts which access machine B.
Best Answer
Your question is somewhat unclear. It appears that you are using an SSH key, but the SSH key is protected by a passphrase. But then it should actually ask you for that passphrase also when you are logged in directly.
What I would do:
Here is a complete example of how to set this up:
Create a new user which can not be logged into (on my system this will also create a new group with the same name which I will use in the following):
Become this user and create an SSH key. Don't set a passphrase on the key, just press enter on the passphrase prompt.
Add the public key (in ~/.ssh/id_rsa.pub) to the authorized_keys on the target machine (machine B in your example), then shortly try the login by SSH key (which will also add the remote public key to the known_hosts, so that it will not prompt again later).
Back on machine A: Add the normal user account(s) to the group:
Create some script which will use the SSH key and do something on B:
Finally allow the users in group runscripts to execute this script as user runscript without a password. This is the line from /etc/sudoers:
Now as one of the users in group runscripts try to run the script:
As you can see from this output, the script was executed as user runscripts. It then logged into Machine B as user 'remoteuser' and executed the 'whoami' command (which then of course returned 'remoteuser').
Doing it like this has the benefit that nobody shall be able to steal the (unprotected) SSH key because it is only accessible as user runscripts, but people can only run the predetermined scripts with this user's privileges.
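The recipe above, written out as one shell script. This is an added example, not the answer's own commands: the account name runscripts, the group runscripts, the remote account remoteuser, the host name machine-b and the wrapper path /usr/local/bin/run_on_b.sh are assumptions. It keeps the key readable only by the service account, pins the wrapper to one remote host and one command, and uses a sudoers drop-in checked with visudo -c rather than editing /etc/sudoers by hand.

```shell
#!/bin/sh
# Added example (not the answer's own code): a dedicated, non-login
# "runscripts" user owns an unprotected SSH key, and members of the
# "runscripts" group may run one fixed wrapper via sudo without a password.
# All user, group, host names and paths below are assumptions.

RUN_USER="runscripts"                  # assumed: service account owning the key
RUN_GROUP="runscripts"                 # assumed: group allowed to call the wrapper
REMOTE_USER="remoteuser"               # assumed: account on machine B
REMOTE_HOST="machine-b"                # assumed: host name of machine B
WRAPPER="/usr/local/bin/run_on_b.sh"   # assumed: fixed script the group may run

# Build the sudoers rule: exactly one script, only as RUN_USER, no password.
sudoers_rule() {
    # $1 = group, $2 = run-as user, $3 = absolute path of the script
    printf '%%%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# Write the wrapper. The remote host and command are hard-coded, so a caller
# cannot point the key at another machine. ssh picks the default identity from
# the service account's passwd home directory, so no -i option is needed.
# BatchMode makes ssh fail instead of prompting (e.g. for an unknown host key).
install_wrapper() {
    # $1 = destination path of the wrapper script
    cat > "$1" <<EOF
#!/bin/sh
# Runs a fixed command on $REMOTE_HOST as $REMOTE_USER using $RUN_USER's key.
exec ssh -o BatchMode=yes "$REMOTE_USER@$REMOTE_HOST" whoami
EOF
    chmod 0755 "$1"
}

# Allow one ordinary user to invoke the wrapper (appends to the group).
add_caller() {
    usermod -a -G "$RUN_GROUP" "$1"
}

# One-time privileged setup on machine A: run as root with "sh thisfile apply".
apply_setup() {
    # Service account with no interactive shell; useradd also creates its group.
    useradd -m -s /sbin/nologin "$RUN_USER"
    # Key without a passphrase, created as the service account itself.
    su -s /bin/sh - "$RUN_USER" -c \
        'mkdir -p ~/.ssh && chmod 0700 ~/.ssh && ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa'
    chmod 0600 "/home/$RUN_USER/.ssh/id_rsa"
    # Print the public key: paste it into remoteuser's authorized_keys on
    # machine B, then do one manual login as runscripts so the host key is
    # recorded in known_hosts (BatchMode will not accept an unknown host later).
    cat "/home/$RUN_USER/.ssh/id_rsa.pub"
    install_wrapper "$WRAPPER"
    # Drop-in file instead of editing /etc/sudoers; visudo -c validates syntax.
    sudoers_rule "$RUN_GROUP" "$RUN_USER" "$WRAPPER" > /etc/sudoers.d/runscripts
    chmod 0440 /etc/sudoers.d/runscripts
    visudo -c -f /etc/sudoers.d/runscripts
}

case "${1:-}" in
    apply) apply_setup ;;
esac
```

After `sh thisfile apply` and `add_caller alice` on machine A, a user in the group runs the job from an SSH session that came from machine C with `sudo -u runscripts /usr/local/bin/run_on_b.sh`; the key itself stays unreadable to that user, and the sudoers rule grants nothing beyond that one path.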