Start with creating a user:
useradd -m -d /home/username -s /bin/bash username
Create a key pair from the client which you will use to ssh from:
ssh-keygen -t dsa
Copy the public key /home/username/.ssh/id_dsa.pub onto the RedHat host into /home/username/.ssh/authorized_keys
Set correct permissions on the files on the RedHat host:
chown -R username:username /home/username/.ssh
chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys
Ensure that Public Key authentication is enabled on the RedHat host:
grep PubkeyAuthentication /etc/ssh/sshd_config
# should output:
PubkeyAuthentication yes
If not, change that directive to yes and restart the sshd service on the RedHat host.
From the client start an ssh connection:
ssh username@redhathost
It should automatically look for the key id_dsa in ~/.ssh/. You can also specify an identity file using:
ssh -i ~/.ssh/id_dsa username@redhathost
Public key authentication is turned on by default and has higher priority than password authentication (handled by PAM or directly).
You can set in sshd_config the option
UsePAM yes
(the default on Red Hat), which will defer authentication to PAM -- this is configured in /etc/pam.d/sshd (can differ a bit on some systems).
For OTP you can use google_authenticator, or some other open implementation of one-time passwords. There are many how-tos around. You can try searching for two-factor authentication, but basically it is adding one line like this
auth required pam_google_authenticator.so
in /etc/pam.d/sshd and doing some configuration. Arch has nice instructions for this: https://wiki.archlinux.org/index.php/Google_Authenticator
Using only one-time passwords, without the second factor, can be a potential risk if the one-time password or token gets lost -- I recommend that you not go this way, and rather implement two-factor authentication than only a one-time password.
Best Answer
Rather than type your password multiple times you can make use of pssh and its -A switch to prompt for it once, and then feed the password to all the servers in a list.

NOTE: Using this method doesn't allow you to use ssh-copy-id, however, so you'll need to roll your own method for appending your SSH pub key file to your remote account's ~/.ssh/authorized_keys file.

Example
Here's an example that does the job:

The above script is generally structured like so:

High level pssh details
- cat <pubkey> outputs the public key file to pssh
- pssh uses the -I switch to ingest data via STDIN
- -l <remote user> is the remote server's account (we're assuming you have the same username across the servers in the IP file)
- -A tells pssh to ask for your password and then reuse it for all the servers that it connects to
- -i tells pssh to send any output to STDOUT rather than store it in files (its default behavior)
- '...cmds to add pubkey...' - this is the trickiest part of what's going on, so I'll break this down by itself (see below)

Commands being run on remote servers
These are the commands that pssh will run on each server:

In order:
- set the remote user's umask to 077; this is so that any directories or files we're going to create will have their permissions set accordingly, like so:
- create the directory ~/.ssh and ignore it warning us if it's already there
- set $afile with the path to the authorized_keys file
- cat - >> $afile - take input from STDIN and append it to the authorized_keys file
- sort -u $afile -o $afile - uniquely sorts the authorized_keys file and saves it

NOTE: That last bit is to handle the case where you run the above multiple times against the same servers. This will stop your pubkey from getting appended multiple times.

Notice the single ticks!
Also pay special attention to the fact that all these commands are nested inside of single quotes. That's important, since we don't want $afile to get evaluated until after it's executing on the remote server.

I've expanded the above so it's easier to read here, but I generally run it all on a single line like so:

Bonus material
By using pssh you can forgo having to construct files and either provide dynamic content using -h <(...some command...) or you can create a list of IPs using another of pssh's switches, -H "ip1 ip2 ip3".

For example:

The above could be used to extract a list of IPs from my ~/.ssh/config file. You can of course also use printf to generate dynamic content too:

For example:

You can also use seq to generate formatted number sequences too!

References & similar tools to pssh
If you don't want to use pssh as I've done so above there are some other options available.
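The remote-side commands and pssh switches the answer walks through, written out as an added example for this page (not the answer's own script): the pssh binary, the hosts.txt host list and the ~/.ssh/id_ed25519.pub key path are assumptions, and the public-key sanity check and the explicit chmod calls are extra guards the answer does not include.

```shell
#!/bin/sh
# Added example, not the answer's own script. Reconstructs the idempotent
# "append my public key" logic as shell functions and wraps it in the pssh
# invocation the answer describes. Assumed: pssh is on PATH, hosts.txt lists
# one host per line, and ~/.ssh/id_ed25519.pub exists on the client.

# looks_like_pubkey KEYFILE: succeed only if every line starts with a public
# key type prefix, so a private key file is never appended by mistake.
looks_like_pubkey() {
    [ -s "$1" ] && ! grep -Eqv '^(ssh-|ecdsa-sha2-|sk-)[A-Za-z0-9@.-]+ ' "$1"
}

# install_pubkey KEYFILE AUTHFILE: the same steps pssh runs on each server.
# The body is a subshell so umask 077 does not leak into the caller.
install_pubkey() (
    keyfile=$1
    afile=$2
    umask 077                         # new dirs -> 700, new files -> 600
    mkdir -p "$(dirname "$afile")"    # ~/.ssh, no error if it already exists
    cat "$keyfile" >> "$afile"        # append the key from the key file
    sort -u "$afile" -o "$afile"      # drop duplicate lines: safe to re-run
    chmod 700 "$(dirname "$afile")"   # also fix a pre-existing dir or file
    chmod 600 "$afile"
)

# count_key_lines AUTHFILE: number of lines in the file, to check idempotence.
count_key_lines() {
    wc -l < "$1" | tr -d ' '
}

# push_pubkey KEYFILE REMOTE_USER HOSTFILE: validate the key, then push it.
# -I feeds STDIN to the remote command, -A asks for the password once,
# -i prints output inline, -l sets the remote account, -h names the host list.
push_pubkey() {
    looks_like_pubkey "$1" || { echo "refusing: $1 is not a public key" >&2; return 1; }
    pssh -I -A -i -l "$2" -h "$3" \
        'umask 077; mkdir -p "$HOME/.ssh"; afile="$HOME/.ssh/authorized_keys"; cat - >> "$afile"; sort -u "$afile" -o "$afile"; chmod 700 "$HOME/.ssh"; chmod 600 "$afile"' < "$1"
}

# Usage on the client (hypothetical names):
#   push_pubkey ~/.ssh/id_ed25519.pub username hosts.txt
```

Running install_pubkey twice against the same file leaves exactly one copy of the key, which is the property the answer's sort -u step is there to guarantee.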