Difference between revisions of "Passwordless SSH"
(→ESXi1) |
|||
(33 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | == | + | <span style="background-color: rgb(153, 204, 0); color: rgb(0, 0, 255);" data-mce-style="background-color: #99cc00; color: #0000ff;">'''<big>Now on Wiki.NerdMage.Ca</big>'''</span> |
+ | These instructions assume 2 ESXi servers: ESXi0 & ESXi1 | ||
+ | |||
+ | Both of these servers have a datastore named '''Admin''' for Administrative stuff and a Folder named '''Utilities''' for storing useful things. | ||
+ | |||
+ | You will need '''SSH client''' enabled in the built-in firewall on your ESXi hosts. | ||
+ | |||
+ | *Allowing SSH & SCP between ESXi Hosts | ||
+ | **SSH Client must be enabled in the ESXi firewall (for the outbound connection) | ||
+ | **[https://4sysops.com/archives/how-to-open-and-close-firewall-ports-on-vmware-esxi-hosts/ How to Open and Close Firewall Ports on vmWare ESXi Hosts] | ||
+ | |||
+ | ===ESXi to ESXi=== | ||
+ | Source: [https://cormachogan.com/2016/04/13/ssh-esxi-hosts-without-providing-password/ How to SSH between ESXi 6.0U2 hosts without providing a password] | ||
+ | |||
+ | The following 2 sections are basically lists of Copy-Pasta commands for each server. | ||
+ | |||
+ | ====ESXi0==== | ||
+ | |||
+ | *If it doesn't exist yet, create the Utilities folder: | ||
+ | **<code>mkdir /vmfs/volumes/Admin/Utilities</code> | ||
*<code>mkdir /vmfs/volumes/Admin/Utilities/ssl</code> | *<code>mkdir /vmfs/volumes/Admin/Utilities/ssl</code> | ||
*<code>mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1</code> | *<code>mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1</code> | ||
Line 7: | Line 26: | ||
*<code>cd /.ssh</code> | *<code>cd /.ssh</code> | ||
*<code>/usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096</code> | *<code>/usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096</code> | ||
− | * | + | **'''Just accept the defaults''' |
*<code>cat id_rsa.pub | ssh root@ESXi1 'cat >> /etc/ssh/keys-root/authorized_keys'</code> | *<code>cat id_rsa.pub | ssh root@ESXi1 'cat >> /etc/ssh/keys-root/authorized_keys'</code> | ||
− | |||
− | |||
*<code>cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys</code> | *<code>cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys</code> | ||
+ | *<code>vi /etc/rc.local.d/local.sh</code> | ||
+ | |||
+ | mkdir /.ssh | ||
+ | cp /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys/* /.ssh | ||
− | + | ====ESXi1==== | |
− | + | *If it doesn't exist yet, create the Utilities folder: | |
+ | **<code>mkdir /vmfs/volumes/Admin/Utilities</code> | ||
*<code>mkdir /vmfs/volumes/Admin/Utilities/ssl</code> | *<code>mkdir /vmfs/volumes/Admin/Utilities/ssl</code> | ||
+ | |||
*<code>mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0</code> | *<code>mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0</code> | ||
*<code>mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys</code> | *<code>mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys</code> | ||
Line 23: | Line 46: | ||
*<code>cd /.ssh</code> | *<code>cd /.ssh</code> | ||
*<code>/usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096</code> | *<code>/usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096</code> | ||
− | * | + | **'''Just accept the defaults''' |
*<code>cat id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'</code> | *<code>cat id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'</code> | ||
− | |||
− | |||
*<code>cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys</code> | *<code>cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys</code> | ||
+ | *<code>vi /etc/rc.local.d/local.sh</code> | ||
+ | |||
+ | mkdir /.ssh | ||
+ | cp /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys/* /.ssh | ||
+ | |||
+ | ====On Both Servers==== | ||
+ | |||
+ | *<code>chmod +t /etc/ssh/keys-root/authorized_keys</code> | ||
*<code>vi /etc/ssh/sshd_config</code> | *<code>vi /etc/ssh/sshd_config</code> | ||
+ | *(Ensure the following items are in the file) | ||
PermitRootLogin yes | PermitRootLogin yes | ||
Line 34: | Line 64: | ||
# only use PAM challenge-response (keyboard-interactive) | # only use PAM challenge-response (keyboard-interactive) | ||
PasswordAuthentication no | PasswordAuthentication no | ||
− | |||
− | |||
− | * <code>/etc/init.d/SSH restart</code> | + | *<code>/etc/init.d/SSH restart</code> |
+ | *<code>/sbin/auto-backup.sh</code> | ||
+ | |||
+ | At this point, you should be able to SSH from one to the other without needing to enter a password. | ||
+ | |||
+ | ====Troubleshooting SSH on ESXi==== | ||
+ | If you get "ssh: connect to host WHATEVER port 22: Connection timed out" when trying to SSH from an ESXi host, double check the configuration of '''SSH Client''' in the servers '''Firewall Rules'''. | ||
+ | |||
+ | === ESXi to Linux === | ||
+ | Assuming you've already created your keyes in [[ESXi - Passwordless SSH#ESXi to ESXi|ESXi to ESXi]] | ||
+ | |||
+ | *<code>cat /.ssh/id_rsa.pub | ssh USER@LINUXBOX 'cat >> ~/.ssh/authorized_keys'</code> | ||
+ | |||
+ | It is possible that <code>~/.ssh</code> does not yet exist on the target machine. If so, you'll need to create it: | ||
+ | |||
+ | *<code>ssh USER@LINUXBOX 'mkdir ~/.ssh'</code> | ||
+ | |||
+ | ===Linux to ESXi=== | ||
+ | Assuming you've already created the directory structure in [[ESXi - Passwordless SSH#ESXi to ESXi|ESXi to ESXi]] | ||
+ | |||
+ | *<code>ssh-keygen -t rsa</code> | ||
+ | *<code>cat ~/.ssh/id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'</code> | ||
+ | *<code>ssh root@esxi0 "/sbin/auto-backup.sh"</code> | ||
+ | |||
+ | ===Linux to Linux=== | ||
+ | |||
+ | *<code>ssh-keygen -t rsa</code> | ||
+ | *<code>cat ~/.ssh/id_rsa.pub | ssh USER@OTHERLINUXBOX 'cat >> ~/.ssh/authorized_keys'</code> | ||
+ | |||
+ | It is possible that <code>~/.ssh</code> does not yet exist on the target machine. If so, you'll need to create it: | ||
+ | |||
+ | *<code>ssh USER@OTHERLINUXBOX 'mkdir ~/.ssh'</code> | ||
+ | |||
+ | ===Bonus Thoughts...=== | ||
+ | I can't see any reason these instructions couldn't be used to provide passwordless SSH to a remote ESXi server with a weird port number for SSH... ''('''HINT:''' Works just fine...)'' | ||
+ | |||
+ | & since SCP runs over SSH... | ||
+ | |||
+ | Could be used for automatically copying backups to/from an offsite server... | ||
+ | |||
+ | hhhmmm... |
Latest revision as of 15:58, 27 December 2021
Now on Wiki.NerdMage.Ca
These instructions assume 2 ESXi servers: ESXi0 & ESXi1
Both of these servers have a datastore named Admin for Administrative stuff and a Folder named Utilities for storing useful things.
You will need SSH client enabled in the built-in firewall on your ESXi hosts.
- Allowing SSH & SCP between ESXi Hosts
- SSH Client must be enabled in the ESXi firewall (for the outbound connection)
- How to Open and Close Firewall Ports on vmWare ESXi Hosts
Contents
ESXi to ESXi
Source: How to SSH between ESXi 6.0U2 hosts without providing a password
The following 2 sections are basically lists of Copy-Pasta commands for each server.
ESXi0
- If it doesn't exist yet, create the Utilities folder:
mkdir /vmfs/volumes/Admin/Utilities
mkdir /vmfs/volumes/Admin/Utilities/ssl
mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1
mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
mkdir /.ssh
cd /.ssh
/usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096
- Just accept the defaults
cat id_rsa.pub | ssh root@ESXi1 'cat >> /etc/ssh/keys-root/authorized_keys'
cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
vi /etc/rc.local.d/local.sh
mkdir /.ssh cp /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys/* /.ssh
ESXi1
- If it doesn't exist yet, create the Utilities folder:
mkdir /vmfs/volumes/Admin/Utilities
mkdir /vmfs/volumes/Admin/Utilities/ssl
mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0
mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
mkdir /.ssh
cd /.ssh
/usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096
- Just accept the defaults
cat id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
vi /etc/rc.local.d/local.sh
mkdir /.ssh cp /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys/* /.ssh
On Both Servers
chmod +t /etc/ssh/keys-root/authorized_keys
vi /etc/ssh/sshd_config
- (Ensure the following items are in the file)
PermitRootLogin yes UsePAM yes # only use PAM challenge-response (keyboard-interactive) PasswordAuthentication no
/etc/init.d/SSH restart
/sbin/auto-backup.sh
At this point, you should be able to SSH from one to the other without needing to enter a password.
Troubleshooting SSH on ESXi
If you get "ssh: connect to host WHATEVER port 22: Connection timed out" when trying to SSH from an ESXi host, double check the configuration of SSH Client in the servers Firewall Rules.
ESXi to Linux
Assuming you've already created your keyes in ESXi to ESXi
cat /.ssh/id_rsa.pub | ssh USER@LINUXBOX 'cat >> ~/.ssh/authorized_keys'
It is possible that ~/.ssh
does not yet exist on the target machine. If so, you'll need to create it:
ssh USER@LINUXBOX 'mkdir ~/.ssh'
Linux to ESXi
Assuming you've already created the directory structure in ESXi to ESXi
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
ssh root@esxi0 "/sbin/auto-backup.sh"
Linux to Linux
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub | ssh USER@OTHERLINUXBOX 'cat >> ~/.ssh/authorized_keys'
It is possible that ~/.ssh
does not yet exist on the target machine. If so, you'll need to create it:
ssh USER@OTHERLINUXBOX 'mkdir ~/.ssh'
Bonus Thoughts...
I can't see any reason these instructions couldn't be used to provide passwordless SSH to a remote ESXi server with a weird port number for SSH... (HINT: Works just fine...)
& since SCP runs over SSH...
Could be used for automatically copying backups to/from an offsite server...
hhhmmm...