Difference between revisions of "Passwordless SSH"

Now on Wiki.NerdMage.Ca

These instructions assume 2 ESXi servers: ESXi0 & ESXi1

Both of these servers have a datastore named Admin for Administrative stuff and a Folder named Utilities for storing useful things.

You will need SSH client enabled in the built-in firewall on your ESXi hosts.

• Allowing SSH & SCP between ESXi Hosts
  • SSH Client must be enabled in the ESXi firewall (for the outbound connection)
  • How to Open and Close Firewall Ports on vmWare ESXi Hosts

ESXi to ESXi

Source: How to SSH between ESXi 6.0U2 hosts without providing a password

The following 2 sections are basically lists of Copy-Pasta commands for each server.

ESXi0

• If it doesn't exist yet, create the Utilities folder:
  • mkdir /vmfs/volumes/Admin/Utilities
• mkdir /vmfs/volumes/Admin/Utilities/ssl
• mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1
• mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
• mkdir /.ssh
• cd /.ssh
• /usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096
  • Just accept the defaults
• cat id_rsa.pub | ssh root@ESXi1 'cat >> /etc/ssh/keys-root/authorized_keys'
• cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
• vi /etc/rc.local.d/local.sh

mkdir /.ssh
cp /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys/* /.ssh

ESXi1

• If it doesn't exist yet, create the Utilities folder:
  • mkdir /vmfs/volumes/Admin/Utilities

• mkdir /vmfs/volumes/Admin/Utilities/ssl

• mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0
• mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
• mkdir /.ssh
• cd /.ssh
• /usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096
  • Just accept the defaults
• cat id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
• cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
• vi /etc/rc.local.d/local.sh

mkdir /.ssh
cp /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys/* /.ssh

On Both Servers

• chmod +t /etc/ssh/keys-root/authorized_keys
• vi /etc/ssh/sshd_config
• (Ensure the following items are in the file)

PermitRootLogin yes
UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication no 

• /etc/init.d/SSH restart
• /sbin/auto-backup.sh

At this point, you should be able to SSH from one to the other without needing to enter a password.

Troubleshooting SSH on ESXi

If you get "ssh: connect to host WHATEVER port 22: Connection timed out" when trying to SSH from an ESXi host, double check the configuration of SSH Client in the servers Firewall Rules.

ESXi to Linux

Assuming you've already created your keyes in ESXi to ESXi

• cat /.ssh/id_rsa.pub | ssh USER@LINUXBOX 'cat >> ~/.ssh/authorized_keys'

It is possible that ~/.ssh does not yet exist on the target machine. If so, you'll need to create it:

• ssh USER@LINUXBOX 'mkdir ~/.ssh'

Linux to ESXi

Assuming you've already created the directory structure in ESXi to ESXi

• ssh-keygen -t rsa
• cat ~/.ssh/id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
• ssh root@esxi0 "/sbin/auto-backup.sh"

Linux to Linux

• ssh-keygen -t rsa
• cat ~/.ssh/id_rsa.pub | ssh USER@OTHERLINUXBOX 'cat >> ~/.ssh/authorized_keys'

It is possible that ~/.ssh does not yet exist on the target machine. If so, you'll need to create it:

• ssh USER@OTHERLINUXBOX 'mkdir ~/.ssh'

Bonus Thoughts...

I can't see any reason these instructions couldn't be used to provide passwordless SSH to a remote ESXi server with a weird port number for SSH... (HINT: Works just fine...)

& since SCP runs over SSH...

Could be used for automatically copying backups to/from an offsite server...

hhhmmm...