Difference between revisions of "Passwordless SSH"
Revision as of 14:53, 9 July 2020
These instructions assume 2 ESXi servers: ESXi0 & ESXi1
Both of these servers have a datastore named Admin for Administrative stuff and a Folder named Utilities for storing useful things.
You will need SSH client enabled in the built-in firewall on your ESXi hosts.
- Allowing SSH & SCP between ESXi Hosts
- SSH Client must be enabled in the ESXi firewall (for the outbound connection)
- How to Open and Close Firewall Ports on vmWare ESXi Hosts
 
ESXi to ESXi
Source: How to SSH between ESXi 6.0U2 hosts without providing a password
The following 2 sections are basically lists of Copy-Pasta commands for each server.
ESXi0
- If it doesn't exist yet, create the Utilities folder:
- mkdir /vmfs/volumes/Admin/Utilities
 
- mkdir /vmfs/volumes/Admin/Utilities/ssl
- mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1
- mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
- mkdir /.ssh
- cd /.ssh
- /usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096 (just accept the defaults)
 
- cat id_rsa.pub | ssh root@ESXi1 'cat >> /etc/ssh/keys-root/authorized_keys'
- cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys
- vi /etc/rc.local.d/local.sh and add the following two lines, so the keys are copied back into the non-persistent /.ssh at every boot:
mkdir /.ssh
cp /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys/* /.ssh
- /sbin/auto-backup.sh
ESXi1
- If it doesn't exist yet, create the Utilities folder:
- mkdir /vmfs/volumes/Admin/Utilities
 
- mkdir /vmfs/volumes/Admin/Utilities/ssl
- mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0
- mkdir /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
- mkdir /.ssh
- cd /.ssh
- /usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096 (just accept the defaults)
 
- cat id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
- cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys
- vi /etc/rc.local.d/local.sh and add the following two lines, so the keys are copied back into the non-persistent /.ssh at every boot:
mkdir /.ssh
cp /vmfs/volumes/Admin/Utilities/ssl/ESXi0/keys/* /.ssh
- /sbin/auto-backup.sh
On Both Servers
- chmod +t /etc/ssh/keys-root/authorized_keys
- vi /etc/ssh/sshd_config
- (Ensure the following items are in the file)
PermitRootLogin yes
UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication no
- /etc/init.d/SSH restart
At this point, you should be able to SSH from one to the other without needing to enter a password.
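A small check script for the two files this section edits, sshd_config and authorized_keys, added here as an example (it is not part of the original page). It works on constructed sample files so it runs anywhere; the real paths on an ESXi host are /etc/ssh/sshd_config and /etc/ssh/keys-root/authorized_keys.

```shell
#!/bin/sh
# Added example, not from the original page: checks for the two files this
# section edits. Sample inputs below are constructed; on a real host point the
# functions at /etc/ssh/sshd_config and /etc/ssh/keys-root/authorized_keys.
# Effective value of KEY in an sshd_config. sshd uses the FIRST uncommented
# occurrence of a keyword, so a later "PasswordAuthentication no" does not
# override an earlier "yes"; keyword match is case-insensitive, as in sshd.
sshd_config_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$0 !~ /^[ \t]*#/ && tolower($1) == k { print $2; exit }' "$1"
}

# 0 when the three settings the page requires are in effect, else 1 with
# each mismatch reported on stderr.
check_sshd_config() {
    rc=0
    for want in "PermitRootLogin yes" "UsePAM yes" "PasswordAuthentication no"; do
        key="${want%% *}"; exp="${want#* }"
        got="$(sshd_config_value "$1" "$key")"
        if [ "$got" != "$exp" ]; then
            echo "$1: $key is '${got:-unset}', expected '$exp'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Distinct keys (type + base64 blob, comment ignored) in an authorized_keys
# file. Each re-run of the page's 'cat >>' step appends another copy, so a
# value below 'wc -l' means duplicate entries worth cleaning up.
count_distinct_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2 }' "$1" | sort -u | wc -l | tr -d ' '
}

# Constructed sample files (fake key material, not from any host).
TMP="$(mktemp -d)"; GOOD_CFG="$TMP/sshd_config.good"; BAD_CFG="$TMP/sshd_config.bad"
AUTH_KEYS="$TMP/authorized_keys"
printf '%s\n' 'PermitRootLogin yes' 'UsePAM yes' \
    '# only use PAM challenge-response (keyboard-interactive)' \
    'PasswordAuthentication no' > "$GOOD_CFG"
printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin yes' 'UsePAM yes' \
    'PasswordAuthentication no   # too late: first occurrence wins' > "$BAD_CFG"
printf '%s\n' 'ssh-rsa AAAAB3FAKEKEYONE root@ESXi1' \
    'ssh-rsa AAAAB3FAKEKEYONE root@ESXi1' \
    'ssh-rsa AAAAB3FAKEKEYTWO user@linuxbox' > "$AUTH_KEYS"
check_sshd_config "$GOOD_CFG" && echo "good config: ok"
check_sshd_config "$BAD_CFG" || echo "bad config: rejected"
echo "distinct keys: $(count_distinct_keys "$AUTH_KEYS")"
```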
ESXi to Linux
Assuming you've already created your keys in ESXi to ESXi
- cat /.ssh/id_rsa.pub | ssh USER@LINUXBOX 'cat >> ~/.ssh/authorized_keys'
It is possible that ~/.ssh does not yet exist on the target machine. If so, you'll need to create it first:
- ssh USER@LINUXBOX 'mkdir ~/.ssh'
Linux to ESXi
Assuming you've already created the directory structure in ESXi to ESXi
- ssh-keygen -t rsa
- cat ~/.ssh/id_rsa.pub | ssh root@ESXi0 'cat >> /etc/ssh/keys-root/authorized_keys'
- ssh root@esxi0 "cp /.ssh/* /vmfs/volumes/Admin/Utilities/ssl/ESXi1/keys"
- ssh root@esxi0 "/sbin/auto-backup.sh"
Linux to Linux
- ssh-keygen -t rsa
- cat ~/.ssh/id_rsa.pub | ssh USER@OTHERLINUXBOX 'cat >> ~/.ssh/authorized_keys'
It is possible that ~/.ssh does not yet exist on the target machine. If so, you'll need to create it first:
- ssh USER@OTHERLINUXBOX 'mkdir ~/.ssh'
Bonus Thoughts...
I can't see any reason these instructions couldn't be used to provide passwordless SSH to a remote ESXi server with a weird port number for SSH...
& since SCP runs over SSH...
Could be used for automatically copying backups to/from an offsite server...
hhhmmm...
