Configuring OpenSSH on RedHat 7.x for passwordless login from master to slave nodes

Note: This is for an installation where all the nodes are already configured and their host keys are already created. If this is not the case, you will need to modify the instructions appropriately (for each node created, install its host key and add that resulting key to ssh_known_hosts).


For non-root users:

  1. SSH_KNOWN_HOSTS key file (on master and slaves)

    Put all RSA public keys in /etc/ssh/ssh_known_hosts on all nodes & servers. Entries will have the following configuration:

        admin,admin.io,192.168.0.1 ssh-rsa <RSA key>
        alpha,alpha.io,192.168.0.2 ssh-rsa <RSA key>
        node0,node0.io,192.168.0.10 ssh-rsa <RSA key>
        etc...

  2. SSH client configuration file (on master)

    Add the following stanza to /etc/ssh/ssh_config on all nodes & servers (NB: you MUST put this BEFORE any more general entries which might match your node hostnames, such as "Host *"):

        #---BEGIN---
        Host node*
            HostbasedAuthentication yes
            PreferredAuthentications hostbased,publickey,password
            Protocol 2
        #---END---

  3. Legal banner (optional) (on master)

    Add to /etc/ssh/banner on all servers:

        #---BEGIN---
        WARNING
        Unauthorized access prohibited and will be punishable to the full extent of the law.
        WARNING
        #---END---

  4. SHOSTS.EQUIV SSHD server file (on slave)

    Add to /etc/ssh/shosts.equiv on all nodes, on login, and io servers (NOT on admin!) the following (note, this should be a list of servers):

        #---BEGIN---
        io1    (if necessary)
        io2    (ibid.)
        admin
        alpha
        #---END---

  5. SSHD server configuration file (on slave)

    Modify /etc/ssh/sshd_config on all nodes & servers:

        Protocol 2
        HostbasedAuthentication yes
        Banner /etc/ssh/banner

    (Ignore the Banner line if you didn't make a legal banner file.)

  6. Troubleshooting

    Having problems with passwordless logins for non-root users? Try running sshd -d on the node to get more verbose logging, and ssh -v -v -v on the master as well. The node's /var/log/messages and /var/log/secure might give you some other hints as to what is missing.
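
A quick consistency check for steps 1, 2, 4 and 5, as an added example that is not part of the original instructions. The function names are hypothetical, the file paths are passed as arguments, and the sample files are constructed:

```sh
#!/bin/sh
# Added example (not from the original page): consistency checks for the
# host-based setup above. Paths are arguments, so copies can be checked.

# Print every host in shosts.equiv that has no key in ssh_known_hosts.
# Assumes plain (unhashed) "name,name,ip keytype key" entries as in step 1.
missing_host_keys() {  # $1 = shosts.equiv  $2 = ssh_known_hosts
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while read -r host rest; do
        awk -v h="$host" '
            /^[ \t]*(#|$)/ { next }
            { n = split($1, names, ",")
              for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
            END { exit !found }' "$2" || printf '%s\n' "$host"
    done
}

# Succeed only if "Host node*" comes before "Host *" in ssh_config (step 2).
node_stanza_first() {  # $1 = ssh_config
    awk 'BEGIN { rc = 1 }
         tolower($1) == "host" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "node*") { rc = 0; exit }
                 if ($i == "*") exit
             }
         }
         END { exit rc }' "$1"
}

# Succeed only if sshd_config enables HostbasedAuthentication (step 5).
# The first occurrence wins; Match blocks are not interpreted here.
hostbased_enabled() {  # $1 = sshd_config
    awk 'tolower($1) == "hostbasedauthentication" { v = $2; exit }
         END { exit (v != "yes") }' "$1"
}

# Constructed sample files: alpha has no key, and Host * precedes Host node*.
d=$(mktemp -d)
printf '%s\n' 'admin,admin.io,192.168.0.1 ssh-rsa AAAAexample' > "$d/known"
printf '%s\n' 'admin' 'alpha' > "$d/equiv"
printf '%s\n' 'Host *' '  Protocol 2' 'Host node*' '  HostbasedAuthentication yes' > "$d/ssh_config"
printf '%s\n' 'Protocol 2' 'HostbasedAuthentication yes' > "$d/sshd_config"
echo "hosts without a key: $(missing_host_keys "$d/equiv" "$d/known")"
node_stanza_first "$d/ssh_config" || echo "Host node* must precede Host *"
hostbased_enabled "$d/sshd_config" && echo "sshd: HostbasedAuthentication yes"
rm -rf "$d"
```

On a real node, point the functions at /etc/ssh/shosts.equiv, /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_config and /etc/ssh/sshd_config.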

For root user:

    ssh-keygen -t rsa -N '' -f ~root/.ssh/id_rsa
    bpsh -a mkdir ~root/.ssh
    # copy the public half of the key pair; the private id_rsa stays on the master
    bpcp ~root/.ssh/id_rsa.pub all:~root/.ssh/authorized_keys2

    ** note, the above is not yet supported syntax for bpcp
    ** it's short for bpcp f1 0:f2 ; bpcp f1 1:f2 ; etc...