SSH Service Accounts
On RedHat version 5 and above there is an ssh-copy-id utility that may be used; however, for lower revisions you will need to copy the following script to /usr/bin/ssh-copy-id and make it executable before following the remainder of the steps.
#!/bin/sh
# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.
ID_FILE="${HOME}/.ssh/identity.pub"
if [ "-i" = "$1" ]; then
shift
# check if we have 2 parameters left, if so the first is the new ID file
if [ -n "$2" ]; then
if expr "$1" : ".*.pub" ; then
ID_FILE="$1"
else
ID_FILE="$1.pub"
fi
shift # and this should leave $1 as the target name
fi
else
if [ x$SSH_AUTH_SOCK != x ] ; then
GET_ID="$GET_ID ssh-add -L"
fi
fi
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
GET_ID="cat ${ID_FILE}"
fi
if [ -z "`eval $GET_ID`" ]; then
echo "$0: ERROR: No identities found" >&2
exit 1
fi
if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
exit 1
fi
{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF
Logon as or create the service account on all machines required:
useradd -u 199 -s /bin/false serviceacct
echo password1 | passwd --stdin servicacct
Create your DSA key pair:
ssh-keygen -t dsa
Don't enter a password, just hit Enter key three times in quick succession.
Copy your new public ID to all the servers:
logon or su to the service account and run...
ssh-copy-id -i ~/.ssh/id_dsa.pub remoteservername
For bi-directional connectivity repeat the procedure on the remote server pointing back to the original.
Posts
No comments:
Post a Comment