SSH without password between two servers

This howto describes setting up SSH without password between two servers so that the two servers share the same SSH keys and can log into each other. This makes life convenient when using two servers together as a team for various scenarios including:
  • High Availability takeover
  • Active-Active clustering
  • Cross-server tasking
  • Monitoring
This guide can also be used to establish one-way trust.

Key-based authentication

We will use key-based authentication to establish trust between our servers. It is vital that you protect the private key of the server. By sharing the same key between the servers, the servers not only trust each other but themselves. This is useful for scripted management tasks.
For this example, the main server is called primary and the secondary server is called backup.

Creating the key-pair

If you already have a key pair on a server, use that pair or overwrite it. You will need a passwordless key-pair. If your current key-pair has a password, you will need to overwrite it for this howto to be useful. If you are happy with your current key-pair, skip this step. On the first server run the following to create a key pair:
ssh-keygen -t rsa
Press <Enter> at the fields to accept the defaults and to leave the password blank. You will get a response like this:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3a:54:d7:77:0b:c7:5b:cb:08:1d:f3:77:30:87:1c:88 root@server2.example.com
The key's randomart image is:
+--[ RSA 2048]----+
|           . =+o.|
|          E.o B+ |
|        . ...o.+=|
|       . .  ..=.B|
|      . S    . = |
|     . .         |
|      o          |
|       .         |
|                 |
+-----------------+
This command creates a public and a private key pair in the /root/.ssh/ directory:
  • id_rsa.pub
  • id_rsa

Authorizing the server to trust itself

Now that we have a keypair, we can authorize the server to trust itself. This may seem odd but we can script commands that reference the server itself as well as the other server in the pair. Moreover, we can replicate this trust to the other server and this makes distribution of the trust simple. Run the following:
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
To validate this works, ssh to the local server using the hostname you specified in the /etc/hosts file:
ssh root@primary
After accepting the fingerprint, it should log you on without specifying a password.

Copying trust to the target server

This next step assumes that the trust is limited between the servers you are trusting. Take care using this step if you already have certificates and trust set up on your box. You may need to manually input the entries as the following take a sledgehammer approach for convenience. We will send all of these files to the other server and for this well will have to supply the password, but just this time. Copy the files to the other server by running the following:
scp -r /root/.ssh* backup:/root/
Your output will look similar to this:
root@backup's password: 
authorized_keys                               100%  406     0.4KB/s   00:00    
known_hosts                                   100%  805     0.8KB/s   00:00    
id_rsa.pub                                    100%  406     0.4KB/s   00:00    
id_rsa                                        100% 1675     1.6KB/s   00:00
Now test out connecting via SSH to each other server. For example:
ssh backup
Then:
ssh primary

Finishing up

Both servers should be able to log into one another and also they can issue commands. For example:
hostname && ssh backup hostname
would give the result:
[root@server1 ~]# hostname && ssh backup hostname
server1.example.com
server2.example.com
This is useful for scripting because you can use one server to execute commands on the other server and you can copy and sync files between the servers securely using certificated authentication.

Leave a Reply

Your email address will not be published. Required fields are marked *

This website uses cookies to give you the best experience. Most big webs do it also. Agree by clicking the 'Accept' button.