Pivotal Knowledge Base

How to use Password-free Authentication in a Linux environment using gpssh-exkeys

Environment

Product             Version
Pivotal Greenplum   4.3.x
OS                  RHEL 6.x

Purpose

In a Greenplum cluster, the gpssh-exkeys tool sets up password-free SSH authentication between every pair of hosts. In a Linux environment more generally, it is sometimes convenient to log in to a machine without entering a password. This article explains the fundamental principle behind password-free authentication.

Cause

The Greenplum cluster may encounter SSH authentication errors, and we sometimes need to advise customers on how to fix them.

Procedure

First, we need to understand two important concepts: the Public Key and the Private Key.

The Public Key is what its name suggests - Public. It is made available to everyone via a publicly accessible repository or directory. On the other hand, the Private Key must remain confidential to its respective owner.

Because the two keys of a pair are mathematically related, whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key, and vice versa.

In SSH authentication, we can connect to a host only after we have obtained the server's public key. That is also the reason for the message below when we log in to a server for the first time:

ssh gpadmin@172.16.242.135
The authenticity of host '172.16.242.135 (172.16.242.135)' can't be established.
RSA key fingerprint is 14:15:2d:29:8c:be:a9:60:fb:a7:62:27:ec:e9:a3:2a.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added '172.16.242.135' (RSA) to the list of known hosts.
Last login: Fri Mar 24 02:35:48 2017 from 172.16.242.190

After we put the server's public key into the known hosts list, as the prompt above suggests, we can send encrypted data via SSH, and the server will use its private key to decrypt it.

You can see where the private key and the public key are located:

-bash-4.1$ pwd
/home/gpadmin/.ssh
-bash-4.1$ ls -alh
total 32K
drwx------ 2 gpadmin gpadmin 4.0K Mar 24 02:35 .
drwxr-xr-x 9 gpadmin gpadmin 4.0K Mar 22 03:36 ..
-rw------- 1 gpadmin gpadmin  414 Mar 24 02:35 authorized_keys  === If we put the client's public key in here, we can do password-free authentication
-rw-r--r-- 1 gpadmin gpadmin    0 Mar 13 02:22 config
-rw------- 1 gpadmin gpadmin 1.7K Mar 13 02:22 id_rsa      === The Private Key
-rw-r--r-- 1 gpadmin gpadmin  414 Mar 13 02:22 id_rsa.pub  === The Public Key
-rw-r--r-- 1 gpadmin gpadmin    0 Mar 13 02:22 iddummy.pub
-rw-r--r-- 1 gpadmin gpadmin  792 Mar 24 02:32 known_hosts === If we are using this machine to connect to a server, the server's public key is recorded here

From the listing above we can see another important file: authorized_keys. Let's assume we have two machines, a server and a client. If we add the client's public key to the server's authorized_keys file, and we have added the server's public key to the client's known_hosts file, we can log in to the server with password-free authentication.

These are the basic steps to achieve password-free authentication, and gpssh-exkeys does exactly the same thing. Below is a snippet of gpssh-exkeys where it manipulates these files:

    def sendLocalID(self, ID, passwd, tempDir):
        '''
        Send local ID to remote over SSH, and append to authorized_key.
        If  is specified, the authorized_keys, known_hosts, and
        id_rsa.pub files are obtained from the target host.  These files
        are placed in /

Thus, whenever there is an SSH authentication issue, we can either edit the authorized_keys or known_hosts files directly, or use the commands below to fix it.

To remove the server's entry from the known_hosts file (client side):

ssh-keygen -R {server IP}

To enable password-free authentication by adding the client's public key to the server's authorized_keys:

[gpadmin@gpdb-sandbox .ssh]$ ssh-copy-id gpadmin@{server IP}
gpadmin@{server IP}'s password: xxxxxx
Now try logging into the machine, with "ssh 'gpadmin@{server IP}'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[gpadmin@gpdb-sandbox .ssh]$ ssh gpadmin@{server IP}
Last login: Fri Mar 24 06:30:06 2017 from {Client}
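The two bookkeeping steps described earlier (the client's public key goes into the server's authorized_keys, the server's public key into the client's known_hosts) and the fix-up commands just shown can be exercised offline. The script below is an added example written for this article; it is not code from Pivotal or from gpssh-exkeys. It works on a throw-away directory rather than a real ~/.ssh, the key strings in it are constructed placeholders rather than real keys, and it assumes GNU stat (-c %a), as found on RHEL 6. Besides adding and removing entries the way ssh-copy-id and ssh-keygen -R do, it checks the file modes shown in the listing above: sshd with its default StrictModes refuses an authorized_keys file that other users could write to, so the 700/600 modes from the listing are the ones to verify when key-based login unexpectedly falls back to a password prompt.

```shell
#!/bin/sh
# Added example for this article, not code from Pivotal or gpssh-exkeys.
# Works on a throw-away directory, never on a real ~/.ssh. The key strings are
# constructed placeholders, not real keys. Assumes GNU stat (-c %a), as on RHEL 6.

CLIENT_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-client-key gpadmin@client'
SERVER_HOSTKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-host-key'

# make_ssh_dir DIR: empty .ssh layout with the modes shown in the listing above
make_ssh_dir() {
    mkdir -p "$1" && chmod 700 "$1"
    : > "$1/authorized_keys" && chmod 600 "$1/authorized_keys"
    : > "$1/known_hosts"     && chmod 644 "$1/known_hosts"
}

# add_authorized_key DIR "KEYLINE": the server-side effect of ssh-copy-id,
# skipping the line when the same key blob (field 2) is already present so
# repeated runs do not pile up duplicate entries
add_authorized_key() {
    blob=$(printf '%s\n' "$2" | awk '{print $2}')
    if ! awk -v b="$blob" '$2 == b {found=1} END {exit !found}' "$1/authorized_keys"; then
        printf '%s\n' "$2" >> "$1/authorized_keys"
    fi
}

# count_keys DIR: number of non-empty authorized_keys lines (always exits 0)
count_keys() { awk 'NF {n++} END {print n+0}' "$1/authorized_keys"; }

# add_known_host DIR HOST "HOSTKEY": what answering "yes" to the first-login
# prompt records on the client (plain, unhashed host names only)
add_known_host() { printf '%s %s\n' "$2" "$3" >> "$1/known_hosts"; }

# host_known DIR HOST: exit 0 if HOST has an entry in known_hosts
host_known() { awk -v h="$2" '$1 == h {found=1} END {exit !found}' "$1/known_hosts"; }

# remove_known_host DIR HOST: the effect of "ssh-keygen -R HOST" on this file
remove_known_host() {
    awk -v h="$2" '$1 != h' "$1/known_hosts" > "$1/known_hosts.tmp" &&
        mv "$1/known_hosts.tmp" "$1/known_hosts"
}

# check_modes DIR: exit 0 if the directory and authorized_keys carry the
# 700/600 modes from the listing; sshd's default StrictModes refuses keys in a
# file that other users could write to, so a loosened mode is a real failure
check_modes() {
    [ "$(stat -c %a "$1")" = "700" ] || { echo "$1 should be 700"; return 1; }
    [ "$(stat -c %a "$1/authorized_keys")" = "600" ] || { echo "authorized_keys should be 600"; return 1; }
}

# demo: build a client/server layout in a temporary directory, then clean up
demo() {
    d="${TMPDIR:-/tmp}/kb_ssh_demo.$$"
    make_ssh_dir "$d"
    add_authorized_key "$d" "$CLIENT_PUB"
    add_authorized_key "$d" "$CLIENT_PUB"          # second copy is skipped
    add_known_host "$d" 172.16.242.135 "$SERVER_HOSTKEY"
    echo "authorized_keys entries: $(count_keys "$d")"   # prints 1
    host_known "$d" 172.16.242.135 && echo "172.16.242.135 is a known host"
    check_modes "$d" && echo "file modes are acceptable"
    rm -rf "$d"
}
demo
```

To apply the same checks to a real account, point the functions at that user's .ssh directory instead of the temporary one; check_modes is the part worth running first whenever a host that should accept the key keeps asking for a password.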
