Creating Shared Host Keys

This article is aimed mostly at system administrators and people who use SSH on a daily basis to connect to remote clients and servers. I myself have been wanting to set this up for quite some time, and now I’ve found the time and the need to! I currently have multiple servers, each running several services. I plan on setting it up so that when one server makes a backup of a few databases it can automatically connect to another server and upload the backups there for safekeeping. While it sounds semi-complicated, especially when trying to get the servers to talk to each other without any user interaction, it’s not all that bad!

In order to get the servers to talk to each other without having me type in usernames and passwords I’ll be creating special “keys” that allow them to talk without user intervention!

In our example I have Server1, which makes the actual backups of my databases. On Server2 I have a nice RAID setup so I can keep my backups safe and secure! Server2 is where I want to put Server1’s backup files. The user I am using for this example is jimmy on Server1 and jimmy2 on Server2. Hopefully it’s not too confusing!

On Server1 I will open up a Terminal and type in:

ssh-keygen -t rsa

It will ask you where you want to save the key (usually something like /Users/your-username/.ssh/) – just hit enter here. It will then ask you to input a passphrase; just hit enter here, and again when it asks you to ‘enter in the same passphrase’. It will then spit out something like:

Your identification has been saved in /Users/jimmy/.ssh/id_rsa.
Your public key has been saved in /Users/jimmy/.ssh/id_rsa.pub.
The key fingerprint is:
88:99:60:ee:eb:e5:ac:1f:fb:fe:ae:83:5c:3c:c4:0b jimmy@mycomputer

Perfect!

Now we need to put this special key onto the machine you want to remotely connect to, in this case Server2.

What I did was use rsync:

rsync -avz /Users/jimmy/.ssh/id_rsa.pub jimmy2@ip-address-of-Server2:/Users/jimmy2/.ssh/

This bit:

rsync -avz /Users/jimmy/.ssh/id_rsa.pub

will sync the file id_rsa.pub from Server1 to the user account of ‘jimmy2’ on Server2. It will put that file into:

/Users/jimmy2/.ssh/

Now SSH into Server2; you will still be prompted for a password. Go into the .ssh directory for the user you synced the id_rsa.pub file to, in this example jimmy2:

cd ~/.ssh/

Now type:

mv id_rsa.pub authorized_keys

You can even copy and paste that command. That command will just rename the id_rsa.pub file to ‘authorized_keys’.

Now if all went well you can SSH from Server1 to Server2 and not be prompted for a password! This is a really excellent technique for moving files such as backups or when making mirror(s) of a website and not needing to input the password to the server(s) each time!

A note of warning, though! If you remember, when we were making our special key it prompted us to input a passphrase. The passphrase makes your key more secure, but it will prompt you for that passphrase every time you want to connect, defeating the purpose of this exercise. You should also keep track of which servers/clients can connect to each other without a password.
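
As an added example (not part of the original article), the shell function below installs the public key on Server2 by appending it to authorized_keys instead of renaming over it, so keys already in that file survive, and it can prefix the key with OpenSSH restrictions, which matters for the passphrase-less key described above. The function name install_pubkey, the placeholder address 192.0.2.10 and the choice of options are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# install_pubkey PUBKEY_FILE SSH_DIR [OPTIONS]
# Appends one public key to SSH_DIR/authorized_keys without touching keys
# that are already there, and sets the permissions sshd expects.
install_pubkey() {
    pub=$1
    dir=$2
    opts=${3:-}
    auth="$dir/authorized_keys"
    key=

    # Read the first line only; refuse anything that is not a public key
    # (for example the private id_rsa file picked up by mistake).
    IFS= read -r key < "$pub" || [ -n "$key" ] || return 1
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac

    # Optional authorized_keys restrictions go in front of the key type.
    if [ -n "$opts" ]; then
        key="$opts $key"
    fi

    # sshd ignores authorized_keys when the directory or file is writable
    # by other users (StrictModes), so tighten both.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: add the line only if the exact line is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Usage on Server2 as jimmy2. 192.0.2.10 is a placeholder for Server1's
# address; "restrict" needs OpenSSH 7.2 or later and turns off pty
# allocation and all forwarding while still allowing rsync to run:
#   install_pubkey ~/.ssh/id_rsa.pub ~/.ssh 'from="192.0.2.10",restrict'
```

With the from= option in place, a copy of the passphrase-less private key is only accepted when the connection comes from Server1's address.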

It’s also possible to get Server2 to go into Server1 without requiring a password. Follow the same steps to create the key; I renamed it to id_rsa2.pub and then used rsync to move it to Server1. Then I just renamed it authorized_keys using the above ‘mv’ command.

Good luck!

I used this website to help me.
