This page describes how to setup passwordless ssh for a Trafodion user.
Please use these commands to enable passwordless ssh access for a user ID; for example: trafodion
You need to define the authorization keys on each node on the instance. To simplify this procedure, this procedure starts from scratch; that is, it removes the ssh configuration so that new files can be created. The procedure on this page defines what you need to do to set up passwordless ssh manually:
In this procedure, you perform the following steps:
~/.ssh/id_dsa.pub file.~/.ssh/authorized_keys file.localhost key to each node's ~/.ssh/known_hosts file.NoHostAuthenticationForLocalhost on each node.The result of the above procedure should be that the content of the ~/.ssh/authorized_keys file is the same on all nodes in your instance and that the security is set up the same way. This allows you to use ssh to login in to any node from any node in the instance without having to specify a password. This is key for many scripts and support commands, which assume that passwordless ssh is working properly. For example, most support commands uses the pdsh $MY_NODES or pdsh $MY_HADOOP_NODES command for status checks.
A summary of the commands used in this procedures to help experienced users:
# Skip this step if logged in as a user that has run EsgynDB sqenv.sh, which defines NODE_LIST. # Modify the NODE_LIST content to list the nodes on which you are installing Trafodion. export NODE_LIST="node01.host.com node02.host.com node03.host.com node04.host.com node05.host.com" # Get the user ID we're doing this work for. Makes the rest of the commands cleaner. user=$(whoami) # Generate ~/.ssh/id_dsa.pub on each node in the instance for node in $NODE_LIST; do ssh $user@$node "rm -rf ~/.ssh; mkdir ~/.ssh; cd ~/.ssh; echo -e 'y\n' | ssh-keygen -t rsa -N '' -f $~/.ssh/id_rsa"; done # Populate ~/.ssh/authorized_keys file on the master node. for node in $NODE_LIST; do ssh $user@$node "cat ~/.ssh/id_dsa.pub" >> ~/.ssh/authorized_keys; done # Copy files to all nodes in the instance but the master node. my_node=$(echo $HOSTNAME | cut -d '.' -f 1) for node in $NODE_LIST; do if [ $node <> $my_node ]; then scp ~/.ssh/authorized_keys ~/.ssh/known_hosts $user@$node:~/.ssh/.; fi; done # Add localhost public key to each node's ~/.ssh/known_hosts file. for node in $NODE_LIST; do ssh $user@$node "echo localhost $(cat /etc/ssh/ssh_host_rsa_key.pub) >> ~/.ssh/known_hosts"; done # Turn on NoHostAuthenticationForLocalhost on each node. for node in $NODE_LIST; do ssh $user@$node "echo "NoHostAuthenticationForLocalhost=yes" >> ~/.ssh/config"; done # Change security of ~/.ssh directory and key files. for node in $NODE_LIST; do ssh $user@$node "chmod 755 ~/.ssh; chmod 600 ~/.ssh/authorized_keys; cd ~/.ssh; chmod 700 .."; done # Validate that passwordless ssh works. No password prompts should be seen. Try from all or some nodes in the instance. for node in $NODE_LIST; do ssh $user@$node "ls -al /etc/passwd"; done
NODE_LISTThe steps below assumes that the NODE_LIST environmental variable contains the node names onto which Trafodion should be installed. You populate this variable using one of the following methods:
Invoke the Trafodion sqenv.sh script, which is present after Trafodion has been installed.
Create NODE_LIST manually; for example:
export NODE_LIST=“node01.host.com node02.host.com node03.host.com node04.host.com node05.host.com”
~/.ssh/id_dsa.pub fileIn this step, you create the authorization key for each node in the instance. This key will be located in the ~/.ssh/id_dsa.pub file. Use the following commands for each node of the instance:
$ user=$(whoami) $ for node in $NODE_LIST; do ssh $user@$node "rm -rf ~/.ssh; mkdir ~/.ssh; cd ~/.ssh; echo -e 'y\n' | ssh-keygen -t rsa -N '' -f $~/.ssh/id_rsa"; done
~/.ssh/authorized_keys fileIn this step, you populate the ~/.ssh/authorized_keys file on master node by copying the content from each node's ~/.ssh/id_dsa.pub file.
Use the following command string to copy the content of ~/.ssh/id_dsa.pub file for each node into the ~/.ssh/authorized_keys on the master node:
$ for node in $NODE_LIST; do ssh $user@$node "cat ~/.ssh/id_dsa.pub" >> ~/.ssh/authorized_keys; done
In this step, you copy the ~/.ssh/authorized_keys and ~/.ssh/known_host files to all other nodes in the instance. Use the following commands to copy the files to all nodes in the instance ‘‘‘except’’’ the master node:
$ my_node=$(echo $HOSTNAME | cut -d '.' -f 1) $ for node in $NODE_LIST; do if [ $node <> $my_node ]; then scp ~/.ssh/authorized_keys ~/.ssh/known_hosts $user@$node:~/.ssh/.; fi; done
localhost key to each node's ~/.ssh/known_hosts fileIn this step, you add the public key for localhost to the ~/.ssh/known_hosts file
$ for node in $NODE_LIST; do ssh $user@$node "echo localhost $(cat /etc/ssh/ssh_host_rsa_key.pub) >> ~/.ssh/known_hosts"; done
NoHostAuthenticationForLocalhostIn this step, you turn the NoHostAuthenticationForLocalhost on in each node in the instance.
$ for node in $NODE_LIST; do ssh $user@$node "echo "NoHostAuthenticationForLocalhost=yes" >> ~/.ssh/config"; done
ssh AccessIn this step, you change the security of the ~/.ssh/authorized_keys file and the ~/.ssh directory so that passwordless ssh will be allowed. Use the following commands for each node of the instance:
$ for node in $NODE_LIST; do ssh $user@$node "chmod 755 ~/.ssh; chmod 600 ~/.ssh/authorized_keys; cd ~/.ssh; chmod 700 .."; done
Test by starting a remote shell on the different nodes in the instance — no password should be necessary. Be sure to check ssh access to the node itself as well. Use the following command string to check that you can reach each node in the instance without having to provide a password:
$ for node in $NODE_LIST; do ssh $user@$node "ls -al /etc/passwd"; done
Try the validation command string from all or some nodes in the instance.
Passwordless ssh isn‘t considered secure in some installations. We don’t have a solution for this situation yet.