To configure a SSH trust relationship providing authentication via RSA public keys is necessary to follow the next steps:
- Generate a Key Pair
- Upload your Public Key to remote server
- Checking the authorized_keys file in remote server
- Checking the authentication via RSA
In my lab I’m currently using my Ansible master server like the origin server and my Ansible node1 like the destination server.
Ansible master: 192.168.152.135 Ansible node1: 192.168.152.136
Before the configuration
If we try to connect via ssh from Ansible master to node1 with the remote user, we will need to introduce the password in the prompt:
[remote@ansible]$ ssh email@example.com firstname.lastname@example.org's password: Last login: Wed Jul 24 09:40:44 2019 from 192.168.152.135 [remote@node1 ~]$
Starting the configuration:
1. Generate a Key Pair
We have to use ssh-keygen command with -b flag.
The -b flag instructs ssh-keygen to increase the number of bits used to generate the key pair, and is suggested for additional security.
Important!: keep in mind that if you execute ssh-keygen command, it will overwrite an existing RSA key pair, potentially locking you out of other systems.
[remote@ansible]$ ssh-keygen -b 4096
Then press Enter to use the default names id_rsa and id_rsa.pub in the /home/your_username/.ssh directory before entering your passphrase.
While creating the key pair, we will be given the option to encrypt the private key with a passphrase. This means that the key pair cannot be used without entering the passphrase (unless we save that passphrase to our local machine’s keychain manager). Is possible leave this field blank, that is what we will do in the example:
Generating public/private rsa key pair. Enter file in which to save the key (/home/remote/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/remote/.ssh/id_rsa. Your public key has been saved in /home/remote/.ssh/id_rsa.pub. The key fingerprint is: SHA256:zllyF+t37cWgJAkzn38Gec1Jsp7SNtvm3Ws0Rzip9Hz email@example.com The key's randomart image is: +---[RSA 4096]----+ | | | + . . | | = o +=o| | = o.A.=| | S .=o=.B | | o . ++*=oB| | . * o oo=++| | o + ....++| | o. +o+| +----[SHA256]-----+
2. Upload your Public Key to remote server
We can do this step just copying the public key(/home/remote/.ssh/id_rsa.pub) to the remote server over authorized_keys file located in /home/remote/.ssh/.
Or using the specific utility for that task, called ssh-copy-id. The utility ssh-copy-id can copy a SSH public key to a remote server over SSH. And we can use it executing the following commands:
[remote@ansible]$ ssh-copy-id firstname.lastname@example.org
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/remote/.ssh/id_rsa.pub" The authenticity of host '192.168.152.136 (192.168.152.136)' can't be established. ECDSA key fingerprint is SHA256:lYyLFG9lhEsTmhoYB5zEdKVS1+jflyMO/ymyNKaNxRo. ECDSA key fingerprint is MD5:21:59:d7:13:36:2f:0c:ba:10:37:79:70:f6:da:78:b5. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys email@example.com's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'firstname.lastname@example.org'" and check to make sure that only the key(s) you wanted were added.
There is a method if we don’t want to introduce the password for each server. Follow the steps with this article:
3. Checking the authorized_keys file in remote server
We already copied the public key from Ansible master to node1 in the path /home/remote/.ssh/ with a different file name, authorized_keys.
And now we can see the new file in node1:
[remote@node1]$ cd /home/remote/.ssh/ [remote@node1 .ssh]$ cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWBB+y0J8o5xYqsSfv6jc2fIu1UPW8YWEBOnAHG1Wnrp2tZEjaAysFPV+UNaRTL9kEclpOJ4L1zGMVTL5Va9dqVNVgH4kqw2sTnYTqmIXURBcvxi5nwVo+m5o6Hh96KSTJy5dD/EmnMkkBznMoUCwdld0a4c8jZ1chWUTzae/3/yQG5rfYpE7Ht0MJ2/vaqHpPOlaEKfXUjOTCY/u8TFtDt89w5/t8RivdGH2KSNZ5PtAVCI7uCzcEE7e1bhQjroba37htDNwJ7wGQgCJYJWd1Vy5pLe3aKNrhnjC3M5ZXb7YI1TgH4zRzkHKUH1dTIQ6cOsUE4LNhyn9AwCqLzf/1 email@example.com
4. Checking the authentication via RSA
Now, if we try again the ssh conexion, we will connect without provide any password, because we are providing authentication via RSA public keys:
[remote@ansible]$ ssh firstname.lastname@example.org Last login: Wed Jul 24 06:53:40 2019 from 192.168.152.135 [remote@node1 ~]$