On the target host, create the account:
# useradd -m web-server-backup
You can verify this account has no password by the prescence of the "!" in the second field in /etc/shadow:
# grep web-server-backup /etc/shadow
web-server-backup:!:14171:0:99999:7:::
Now, back on the system that will be accessing the account, create a ssh key pair. Since this will be running unattended from cron, I will leave the password empty (i.e. just hit return):
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): just hit return
Enter same passphrase again: just hit return
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d3:ac:99:5f:9c:30:69:98:ad:ab:e9:e5:ef:34:38:bf root@web-server
Copy the public key you just created into your clipboard:
# cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArh6BSw0F1Li/Oh1GbqF6uTv34P4e0Ow7NMco962aHe070vGjlyqIE3CrOU9d3/ztoL7QgalegWj7WfWQ44I8Jz0WGTzLcssYhvluaHzBp5z8QKVvmSpj39f43kAYP0b2GdUwGZL9AER72MRZSxmaybzGoVK12bPr6t18gaAWl9c3b1Ng8MFbp7vvNptfb6NwikfOaL4vTqRfNuVWv6vxaw3xfE+8iuI8ubckUCqrNfayVmfgCmxNS5o9GauHSAZdXhH1xDkZ0ikjo4SAjYz83/eyNdrwef6GTQj+FXwsaiGSpz9B0IOWt613+MhI/uoXRTO2jNzJstBcQa19GbX0Hw== root@web-server
Now on the target account, create ~/.ssh:and copy the public key into ~/.ssh/authorized_keys:
# sudo -u web-server-backup -i
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cat > ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArh6BSw0F1Li/Oh1GbqF6uTv34P4e0Ow7NMco962aHe070vGjlyqIE3CrOU9d3/ztoL7QgalegWj7WfWQ44I8Jz0WGTzLcssYhvluaHzBp5z8QKVvmSpj39f43kAYP0b2GdUwGZL9AER72MRZSxmaybzGoVK12bPr6t18gaAWl9c3b1Ng8MFbp7vvNptfb6NwikfOaL4vTqRfNuVWv6vxaw3xfE+8iuI8ubckUCqrNfayVmfgCmxNS5o9GauHSAZdXhH1xDkZ0ikjo4SAjYz83/eyNdrwef6GTQj+FXwsaiGSpz9B0IOWt613+MhI/uoXRTO2jNzJstBcQa19GbX0Hw== root@web-server
$ chmod 600 ~/.ssh/authorized_keys
Now back on the accessing account, you should be able to access the target account without a password. The first time you do this you will be prompted to trust the host key of the target system, so you should do this once to make this process without prompt.
# ssh -l web-server-backup file-server date
The authenticity of host 'file-server (192.168.1.12)' can't be established.
RSA key fingerprint is 4c:7a:f0:ba:0f:60:45:4b:b8:f1:cc:17:88:59:74:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'file-server,192.168.1.12' (RSA) to the list of known hosts.
Sun Oct 19 13:06:52 CDT 2008
Now it should work seamlessly:
# ssh -l web-server-backup file-server date
Sun Oct 19 13:08:19 CDT 2008
Posts
No comments:
Post a Comment