3.12 ssh

 <  Day Day Up  >  

After default installation of any SuSE or Red Hat system, the only way to access it remotely is by using ssh. The telnet port is closed by default and we strongly recommend, for security reasons, that you do not change it.

If you are accessing the system from another Linux box, you will usually have the openssh client installed.

For AIX 5L, you can install it from:


For AIX 4.3, you can install it from:


On Windows, you can use one of three ssh clients , for example, putty:


For the same security reason, we did not want to use .rhosts file and rsh. In order to be able to run unattended remote commands or file copies, we need to set up ssh for passwordless login. This can be achieved through ssh key exchange.

In a test environment, this can be done in both ways, but in a production environment, we recommend that you enable login from a central management server to the nodes only, not from every node to every node.

3.12.1 Exchanging ssh keys

In this example, we enable passwordless login from serverA (lpar7) to serverB (lpar1). This requires two steps: generating a public key on serverB, and placing this key in .ssh/authorized_keys2 file on serverA.

In order to generate a public key on serverB, we run following command:

 lpar7:~# ssh-keygen -t rsa -b 1024 -N "" 

As a result, two files are created in /root/.ssh directory: id_rsa and id_rsa.pub.

In the next step, we copy the file to the serverA:

 lpar7:~# scp id_rsa.pub lpar1:/tmp 

We add its content to the /root/.ssh/authorized_keys2:

 lpar1:~ # cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys2 

Now we can go back to serverA (lpar7) and try ssh login to serverB (lpar1). If everything is correct, we will not be prompted for a password:

 lpar7:~/.ssh # ssh lpar1 Last login: Mon Nov  3 18:17:41 2003 from lpar7 lpar1:~ # 

If your public key authentication does not work, then look in /var/log/messages for the reason and check the permissions (0655 for public key and 600 for id.rsa). A world readable home directory will prevent this authentication from working, as well.


If you are going to implement CSM, then do not exchange root keys manually; CSM will take care of this. You can exchange keys for other users.

 <  Day Day Up  >  

Quintero - Deploying Linux on IBM E-Server Pseries Clusters
Quintero - Deploying Linux on IBM E-Server Pseries Clusters
Year: 2003
Pages: 108

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net