PSSH is a utility that runs SSH from one server to multiple client nodes in parallel and performs a defined task on each of them. PSSH provides the -A argument, with which the tool prompts for a password that is then used to connect to all the target hosts. We can also configure PSSH to use SSH public key authentication, which can be passwordless.

How to perform SSH public key authentication (passwordless) with PSSH in Linux

-A
--askpass
         Prompt for a password and pass it to ssh.  The password may be used for either to unlock a key or  for  password
         authentication.   The  password  is transferred in a fairly secure manner (e.g., it will not show up in argument
         lists).  However, be aware that a root user on your system could potentially intercept the password.

 

Configure SSH public key authentication

In the steps below I will configure SSH public key authentication between 3 nodes for the root user. The first step is to generate a private and public key pair. Here node1 will be my master server.

[root@node1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:WDIWm4i8/UhU/zjiKZrmGVcg5PZj5mzXT4aZd37Gnbs root@node1.example.com
The key's randomart image is:
+---[RSA 2048]----+
|  .   o          |
| + . o =         |
|  * + * o        |
| . * o = o       |
|  . B + S .      |
|   * * + =       |
|  . B = = + .. ..|
|  .B o   = o  +..|
| o=       . .o Eo|
+----[SHA256]-----+

Next, copy the public key to each client host and append it to the authorized_keys file of the user. We use ssh-copy-id because it copies the public key and appends it to authorized_keys in one step.

[root@node1 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@node2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@node2's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@node2'"
and check to make sure that only the key(s) you wanted were added.

[root@node1 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@node3
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Password:

Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'node3'"
and check to make sure that only the key(s) you wanted were added.
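
The ssh-copy-id output above ends by advising you to check that only the keys you wanted were added. The following shell function is an added example, not part of the original article: it lists every key in an authorized_keys file with its type, its comment and whether it carries a from=, command= or restrict option. The sample file, its placeholder key blobs and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: list each key in an authorized_keys file with its restriction status.

# Constructed sample file; the key blobs are placeholders, not real keys.
sample_authorized_keys() {
    cat <<'EOF'
# keys allowed to log in as root on node2 (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed root@node1.example.com
from="192.0.2.10",command="/usr/bin/uptime -p" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed monitor@node1
ssh-ed25519
EOF
}

# Usage: audit_authorized_keys [FILE]   (reads stdin when FILE is omitted)
# Prints: <line> <keytype> <restricted|UNRESTRICTED> <comment>, or <line> MALFORMED
audit_authorized_keys() {
    awk '
    function is_keytype(s) {
        return s ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    {
        # Split on whitespace, but not inside double-quoted option values.
        n = 0; tok = ""; inq = 0; prev = ""; split("", t)
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"" && prev != "\\") inq = !inq
            if (!inq && (c == " " || c == "\t")) {
                if (tok != "") { t[++n] = tok; tok = "" }
            } else tok = tok c
            prev = c
        }
        if (tok != "") t[++n] = tok
        # An options field, when present, comes before the key type.
        k = is_keytype(t[1]) ? 1 : 2
        if (n < k + 1 || !is_keytype(t[k])) { printf "%d MALFORMED\n", NR; next }
        opts = (k == 2) ? t[1] : ""
        comment = "-"
        if (n >= k + 2) { comment = t[k + 2]; for (j = k + 3; j <= n; j++) comment = comment " " t[j] }
        # Heuristic: from=, command= or restrict limit what the key can do.
        status = (opts ~ /(^|,)(from=|command=|restrict)/) ? "restricted" : "UNRESTRICTED"
        printf "%d %s %s %s\n", NR, t[k], status, comment
    }' "${1:--}"
}

sample_authorized_keys | audit_authorized_keys
```

On a client node, run it against the real file with audit_authorized_keys /root/.ssh/authorized_keys; every UNRESTRICTED line is a key that grants a full root login.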

 

Create ssh authenticating agent (ssh-agent)

ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA, ECDSA, Ed25519). ssh-agent is usually started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program.

[root@master ~]# eval `ssh-agent` ssh-add /root/.ssh/id_rsa
Agent pid 4696
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)

Verify the process status

[root@node1 ~]# ps -ef | grep ssh-agent
root      4696     1  0 21:32 ?        00:00:00 ssh-agent
root      4699  4004  0 21:32 pts/0    00:00:00 grep --color=auto ssh-agent

 

Install PSSH

You can get the PSSH rpm from the EPEL repository

[root@master ~]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-11                ################################# [100%]

Next you can install PSSH using yum

[root@node1 ~]# yum install pssh

 

Perform parallel SSH (PSSH)

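Now we are all set up and can execute PSSH without supplying any password. Additionally, I am passing some extra SSH client options to PSSH through -x: StrictHostKeyChecking=no makes ssh accept the host key of a new host without prompting (so that key is not verified), GSSAPIAuthentication=no skips GSSAPI authentication, and PreferredAuthentications=publickey together with PubkeyAuthentication=yes limits the attempt to public key authentication.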

[root@node1 ~]# pssh -i -H "node2 node3" -l root -x "-o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PreferredAuthentications=publickey -o PubkeyAuthentication=yes" hostname
[1] 23:07:10 [SUCCESS] node3
node3.example.com
[2] 23:07:10 [SUCCESS] node2
node2.example.com

As you can see, I did not use "-A" and yet the PSSH tool was able to connect to all the provided hosts without prompting for any password.

 

Lastly, I hope the steps from the article to configure SSH public key authentication using PSSH on Linux were helpful. So, let me know your suggestions and feedback using the comment section.

 
