{"id":178,"date":"2010-04-02T13:10:36","date_gmt":"2010-04-02T12:10:36","guid":{"rendered":"http:\/\/www.nax.cz\/2010\/04\/02\/password-less-ssh-for-scripting\/"},"modified":"2010-04-02T13:10:36","modified_gmt":"2010-04-02T12:10:36","slug":"password-less-ssh-for-scripting","status":"publish","type":"post","link":"https:\/\/nax.cz\/?p=178","title":{"rendered":"password-less ssh for scripting"},"content":{"rendered":"<p><strong>Task<\/strong>: add a local user to about 1000 machines.<\/p>\n<p><strong>Prerequisites<\/strong>: private\/public key authentication is already set up.<\/p>\n<p>The trick was to prevent ssh from asking for a password under any circumstances.<\/p>\n<p>First I prepared a very simple script:<\/p>\n<pre>\n#!\/bin\/sh\n# getent exits with status 2 when the requested key is not found\ngetent passwd user > \/dev\/null\nUSERCHECK=$?\ngetent passwd 6211 > \/dev\/null\nIDCHECK=$?\n\n# Continue only if neither the user name nor the UID 6211 exists yet\nif [ $USERCHECK -eq 2 ] && [ $IDCHECK -eq 2 ]; then\n   # 'x' in the password field makes the system take the hash from \/etc\/shadow;\n   # an empty field can be treated as an empty password\n   echo 'user:x:6211:10:Test Account:\/usr\/local\/home\/user:\/bin\/sh' \\\n         >> \/etc\/passwd\n   echo 'user:dkadDSKJhfakj38LDJ:6211::::::' \\\n         >> \/etc\/shadow\n   mkdir -p \/usr\/local\/home\/user\/.ssh\n   echo 'ssh-dss (some public key here) user@host' \\\n         >> \/usr\/local\/home\/user\/.ssh\/authorized_keys\n   chown -R user \/usr\/local\/home\/user\n   # Warn when an active (uncommented) line turns public key authentication off\n   grep -E '^[[:space:]]*PubkeyAuthentication[[:space:]]+no' \\\n         \/etc\/ssh\/sshd_config > \/dev\/null 2>&1\n   if [ $? -eq 0 ] ; then\n        echo PubkeyAuthentication might be disallowed on this system!\n        echo Please check it manually in \/etc\/ssh\/sshd_config\n   fi\nfi\n<\/pre>\n<p>I create the home directory in \/usr\/local\/home rather than in \/home because some machines can have the \/home filesystem auto-mounted over NFS.<\/p>\n<p>And now the difficult part. 
How do you keep the machines from asking for a password?<\/p>\n<p>One approach would be to use either the expect language (see my <a href=\"http:\/\/www.nax.cz\/2010\/03\/30\/automatically-get-a-version-of-your-sun-hw-service-processor\/\">previous post about scripting in expect<\/a>) or a dedicated tool like <a href=\"http:\/\/www.debianadmin.com\/sshpass-non-interactive-ssh-password-authentication.html\">sshpass<\/a>.<\/p>\n<p>But I thought there must be a simpler way to do that, and I found <a href=\"http:\/\/superuser.com\/questions\/103722\/ssh-completly-disabling-password-authentication\">the solution<\/a>. The key is to use the ssh option &#8222;BatchMode=yes&#8220;.<\/p>\n<p>The script then looks like this:<\/p>\n<pre>\n#!\/bin\/bash\n# BatchMode=yes makes ssh and scp fail instead of prompting for a password or passphrase.\n# StrictHostKeyChecking=no adds unknown host keys to known_hosts without asking.\nfor IP in $(cat ips.list)\ndo\n        scp -o StrictHostKeyChecking=no \\\n             -o BatchMode=yes \\\n             add_user.sh root@$IP:\n        # Run the script only if the copy succeeded\n        if [ $? -eq 0 ] ; then\n                ssh -o StrictHostKeyChecking=no \\\n                     -o BatchMode=yes \\\n                     root@$IP 'sh .\/add_user.sh'\n        fi\ndone\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Task: add a local user to about 1000 machines. Prerequisites: private\/public key authentication is already set up. The trick was to prevent ssh from asking for a password under any circumstances. First I prepared a very simple script: #!\/bin\/sh getent passwd user > \/dev\/null USERCHECK=$? getent passwd 6211 > \/dev\/null IDCHECK=$? 
if [ $USERCHECK -eq 2 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[],"class_list":["post-178","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts\/178","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=178"}],"version-history":[{"count":0,"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts\/178\/revisions"}],"wp:attachment":[{"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}