Fedora Cluster‎ > ‎

SSH access

A stock installation is not useful enough for our purposes. We will follow now a set of steps on each of the machines, with the aim of improving the security of the system.

On the master

Enter the server through the console (Ctrl-Alt-F2) by introducing as user root and the password that  you already created.

We start by disabling password access on 'deutsch', which will be the root of our system. For that we edit the file /etc/ssh/sshd_config and add a line
PasswordAuthentication no
There should be no other lines starting with "PasswordAuthentication". The location of this line is pretty much irrelevant, but there is a comment in the file that indicates where it could go.

At this point we have to restart the secure login daemon to make this change valid, which we do from the command line. We do so by restarting the sshd service
# service sshd restart
From now on, nobody can enter the computer, except using the keyboard+screen or setting up public key authentication. Before implementing the same change on other computers, we have to create such keys in the master. Enter
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
at the command line and answer all questions by simply pressing <Enter>. You will see the following files being created
[root@deutsch ~]# ls -la .ssh/
total 24
drwx------. 2 root root 4096 Jul 25 23:43 .
dr-xr-x---. 7 root root 4096 Jul 28 11:34 ..
-rw-------. 1 root root 1675 Jul 25 23:43 id_dsa
-rw-r--r--. 1 root root  406 Jul 25 23:43 id_dsa.pub
With this we can start to connect this computer to the other ones.

On the slaves

We will continue working on 'deutsch', to implement the changes in the other servers. As an example, I will work through the details of how to harden 'toffoli'. We start by entering toffoli with the root password that we already created and produce new keys
[root@deutsch ~]# ssh toffoli ssh-keygen -t dsa
The authenticity of host 'toffoli (161.111.23.136)' can't be established.
ECDSA key fingerprint is 55:0b:b7:3f:45:22:95:79:bc:13:13:23:37:ca:1c:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'toffoli,161.111.23.136' (ECDSA) to the list of known hosts.
jjgarcia@toffoli's password: *****
Enter file in which to save the key (/root/.ssh/id_dsa.pub)
...
Now we copy the key from 'deutsch', so that we can automatically log-in
[root@deutsch ~]# cat .ssh/id_rsa.pub | ssh toffoli "cat - > .ssh/authorized_keys"
root@toffoli's password: ******
At this point we should be able to log-in without password. We use this to update the SSH configuration.
[root@deutsch ~]# rsync -rauvz /etc/ssh/sshd_config toffoli:/etc/ssh/
sending incremental file list
sshd_config

sent 864 bytes  received 77 bytes  1,882.00 bytes/sec
total size is 4,546  speedup is 4.83
and we restart the server
[root@deutsch ~]# ssh toffoli service sshd restart