csshsetup(1)

NAME
csshsetup - Simplifies configuring the Secure Shell public-key user
authentication between systems. This establishes a security domain for
the cluster. csshsetup is part of the Distributed Systems Administra‐
tion Utilities (DSAU).

SYNOPSIS

DESCRIPTION
The csshsetup command simplifies the task of setting up ssh public-key
authentication trust relationships for a set of managed systems. The
command employs the round-robin key-exchange feature that you must use
in a Serviceguard cluster to establish an "any-member-to-any-member"
ssh trust relationship. This allows tools such as those listed under
SEE ALSO to be used cluster-wide or across any set of systems that
share an ssh trust relationship. csshsetup creates the user files
necessary to configure public-key user authentication on a Secure Shell
client.
Using the round-robin (-r) option, csshsetup sets up bi-directional
authentication for all specified systems. For example, if the hostlist
contains the members of a cluster, the -r option lets any member
connect using ssh to any other member, including itself. The same is
true for an arbitrary list of distributed systems. Using -r greatly
simplifies the manual steps required to generate and distribute the ssh
keys.
When executed, csshsetup checks for existing public keys and may prompt
the user for the following information:
· The user's password on the remote host. Users are prompted
for the password for the specified user account on the remote
host because password authentication is the only authentica‐
tion available when the command is first executed.
· The ssh client may prompt for adding the key fingerprint of
the remote host.
If csshsetup cannot find any public keys, it runs the ssh-keygen
command (the key is saved with an empty passphrase). For additional
information, see the ssh manpage.
Following these steps, the command creates the following identification
and authorization directory and files:
· A directory called $HOME/.ssh for the user on the client
($HOME is the name of the user's home directory). All files
created by the command are located in this directory.
· The key-pair (private and public key) files are:
  · The $HOME/.ssh/id_rsa file contains the user's private
    key. Only the user for which the key was created can
    access this file. This file is stored on the local node.
  · The $HOME/.ssh/id_rsa.pub file contains the user's public
    key. The id_rsa.pub file is copied into the public-key
    authentication configuration of every server to which
    the user will connect, that is, to all remote hosts where
    you want to set up an ssh trust.
· The authorized-key file is called $HOME/.ssh/autho‐
  rized_keys2. It contains the names of public keys for remote
  hosts from which the users can access their user accounts on
  the local host. With keys exchanged in this manner, the
  remote user does not need a password to access the local
  account. There is an authorized-key file on each host where
  you use ssh and with which you have exchanged keys.
After creating all files, csshsetup distributes the user's public key
to the remote host (the copy is made over ssh, using the password
authentication described above). With the -r option, the command
distributes and configures the user's public key on all specified hosts
in a round-robin, or n-squared, fashion.
See the ssh manpage for more information about Secure Shell user
authentication.
OPTIONS
-f hostfile
     Reads a list of remote hosts specified in the hostfile, one
     host per line.
     If the remote host is in a different domain than the local
     host, you must specify the full domain name.
     If a hostname is supplied instead of a hostfile name, csshsetup
     reads host names from standard input, typically the command line.
-h   Displays help on command options.
-k type
     Specifies the type of key to create. Possible values are rsa
     or dsa for ssh protocol version 2. The default key type is
     rsa.
-r hostfile
     Configures user authentication between all hosts in a round-
     robin fashion using a list of hosts in hostfile.
-v   Displays verbose output.
hostname
     Specifies the name of a single remote host with which to
     exchange keys.
SECURITY FEATURES
The rsa or dsa private key is saved with an empty passphrase. This
enables administration scripts and other applications to connect or
execute commands non-interactively, without prompting the user to enter
a password or to accept a host fingerprint (ssh prompts the user for
these during setup only). The private key is protected by file-system
permissions so that only the user can access the file. (If you use a
private-key passphrase, see the ssh manpage for more information about
Secure Shell user authentication and the configuration of your user
keys.) Note that a private-key passphrase breaks non-interactive
applications such as those listed under SEE ALSO, so in that case you
should use ssh-agent. For more information on these topics, refer to
the OpenSSH web site http://www.openssh.org.
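The following helper is an added example and is not part of the csshsetup man page or of DSAU. It makes two things from the text above concrete: the hostfile format (one host per line, a fully qualified name for hosts outside the local domain) expanded into the n-squared "src -> dst" pair list that a round-robin (-r) setup must establish and verify, and a check that the passphrase-less private key really is protected by file-system permissions, that is, readable by its owner only. The comment and blank-line handling in parse_hostfile and the function names are assumptions; the man page only specifies one host per line.

```shell
#!/bin/sh
# Added example (not from the csshsetup man page or DSAU).

# parse_hostfile FILE: print one host per line, dropping blank lines,
# '#' comments and surrounding whitespace. Comment/blank handling is
# an assumption; the man page only says "one host per line".
parse_hostfile() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$'
}

# rr_pairs FILE: print every ordered (src -> dst) pair, including each
# host with itself. This is what "any-member-to-any-member" trust means
# and what the "Testing..." lines of a -r run enumerate.
rr_pairs() {
    hosts=$(parse_hostfile "$1")
    for src in $hosts; do
        for dst in $hosts; do
            printf '%s -> %s\n' "$src" "$dst"
        done
    done
}

# rr_pair_count FILE: number of trust relationships -r must set up and
# verify: n squared for n hosts.
rr_pair_count() {
    rr_pairs "$1" | wc -l | tr -d ' '
}

# key_is_private FILE: succeed only if FILE exists and has no group or
# other permission bits. Because the key has no passphrase, this file
# mode is the only thing standing between the key and other local users.
# Columns 5-10 of the ls -l mode string are the group and other bits.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | awk '{ print substr($1, 5, 6) }')
    [ "$perms" = "------" ]
}

# Demo on a constructed hostfile and a dummy key in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'host1.company.com\nhost2\n\n# host3 is down\nhost3.company.com\n' \
        > "$tmp/hostfile"
    rr_pairs "$tmp/hostfile"
    echo "pairs to verify: $(rr_pair_count "$tmp/hostfile")"
    : > "$tmp/id_rsa"
    chmod 644 "$tmp/id_rsa"
    if key_is_private "$tmp/id_rsa"; then
        echo "id_rsa: owner-only"
    else
        echo "id_rsa: readable by others, fixing with chmod 600"
        chmod 600 "$tmp/id_rsa"
    fi
    key_is_private "$tmp/id_rsa" && echo "id_rsa: owner-only"
    rm -rf "$tmp"
}

demo
```

Running the script prints the nine pairs for the three-host constructed hostfile (host2 is deliberately left unqualified, as the -f description permits for a host in the local domain), then reports the dummy key as world-readable and shows it owner-only after chmod 600. Pointing key_is_private at a real $HOME/.ssh/id_rsa is a quick post-setup sanity check on every node of the trust domain.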
EXAMPLES
The following shows the contents of a hostfile. A fully qualified host
name (one that carries its domain) denotes a host in a non-local
domain.
-f hostfile
     Read a list of remote hosts from this file, one host per line,
     where the hostfile content is:
host1.company.com
host2
host3.company.com
The following example demonstrates the use of the -r and -f options.
The command configures the ssh user public key on the hosts listed in
the file called hostfile. In the output, a failure message starts with
the word 'Failure:', and a success message starts with the word
'Success:'.
The hostfile contains the following host names, as seen with the cat
command:
# cat hostfile
host06
host07.company.com
host21
host10.company.com
#
Using the csshsetup command with the -r option to get a round-robin
setup:
# csshsetup -rf hostfile
Failure: host21.company.com is unreachable
If asked, enter password and/or add fingerprint for root@host06.company.com
The authenticity of host 'host06.company.com (12.345.6.78)' can't be established.
RSA key fingerprint is c1:0e:ef:14:17:ba:9f:a7:41:56:26:09:39:c9:cd:93.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'host06.company.com,12.345.6.78' (RSA) to the list
of known hosts.
Password: enter password for the user here
If asked, enter password and/or add fingerprint for root@host07.company.com
The authenticity of host 'host07.company.com (78.901.2.341)' can't be established.
RSA key fingerprint is a5:56:50:1d:e4:24:31:28:e7:bd:f0:c0:08:b0:79:8e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'host07.company.com,78.901.2.341' (RSA) to the list
of known hosts.
Password: enter password for the user here
If asked, enter password and/or add fingerprint for root@host10.company.com
The authenticity of host 'host10.company.com (56.789.0.12)' can't be established.
RSA key fingerprint is 65:22:fb:fa:fa:03:3d:14:16:4d:ff:39:65:3d:68:47.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
Failure: Unable to exchange keys with host10.company.com
Testing...
Success: host04.company.com -> host04.company.com
Success: host04.company.com -> host06.company.com
Success: host04.company.com -> host07.company.com
Success: host06.company.com -> host04.company.com
Success: host06.company.com -> host06.company.com
Success: host06.company.com -> host07.company.com
Success: host07.company.com -> host04.company.com
Success: host07.company.com -> host06.company.com
Success: host07.company.com -> host07.company.com
#
RESULT: There were two failures; the first was caused by failure to
reach a specific host, and the second was caused by a host-key
verification failure (we answered "no" when asked to add the
fingerprint).
Failure: host21.company.com is unreachable
Failure: Unable to exchange keys with host10.company.com
We were successful in setting up user authentication between the local
host and two other remote hosts.
A test is performed when the -r option is chosen, and the following
prompt is always displayed: "If asked, enter password and/or add
fingerprint for user@host."
In this example, we pass the remote hostname as an argument to the com‐
mand. The example setup exchanges ssh public keys between the local
host and the remote host specified on the command line. We perform a
quick test to see if we can use ssh in non-interactive mode. The test
was successful.
# csshsetup host09
If asked, enter password and/or add fingerprint for root@host09.company.com
The authenticity of host 'host09.company.com (01.234.5.66)' can't be established.
RSA key fingerprint is 54:96:5e:a9:e1:de:3c:46:e9:ba:9b:08:e3:c9:e9:88.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'host09.company.com,01.234.5.66' (RSA) to the list
of known hosts.
Password: enter password for the user here
#
# ssh host09 hostname
host09
#
FILES
The following files are modified or created when you use the RSA key-
type option:
$HOME/.ssh/authorized_keys2
Contains the names of the host RSA public keys that can
authenticate to this account.
$HOME/.ssh2/id_rsa
Contains the default RSA private key for the user.
$HOME/.ssh2/id_rsa.pub
Contains the default RSA public key for the user.
The following files are modified or created when you use the DSA
key-type option:
$HOME/.ssh/authorized_keys
Contains the names of the host DSA public keys that can
authenticate to this account.
$HOME/.ssh2/id_dsa
Contains the default DSA private key for the user.
$HOME/.ssh2/id_dsa.pub
Contains the default DSA public key for the user.
SEE ALSO
ccp(1), cexec(1), clog(1m), clog_wizard(1m), csync_wizard(1m),
cwall(1M), cuptime(1), pdsh(1), pdcp(1)