Setting up SSH Trust Between Two Servers
This howto describes setting up SSH trust between two servers so that the two servers share the same SSH keys and can log into each other. This makes life convenient when using two servers together as a team for various scenarios including:
- High Availability takeover
- Active-Active clustering
- Cross-server tasking
- Monitoring
This guide can also be used to establish one-way trust.
Key-based authentication
We will use key-based authentication to establish trust between our servers. It is vital that you protect the private key of the server. By sharing the same key between the servers, the servers not only trust each other but themselves. This is useful for scripted management tasks.
Creating the key-pair
If you already have a key pair on a server, use that pair or overwrite it. You will need a passwordless key-pair. If your current key-pair has a password, you will need to overwrite it for this howto to be useful. If you are happy with your current key-pair, skip this step. On the first server run the following to create a key pair:
ssh-keygen -t rsa
Press
Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 3a:54:d7:77:0b:c7:5b:cb:08:1d:f3:77:30:87:1c:88 [email protected] The key's randomart image is: +--[ RSA 2048]----+ | . =+o.| | E.o B+ | | . ...o.+=| | . . ..=.B| | . S . = | | . . | | o | | . | | | +-----------------+
This command creates a public and a private key pair in the /root/.ssh/ directory:
- id_rsa.pub
- id_rsa
Authorizing the server to trust itself
Now that we have a keypair, we can authorize the server to trust itself. This may seem odd but we can script commands that reference the server itself as well as the other server in the pair. Moreover, we can replicate this trust to the other server and this makes distribution of the trust simple. Run the following:
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
To validate this works, ssh to the local server using the hostname you specified in the /etc/hosts file:
ssh root@primary
After accepting the fingerprint, it should log you on without specifying a password.
Copying trust to the target server
This next step assumes that the trust is limited between the servers you are trusting. Take care using this step if you already have certificates and trust set up on your box. You may need to manually input the entries as the following take a sledgehammer approach for convenience.
We will send all of these files to the other server and for this well will have to supply the password, but just this time. Copy the files to the other server by running the following:
scp -r /root/.ssh* backup:/root/
Your output will look similar to this:
root@backup's password: authorized_keys 100% 406 0.4KB/s 00:00 known_hosts 100% 805 0.8KB/s 00:00 id_rsa.pub 100% 406 0.4KB/s 00:00 id_rsa 100% 1675 1.6KB/s 00:00
Now test out connecting via SSH to each other server. For example:
ssh backup
Then:
ssh primary
Finishing up
Both servers should be able to log into one another and also they can issue commands. For example:
hostname && ssh backup hostname
would give the result:
[root@server1 ~]# hostname && ssh backup hostname server1.example.com server2.example.com
This is useful for scripting because you can use one server to execute commands on the other server and you can copy and sync files between the servers securely using certificated authentication.