ClusterControl requires passwordless SSH (key authentication) to deploy and manage the database cluster automatically. In some environments, mostly Ubuntu, sudo users have their home directory encrypted. In that case you will face the following scenarios:
- The first SSH login requires a password, even though you have copied the public key to the remote host's authorized_keys.
- If you open another SSH session while the first SSH session is still active, you can authenticate without a password and key authentication succeeds.
Explanation
Encrypted home directories aren’t decrypted until the login is successful, and your SSH keys are stored in your home directory. The first SSH connection you make therefore requires a password. The second and later connections no longer need a password, because the SSH service can now read authorized_keys (inside your home directory) in its decrypted state.
Workaround
Several workarounds for this issue have been discussed on the Internet. We recommend the following:
1. Before starting the deployment process, generate an RSA key on the controller host:
$ ssh-keygen -t rsa
2. Copy the public key to all nodes:
$ ssh-copy-id -i ~/.ssh/id_rsa root@<host ip address>
** Repeat this step, replacing <host ip address>, for every host (including the controller host).
3. Log in to the remote host via SSH. Create a new directory outside your encrypted home directory; authorized_keys will be placed inside it. The directory name must be the same as the SSH login name:
$ sudo mkdir /etc/ssh/ubuntu
Note: in this example the user name is 'ubuntu' and the home directory for this user is '/home/ubuntu'. Remember to change these to match what you use.
4. Copy authorized_keys into the new directory:
$ sudo cp /home/ubuntu/.ssh/authorized_keys /etc/ssh/ubuntu
5. Change the permissions and ownership:
$ sudo chown -Rf ubuntu:ubuntu /etc/ssh/ubuntu
$ sudo chmod 644 /etc/ssh/ubuntu/authorized_keys
6. Add the following line to the SSH daemon config file located at /etc/ssh/sshd_config:
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
7. Restart SSH:
$ sudo service ssh restart
** Repeat steps 3 to 7 on every host.
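The following check for the layout built in steps 3 to 7 is an added example, not part of the original article or of ClusterControl. It expands the AuthorizedKeysFile pattern for a user and applies the owner and mode rule that sshd's StrictModes enforces on the key file and its parent directories. The function names are hypothetical, and GNU stat (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: verify an out-of-home authorized_keys layout.
# All function names below are hypothetical helpers, not ClusterControl tools.

# Expand the %u (login name) and %h (home dir) tokens of AuthorizedKeysFile.
expand_akf() {  # usage: expand_akf PATTERN USER HOME
    printf '%s\n' "$1" | sed -e "s|%u|$2|g" -e "s|%h|$3|g"
}

# Return 0 if PATH is owned by USER or root and is not group/world writable.
safe_entry() {  # usage: safe_entry PATH USER
    meta=$(stat -c '%U %a' "$1" 2>/dev/null) || return 2
    owner=${meta% *}
    mode=${meta#* }
    [ "$owner" = "$2" ] || [ "$owner" = root ] || return 1
    # Reject the group-write (020) and other-write (002) bits.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
}

# Check FILE and each directory above it, up to and including TOP.
# With StrictModes on, sshd ignores a key file that fails this rule, and the
# login falls back to asking for a password. TOP defaults to /, because a
# key file outside the home directory has no nearer trusted boundary.
check_keyfile() {  # usage: check_keyfile FILE USER [TOP]
    p=$1
    top=${3:-/}
    [ -f "$p" ] || { echo "missing: $p"; return 1; }
    while :; do
        safe_entry "$p" "$2" || { echo "unsafe owner or mode: $p"; return 1; }
        if [ "$p" = "$top" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    echo "ok: $1"
}

# Usage on a host configured as in steps 3 to 7 (user 'ubuntu' as in the article):
#   check_keyfile "$(expand_akf '/etc/ssh/%u/authorized_keys' ubuntu /home/ubuntu)" ubuntu
# Running 'sudo sshd -t' before restarting SSH validates the edited sshd_config.
```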
You can now start the ClusterControl deployment process. A detailed explanation is available on the Ubuntu page: https://help.ubuntu.com/community/SSH/OpenSSH/Keys
Comments
It's unfortunate that you left out how to get the SSH login to automatically mount your home dir.
Derek Broughton (2 years later. :D): After doing all the steps above, one would log in and add the following to ~/.profile