Difference between revisions of "Configure SSH connection between servers"

From Kolmisoft Wiki
 
(14 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Manual configuration:
Manual configuration:


On GUI server:
On the GUI server:


  ifconfig <and mark IP of GUI server>
  # Make an SSH key set special for Passenger Apache
mkdir -p /var/www/.ssh/


  rm /var/www/.ssh/id_rsa
  # Generate an RSA key with NO passcode
  rm /var/www/.ssh/id_rsa.pub
  ssh-keygen -f /var/www/.ssh/id_rsa -q -t rsa -N ""
su apache
ssh-keygen -t rsa
<Press ENTER 3 times>
exit
chmod 700 /var/www/.ssh
cp /var/www/.ssh/id_rsa.pub /var/www/html


# Make Apache the owner of the keys
chown -R apache:apache /var/www/.ssh/


On APP (Remote) server:
# Share the public key with the servers
cat /var/www/.ssh/id_rsa.pub | ssh USER@SERVER_IP 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod -R 700 ~/.ssh'
# Repeat this step for all the remote servers you want your GUI to connect to (change USER and SERVER_IP correspondingly, USER=root for GUI->FS connection)


# move old pub file (backup)
cd /root
mv id_rsa.pub id_rsa.pb.old
#  download pub key from GUI server
wget http://<GUI_SERVER_IP>/id_rsa.pub
 
mkdir /root/.ssh
touch /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh
# include pub key into authorize_keys file
cat /root/id_rsa.pub >> /root/.ssh/authorized_keys
rm -rf /root/id_rsa.pub
ifconfig <and mark IP of APP server>


If you are using Centos 7, add these additional commands:
  cp -a /var/www/.ssh/ /usr/share/httpd/
  echo "StrictHostKeyChecking no" >> /usr/share/httpd/.ssh/config


On GUI server:


su apache
 
ssh -o StrictHostKeyChecking=no root@<IP of APP server> -f "exit"
If keys are configured, but GUI still cannot connect, check gui debug log, if it shows similar error like this:
  # should see: Warning: Permanently added '<IP of APP server>' (RSA) to the list of known hosts.
  Retrieve PCAP error: fingerprint 32:0f:3e:0e:3e:5f:04:be:a9:09:e3:82:28:44:89:64 does not match for "1.2.3.4"
 
#test
you need to remove 1.2.3.4 from /var/www/.ssh/known_hosts and/or /usr/share/httpd/.ssh/known_hosts
ssh root@<IP of APP server>
 
ifconfig
If you are using different user to connect to server(not root), you might need to change it in Billing - Servers
#should see that you are on APP server
# log out
exit
rm -fr /var/www/html/id_rsa.pub
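Review bot: the new revision's `echo "StrictHostKeyChecking no" >> /usr/share/httpd/.ssh/config` turns off host key verification for every connection that uses that config file, while the troubleshooting text added in the same change describes a fingerprint mismatch, which is the condition that verification exists to catch. Consider recording each remote server's host key in known_hosts once, after checking its fingerprint, instead of disabling the check. Separately, the key-sharing one-liner ends with `chmod -R 700 ~/.ssh`, which also marks authorized_keys executable; the removed revision used 600 for the file and 700 for the directory, and that split is worth keeping.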

Latest revision as of 20:13, 2 March 2023

Manual configuration:

On the GUI server:

 # Create an SSH key pair dedicated to Passenger/Apache
 mkdir -p /var/www/.ssh/
 # Generate an RSA key with NO passphrase
 ssh-keygen -f /var/www/.ssh/id_rsa -q -t rsa -N ""
 # Make Apache the owner of the keys
 chown -R apache:apache /var/www/.ssh/
 # Share the public key with the servers
 cat /var/www/.ssh/id_rsa.pub | ssh USER@SERVER_IP 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod -R 700 ~/.ssh'
 # Repeat this step for every remote server the GUI should connect to (change USER and SERVER_IP accordingly; USER=root for the GUI->FS connection)


If you are using CentOS 7, also run these additional commands:

 cp -a /var/www/.ssh/ /usr/share/httpd/
 echo "StrictHostKeyChecking no" >> /usr/share/httpd/.ssh/config


If the keys are configured but the GUI still cannot connect, check the GUI debug log. If it shows an error similar to this:

 Retrieve PCAP error: fingerprint 32:0f:3e:0e:3e:5f:04:be:a9:09:e3:82:28:44:89:64 does not match for "1.2.3.4"

then the host key recorded for that address no longer matches the one the server presents. Remove 1.2.3.4 from /var/www/.ssh/known_hosts and/or /usr/share/httpd/.ssh/known_hosts.
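The known_hosts cleanup described above can be done with ssh-keygen instead of editing the files by hand. This is an added example, not part of the wiki page; the `forget_host` function and the `KNOWN_HOSTS_FILES` override are illustrative names, and it assumes OpenSSH's `ssh-keygen` is installed.

```shell
#!/bin/sh
# Added example (not from the wiki page): remove the recorded host key for one
# server from the known_hosts files this page names.
# Assumption: KNOWN_HOSTS_FILES is an illustrative override, used for testing.
KNOWN_HOSTS_FILES="${KNOWN_HOSTS_FILES:-/var/www/.ssh/known_hosts /usr/share/httpd/.ssh/known_hosts}"

# forget_host HOST
# Returns 0 if an entry for HOST was removed from at least one file,
# 1 if no file had an entry, 2 if a file could not be rewritten.
forget_host() {
    host=$1
    removed=1
    for f in $KNOWN_HOSTS_FILES; do
        [ -f "$f" ] || continue
        # -F exits non-zero when HOST has no entry; it also matches hashed entries.
        if ssh-keygen -F "$host" -f "$f" >/dev/null 2>&1; then
            echo "$f: recorded key(s) for $host:"
            # -E md5 prints the colon-separated format seen in the GUI error,
            # so the recorded value can be compared with the logged one.
            ssh-keygen -l -E md5 -F "$host" -f "$f" 2>/dev/null | sed '/^#/d'
            # -R rewrites the file without HOST and keeps the original as FILE.old.
            ssh-keygen -R "$host" -f "$f" >/dev/null 2>&1 || return 2
            removed=0
        fi
    done
    return "$removed"
}

# Usage on the GUI server, with the address from the error message:
#   forget_host 1.2.3.4
```

Run it as the user that owns the files (apache on this page), because `ssh-keygen -R` writes a replacement file owned by whoever runs it. Confirm that the server's key change is expected, for example after a reinstall or an address reassignment, before removing the entry.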

If you connect to the server as a different user (not root), you might need to change the user in Billing - Servers.