SSH for multiple server management

From Newroco Tech Docs
Revision as of 08:26, 17 July 2017 by Chris.puttick (talk | contribs)

Introduction

Using key authentication on SSH (instead of passwords) is a great way to improve the security of your servers. With some additional configuration changes it also becomes a great way to make managing multiple servers much more convenient.

Prerequisite

  • that you have already created an SSH key pair, or already have one that you use with your own servers and with your clients' servers.

The first step to making SSH key authentication facilitate multiple server management is to enable agent forwarding. Agent forwarding allows you to connect to your servers via other servers. Imagine you are tracking an issue with a modular system. You SSH to the server you think is most likely to be the cause of the issue, and having checked a few things there, want to tweak settings on one or two related servers to check on other possible contributing factors. You can exit the first server, ssh to the next, then reconnect to the first, or launch a new console and end up juggling lots of consoles. Or you can use agent forwarding.

Agent forwarding allows you to SSH onward from a server you are already connected to, to any other server, without the high-risk approach of copying your private key onto your servers (don't do this...). With forwarding enabled, the ssh client on the first server passes the authentication challenge from the next server back through your existing connection to the ssh-agent on your PC, which signs it with your private key; the key itself never leaves your machine. This lets you hop between servers without effort. It is particularly useful in firewall scenarios where there is a single "gateway" SSH service which you have to connect to before connecting to the servers inside the firewall.

One caveat before enabling it everywhere: while you are connected, anyone with root on the intermediate server can use the forwarded agent socket to authenticate as you to any other server that accepts your key (they cannot read the key, but they can sign with it for as long as your session lasts). So only forward to servers you trust, prefer a Host entry naming those servers over a blanket "Host *", and consider loading your key with "ssh-add -c" so the agent asks for confirmation on every use. For the single-gateway case, OpenSSH 7.3 and later can reach the inside servers through the gateway with ProxyJump ("ssh -J") without forwarding the agent at all.

To enable Agent forwarding in Linux (Unix/Mac OSX should be similar) edit your user's SSH config:

$ vi ~/.ssh/config 

(other text editors are available)

where ~ is a bash shortcut for “my home folder”.

Add the following lines (a "Host *" entry applies to every server you connect to; replace the * with a host name or pattern if you want forwarding only to the servers you trust):

Host *
ForwardAgent yes

Then run ssh-add on a console before using SSH to connect to your servers, so that your key is loaded into the agent. ssh-add loads the default key files from ~/.ssh and prompts for the passphrase; it needs a running ssh-agent, which most desktop sessions start for you:

$ ssh-add
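As an added example (not part of the original page), the script below writes the scoped form of the forwarding configuration to a file of your choosing and provides a small audit function that lists the Host patterns under which ForwardAgent is enabled, failing when a wildcard pattern such as "Host *" turns it on. The host name "gateway", the address gw.example.com and the user name are placeholders; the config it writes is constructed for illustration, not taken from the page.

```shell
#!/bin/sh
# Added example: scope agent forwarding to the gateway you actually hop
# through, and audit an ssh_config file for over-broad ForwardAgent settings.
# All host names, addresses and user names below are placeholders.

# Write a constructed ~/.ssh/config-style file to the path given as $1.
write_scoped_config() {
    cat > "$1" <<'EOF'
# Forward the agent only to the gateway we hop through.
Host gateway
    HostName gw.example.com
    User admin
    ForwardAgent yes

# Everything else: no forwarding (this is also the OpenSSH default).
Host *
    ForwardAgent no
EOF
}

# Print the Host pattern(s) under which "ForwardAgent yes" appears in $1.
# ssh_config is first-match-wins per keyword, so a "yes" under a wildcard
# pattern applies to every host not matched by an earlier Host block.
forwarding_hosts() {
    awk '
        BEGIN { host = "(global)" }
        tolower($1) == "host" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    ' "$1"
}

# Succeed (exit 0) if forwarding is only enabled for named hosts;
# fail (exit 1) if any pattern containing * or ? enables it.
audit_forwarding() {
    forwarding_hosts "$1" | grep -q '[*?]' && return 1
    return 0
}

# Usage: sh scoped_forwarding.sh ~/.ssh/config
if [ -n "${1:-}" ]; then
    if audit_forwarding "$1"; then
        echo "ok: ForwardAgent yes only under:"
        forwarding_hosts "$1"
    else
        echo "WARNING: ForwardAgent yes under a wildcard Host pattern in $1"
    fi
fi
```

Run it against your own ~/.ssh/config to see which Host blocks forward the agent; the "Host *" / "ForwardAgent yes" pair from the page will be reported as a wildcard.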

In Windows (PuTTY):

To enable agent forwarding in PuTTY (the open source SSH client widely used by server administrators who have to run Windows on their PC) you need Pageant, the SSH agent that ships as part of the PuTTY suite. You can download and install Pageant (and PuTTY!) from

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Having installed Pageant somewhere suitable and added a shortcut somewhere convenient, launch PuTTY, open up your SSH server profile and expand the SSH menu item. Go to the Auth sub menu and, under "Authentication parameters", make sure "Allow agent forwarding" is ticked. (The neighbouring "Allow attempted changes of username in SSH-2" option is unrelated to forwarding; it only lets the server ask PuTTY to retry with a different login name.) Click on the browse button to select the file that contains your private key. Save your changes. Note that while those options are available in PuTTY without Pageant installed and running, they won't have any effect.

Launch Pageant and you'll notice a PC-with-a-hat icon in your tray bar. Right click it to see the contextual menu. Use "Add key" to add your private key in .ppk format. You'll be asked to provide the passphrase for that key. After you add the key, when you connect to a machine that asks for that key, you don't need to type the passphrase again and agent forwarding will work.

Another (Linux/Unix) trick you can use to ease the demands of managing many servers is to preset the login name for any given server you need to connect to, and then create a nickname for that host so that you can just

$ ssh myhostnickname

and have the connection made.

To do this you need to edit your user's ssh config again:

$ vi ~/.ssh/config 

and add lines like the following for every host you want to access easily:

Host myhostnickname
User mysshusername

then open your hosts file:

$ sudo vi /etc/hosts 

and add matching entries e.g.

host.ip.add.ress myhostnickname 

Alternatively, a HostName line in the same ~/.ssh/config entry maps the nickname to the real host name or address, which keeps everything in one file and needs no sudo; the /etc/hosts route has the advantage that other tools (ping, scp, browsers) can use the nickname too.

If you have multiple projects on the go and so end up with 5 or 6 groups of servers you need to access, it's useful to create some order in your nicknames. I find prepending the project name to the server name (as used by that server internally) or to the service it provides helps a lot. You end up with groups of server nicknames that all start with the project name, and with the bash-completion package installed you get auto-complete on those names (it completes ssh host names from /etc/hosts, ~/.ssh/known_hosts and the Host entries in ~/.ssh/config). So then you can type

$ ssh project1-

Hit Tab twice and get

$ ssh project1-
project1-dbcore project1-dbshard project1-auth project1-mainenduserui

type the "m", press Tab and then tap Enter and be connected to project1-mainenduserui without having to remember or type its full nickname.
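As an added example (not part of the original page), the script below builds the project1 nicknames from the paragraph above entirely in a ~/.ssh/config-style file, using HostName instead of /etc/hosts entries and ProxyJump through the project's gateway so that the inside servers are reachable without forwarding the agent. It also provides a function that lists the concrete nicknames (optionally matching a prefix), which is the same list bash completion offers after "ssh project1-". The gateway name, addresses and user names are placeholders, and the written config is constructed for illustration.

```shell
#!/bin/sh
# Added example: project-prefixed nicknames kept in ssh_config, with the
# inside hosts reached through the gateway via ProxyJump (OpenSSH 7.3+).
# Addresses, host names and user names are placeholders.

# Write a constructed ~/.ssh/config-style file to the path given as $1.
write_nickname_config() {
    cat > "$1" <<'EOF'
# Gateway: the only project1 host the firewall lets us reach directly.
Host project1-gateway
    HostName gw.project1.example.com
    User admin

# Inside hosts: nickname -> address. User and the hop come from the
# pattern block below (ssh_config takes the first value seen per keyword).
Host project1-dbcore
    HostName 10.20.0.11
Host project1-dbshard
    HostName 10.20.0.12
Host project1-auth
    HostName 10.20.0.20
Host project1-mainenduserui
    HostName 10.20.0.30

# Every project1 host except the gateway itself: log in as deploy and
# open the connection through the gateway. The inside connection is
# authenticated end-to-end from the local agent; nothing is forwarded.
Host project1-* !project1-gateway
    User deploy
    ProxyJump project1-gateway

Host project2-*
    User ops
EOF
}

# List concrete nicknames in $1 (patterns with * ? or ! are skipped),
# limited to those starting with the optional prefix $2.
list_nicknames() {
    awk -v prefix="${2:-}" '
        tolower($1) == "host" {
            for (i = 2; i <= NF; i++)
                if ($i !~ /[*?!]/ && substr($i, 1, length(prefix)) == prefix)
                    print $i
        }
    ' "$1"
}

# Usage: sh nicknames.sh ~/.ssh/config [prefix]
if [ -n "${1:-}" ]; then
    list_nicknames "$1" "${2:-}"
fi
```

With this config in place, "ssh project1-mainenduserui" logs in as deploy on 10.20.0.30 via the gateway. Note that ProxyJump relies on the gateway's sshd permitting TCP forwarding (AllowTcpForwarding, on by default), and that the nickname list shown by "list_nicknames config project1-" is what bash completion produces for "ssh project1-" followed by Tab.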