2. Home
  4. Docs
  6. Knowledgebase and Tutorials
  8. Security

Security

Passwordless SSH in Encrypted Home Directory

ClusterControl required passwordless SSH (key authentication) to deploy and manage the database cluster automatically. In some environments, mostly Ubuntu, sudo users have their home directory encrypted. When you are having this, you will face the following scenarios:

  • First SSH login will require a password, even though you have copied the public key to the remote host authorized_keys
  • If you run another SSH session, while the first SSH session still active, you will able to authenticate without a password and the key authentication is successful.

Explanation

Encrypted home directories aren’t decrypted until the login is successful, and your SSH keys are stored in your home directory. The first SSH connection you make will require a password. While the second and afterward connections will no longer need passwords since the SSH service is able to read the authorized_key (inside your homedir) in a decrypted environment.

Workaround

There are several workarounds to overcome this issue which have been discussed on the Internet. As for us, we are recommending this way:

1. Before starting the deployment process, generate an RSA key in the Controller host:

$ ssh-keygen -t rsa

2. Copy the public key to all nodes:

$ ssh-copy-id -i ~/.ssh/id_rsa root@<host ip address>

** Repeat the step by replacing <host IP address> for every host, including controller host)

 

3. Login to a remote host via SSH. Create a new directory outside your encrypted homedir. We will put the authorized_keys inside this directory. The directory name must be the same name as the SSH login:

$ mkdir /etc/ssh/ubuntu

Note: here, in this example, we use user name ‘ubuntu’, and the home dir for this user is ‘/home/ubuntu‘, but remember to change this to what you use.

4. Copy authorized_keys into the new directory:

$ sudo cp /home/ubuntu/.ssh/authorized_keys /etc/ssh/ubuntu

5. Change the permission and ownership:

$ sudo chown -Rf ubuntu.ubuntu /etc/ssh/ubuntu
$ sudo chmod 644 /etc/ssh/ubuntu/authorized_keys

6. Add the following line into the SSH config file located at /etc/ssh/sshd_config:

AuthorizedKeysFile /etc/ssh/%u/authorized_keys

7. Restart SSH:

$ sudo service ssh restart

** Repeat steps 3 to 7 on every host.

 

You can now start the deployment process of ClusterControl. Details explanation can be referred at Ubuntu page: https://help.ubuntu.com/community/SSH/OpenSSH/Keys

Was this article helpful to you? Yes No