2.4.2010

password-less ssh for scripting

Filed under: Linux — nax @ 13:10

Task: add a local user to about 1000 machines.

Pre-requisits: there are private/public key authentication setup already.

The trick was to prevent ssh to ask a password in any circumstances.

First I prepared a very simple script:

#!/bin/sh
getent passwd user > /dev/null
USERCHECK=$?
getent passwd 6211 > /dev/null
IDCHECK=$?

if [ $USERCHECK -eq 2 ] && [ $IDCHECK -eq 2 ]; then
   echo 'user::6211:10:Test Account:/usr/local/home/user:/bin/sh' \
         >> /etc/passwd
   echo 'user:dkadDSKJhfakj38LDJ:6211::::::' \
         >> /etc/shadow
   mkdir -p /usr/local/home/user/.ssh
   echo 'ssh-dss (some public key here) user@host' \
         >> /usr/local/home/user/.ssh/authorized_keys
   chown -R user /usr/local/home/user
   grep '[^#]PubkeyAuthentication no' /etc/ssh/sshd_config \
         2>&1 > /dev/null
   if [ $? != 0 ] ; then
	echo PubkeyAuthentication might be disallowed on this system! 
        echo Please check it manually in /etc/ssh/sshd_config
   fi
fi

The reason I create home in /usr/local/home and not in /home is, that some machines can have /home filesystem auto-mounted by NFS.

And now the difficult part. How to avoid machines asking for a password?

One approach would be to use either expect language (see my previous post about scripting in expect) or to use dedicated tool like sshpass.

But I tough there must be some more simple way to do that. And I found the solution. Key is to use ssh option “BatchMode=yes”.

The script then looks like this:

#!/bin/bash
for IP in `cat ips.list`
do 
        scp -o StrictHostKeyChecking=no \
             -o BatchMode=yes \
             add_user.sh root@$IP: 
        if [ $? == 0 ] ; then
                ssh -o StrictHostKeyChecking=no \
                     -o BatchMode=yes \
                     root@$IP 'sh ./add_user.sh' 
        fi
done

Comments are closed.

Powered by WordPress