Tuesday, November 29, 2011

SSH Login Without Password Using ssh-keygen & ssh-copy-id


You can log in to a remote Linux server without entering a password in 3 simple steps using ssh-keygen and ssh-copy-id, as explained in this article.

ssh-keygen creates the public and private keys. ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also assigns proper permission to the remote-host’s home, ~/.ssh, and ~/.ssh/authorized_keys.

This article also explains 3 minor annoyances of using ssh-copy-id and how to use ssh-copy-id along with ssh-agent.

Step 1: Create public and private keys using ssh-keygen on local-host

jsmith@local-host$ [Note: You are on local-host here]

jsmith@local-host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Press enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 jsmith@local-host

Step 2: Copy the public key to remote-host using ssh-copy-id

jsmith@local-host$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Note: ssh-copy-id appends the keys to the remote-host's .ssh/authorized_keys.

Step 3: Login to remote-host without entering the password

jsmith@local-host$ ssh remote-host
Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2
[Note: SSH did not ask for password.]

jsmith@remote-host$ [Note: You are on remote-host here]

The above 3 simple steps should get the job done in most cases.

We also discussed earlier in detail how to perform SSH and SCP from OpenSSH to OpenSSH without entering a password.

If you are using SSH2, we discussed earlier how to perform SSH and SCP without a password from SSH2 to SSH2, from OpenSSH to SSH2 and from SSH2 to OpenSSH.

Using ssh-copy-id along with the ssh-add/ssh-agent

When no value is passed for the option -i and ~/.ssh/identity.pub is not available, ssh-copy-id will display the following error message.
jsmith@local-host$ ssh-copy-id -i remote-host
/usr/bin/ssh-copy-id: ERROR: No identities found

If you have loaded keys into the ssh-agent using ssh-add, then ssh-copy-id will get the keys from the ssh-agent to copy to the remote-host. That is, when you don't pass option -i to ssh-copy-id, it copies the keys listed by the ssh-add -L command to the remote-host.
jsmith@local-host$ ssh-agent $SHELL

jsmith@local-host$ ssh-add -L
The agent has no identities.

jsmith@local-host$ ssh-add
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)

jsmith@local-host$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsJIEILxftj8aSxMa3d8t6JvM79DyBV
aHrtPhTYpq7kIEMUNzApnyxsHpH1tQ/Ow== /home/jsmith/.ssh/id_rsa

jsmith@local-host$ ssh-copy-id -i remote-host
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
[Note: This has added the key displayed by ssh-add -L]

Three Minor Annoyances of ssh-copy-id

Following are a few minor annoyances of ssh-copy-id.
  1. Default public key: ssh-copy-id uses ~/.ssh/identity.pub as the default public key file (i.e. when no value is passed to option -i). Instead, I wish it used id_dsa.pub, id_rsa.pub or identity.pub as default keys, i.e. if any one of them exists, it should copy that to the remote-host. If two or three of them exist, it should copy identity.pub by default.
  2. The agent has no identities: When the ssh-agent is running and ssh-add -L returns "The agent has no identities" (i.e. no keys have been added to the ssh-agent), ssh-copy-id will still copy the message "The agent has no identities" into the remote-host's authorized_keys as an entry.
  3. Duplicate entry in authorized_keys: I wish ssh-copy-id checked for duplicate entries in the remote-host's authorized_keys. If you execute ssh-copy-id multiple times on the local-host, it will keep appending the same key to the remote-host's authorized_keys file without checking for duplicates. Even with duplicate entries everything works as expected, but I would like to keep my authorized_keys file clutter free.
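The shell function below is an added example, not code from this article and not OpenSSH's own ssh-copy-id script. It does the remote-side work ssh-copy-id performs, on a directory you pass in, and adds the two checks wished for in annoyances 2 and 3: a line that is not a public key (such as "The agent has no identities") is refused, and a key that is already present is not appended again. It also sets the permissions the article says ssh-copy-id assigns to the home directory, ~/.ssh and ~/.ssh/authorized_keys. The key material in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenSSH: a local stand-in
# for the remote-side work ssh-copy-id does, with the two checks the article
# wishes for. It refuses lines that are not public keys (annoyance 2, where
# "The agent has no identities" ends up in authorized_keys) and skips keys
# that are already present (annoyance 3). It also sets the permissions the
# article says ssh-copy-id assigns to ~, ~/.ssh and ~/.ssh/authorized_keys.
#
# Usage: install_pubkey <home_dir> "<public key line>"
# Exit status: 0 appended, 2 already present, 1 not a public key.

install_pubkey() {
    home_dir=$1
    key=$2

    # An OpenSSH public-key line starts with a key type, then the base64 blob.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ssh-dss "*|"ecdsa-sha2-nistp"*) ;;
        *) echo "refusing to install a line that is not a public key: $key" >&2
           return 1 ;;
    esac

    auth="$home_dir/.ssh/authorized_keys"
    mkdir -p "$home_dir/.ssh"
    touch "$auth"
    # sshd (StrictModes, the default) ignores authorized_keys when the home
    # directory, .ssh or the file itself is writable by group or others.
    chmod go-w "$home_dir"
    chmod 700 "$home_dir/.ssh"
    chmod 600 "$auth"

    # Duplicate check on key type and key material only: the trailing comment
    # is free text, so the same key with another comment is still the same key.
    keytype=$(printf '%s\n' "$key" | awk '{ print $1 }')
    keydata=$(printf '%s\n' "$key" | awk '{ print $2 }')
    if awk -v t="$keytype" -v d="$keydata" \
           '$1 == t && $2 == d { found = 1 } END { exit !found }' "$auth"; then
        echo "key already present in $auth, not appending" >&2
        return 2
    fi

    printf '%s\n' "$key" >> "$auth"
    return 0
}

# Number of lines in a home directory's authorized_keys (0 if absent).
count_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Example (constructed key, not a real one):
# install_pubkey /home/jsmith "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedexample== jsmith@local-host"
```

Run it on the remote-host against the target user's home directory; a second run with the same key returns 2 and leaves authorized_keys unchanged, which is the behaviour annoyance 3 asks for.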

Friday, November 18, 2011

Repair corrupt RPM database in linux

Sometimes the RPM database becomes corrupt. You will no longer be able to install, upgrade or remove packages using the yum or rpm commands; even an RPM query simply hangs.
This is when you need to repair the RPM database. To repair it, do the following:

cp -rp /var/lib/rpm{,`date +%F`.bk}

This command takes a backup of the /var/lib/rpm directory (the brace expansion copies it to /var/lib/rpm followed by today's date and .bk).

rm -f /var/lib/rpm/__db*

This command clears the RPM database. Then enter the following command:

rpm -vv --rebuilddb

This command rebuilds the database in verbose mode so that you can see the process. Now your RPM database is repaired.
You can run the following command to confirm this:

rpm -qa
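The function below is an added example, not from the original post: it runs the same three steps in order, takes the backup under a date-stamped name and verifies that the backup exists before anything is deleted. The database directory is a parameter so the backup and clear steps can be exercised on a scratch copy; the rebuild is only attempted on the real /var/lib/rpm, which needs root.

```shell
#!/bin/sh
# Added example, not from the original post: the three commands above as one
# function, with the backup taken under a date-stamped name and verified
# before anything is deleted, and the rebuild run last. The database
# directory is a parameter so the backup/clear steps can be exercised on a
# scratch copy; the real directory is /var/lib/rpm and needs root.
#
# Usage: repair_rpmdb [/var/lib/rpm]
# Prints the backup directory path; returns non-zero if any step fails.

repair_rpmdb() {
    rpmdir=${1:-/var/lib/rpm}
    backup="${rpmdir}$(date +%F).bk"

    [ -d "$rpmdir" ] || { echo "no such directory: $rpmdir" >&2; return 1; }

    # Step 1: full copy (preserving ownership and times) before touching anything.
    cp -rp "$rpmdir" "$backup" || return 1
    [ -d "$backup" ] || { echo "backup missing: $backup" >&2; return 1; }

    # Step 2: drop only the Berkeley DB environment files (__db.001 ...);
    # the Packages file and the other indexes stay in place.
    rm -f "$rpmdir"/__db*

    # Step 3: rebuild the indexes. Only done on the real database directory;
    # on a scratch copy the command is reported instead of run.
    if [ "$rpmdir" = /var/lib/rpm ]; then
        rpm -vv --rebuilddb || return 1
    else
        echo "scratch directory: skipping 'rpm -vv --rebuilddb'" >&2
    fi

    echo "$backup"
}

# After repair_rpmdb on the real directory, "rpm -qa" should list packages
# again instead of hanging.
```

The backup is kept rather than removed at the end; if the rebuild fails, the copy can be put back in place of /var/lib/rpm.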


Thursday, November 17, 2011

Understanding VMSTAT Output - Explained on Linux

vmstat is a nice tool to analyze Linux / UNIX server performance.

procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0 1183588 1361312 234324 451696    0    0     2    17    0    2     0  0 100  0  0
 0  0 1183588 1361064 234324 451700    0    0     0     8 1014  449  0  0 99  0  0
 0  0 1183588 1361064 234324 451704    0    0     0     8 1012  457  0  0 100  0  0
 0  0 1183588 1361064 234336 451700    0    0     0    62 1016  463  0  0 100  0  0
 0  0 1183588 1361064 234344 451704    0    0     0    16 1014  499  0  0 100  0  0

 
Procs:
-------
r: How many processes are waiting for CPU time.
b: Wait queue - processes that are waiting for I/O (disk, network, user input, etc.)


Memory:
-----------
swpd: How many blocks are swapped out to disk (paged), i.e. total virtual memory usage.

Note: you can see the swap area configured on the server using "cat /proc/swaps"

free: Idle memory
buff: Memory used as buffers, e.g. before/after I/O operations
cache: Memory used as cache by the operating system


Swap:
---------
si: How many blocks per second the operating system is swapping in, i.e. memory swapped in from the disk (read from the swap area into memory)
so: How many blocks per second the operating system is swapping out, i.e. memory swapped to the disk (written to the swap area and cleared from memory)

Ideally, we want to see si and so at 0 most of the time, and we definitely don't want to see more than 10 blocks per second.


IO: 
------
bi: Blocks received from a block device - reads (e.g. from a hard disk)
bo: Blocks sent to a block device - writes


System: 
-------------
in: The number of interrupts per second, including the clock. 
cs: The number of context switches per second. 


CPU: 
--------
us: percentage of CPU time used for running non-kernel code (user time, including nice time)
sy: percentage of CPU time used for running kernel code (system time - network, IO interrupts, etc.)
id: CPU idle time in percent.
wa: percentage of CPU time spent waiting for IO.




If you monitor this data regularly, you can understand how your server is doing during peak usage times.


Note: the memory, swap, and I/O statistics are in blocks, not in bytes. In Linux, blocks are usually 1,024 bytes (1 KB).
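The function below is an added example, not from the original post. It reads saved vmstat output (as pasted, header lines included) and reports the samples that break the rule of thumb given above for si and so (more than 10 blocks per second). The wa threshold of 20 % is an assumption of this example, not a figure from the post, and the sample rows are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: feed saved "vmstat 1" output to
# flag_vmstat and it reports the samples that break the rule of thumb above
# (si or so above 10 blocks/s). The wa threshold is an assumption of this
# example (20 %), not a figure from the post. Header rows are skipped, so the
# output can be pasted as is. Keep in mind that vmstat's first data row is an
# average since boot, not a one-second sample.
#
# Usage: flag_vmstat [swap_max_blocks] [wa_max_percent]  < vmstat-output

flag_vmstat() {
    awk -v swap_max="${1:-10}" -v wa_max="${2:-20}" '
        # only data rows: first field numeric and at least the columns up to wa
        $1 !~ /^[0-9]+$/ || NF < 16 { next }
        {
            n++
            si = $7; so = $8; wa = $16
            reasons = ""
            if (si > swap_max) reasons = reasons " si=" si
            if (so > swap_max) reasons = reasons " so=" so
            if (wa > wa_max)   reasons = reasons " wa=" wa "%"
            if (reasons != "") print "sample " n ":" reasons
        }'
}

# Constructed sample in the layout shown above (not captured from a real host):
# row 2 is swapping hard and row 4 is stalled on disk.
SAMPLE_VMSTAT='procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0 1183588 1361312 234324 451696    0    0     2    17    0    2  0  0 100  0  0
 1  2 1183588 1361064 234324 451700   40   30     0     8 1014  449  5  3  60 32  0
 0  0 1183588 1361064 234324 451704    0    0     0     8 1012  457  0  0 100  0  0
 0  1 1183588 1361064 234336 451700    0    0   500    62 1016  463  2  1  70 27  0'

# Number of flagged samples in the constructed data for the given thresholds.
count_flagged() {
    printf '%s\n' "$SAMPLE_VMSTAT" | flag_vmstat "$@" | wc -l | tr -d ' '
}

# printf '%s\n' "$SAMPLE_VMSTAT" | flag_vmstat
# → sample 2: si=40 so=30 wa=32%
# → sample 4: wa=27%
```

Column positions are taken from the header vmstat prints (si and so are the 7th and 8th fields, wa the 16th), which is why the function works on both older output without the st column and newer output with it.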

Extend a logical volume online in Linux

To extend a logical volume, expand the volume group first if necessary, and then use the following steps:

Either specify the final size of the logical volume:

lvextend --size <size> /dev/<vgname>/<lvname>

or specify how much to expand the logical volume:

lvextend --size +<additional_size> /dev/<vgname>/<lvname>

Instead of specifying the size or the amount of space to add in gigabytes, it is also possible to use -l <num_of_le> to give the number of logical extents.

After extending the logical volume, the filesystem on it must be expanded as well.

If it is an ext3 filesystem (default filesystem for Red Hat Enterprise Linux), it can be expanded while it is still mounted (also known as online).

To do so, execute the following as root:

resize2fs /dev/<vgname>/<lvname>
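The function below is an added example, not from the original post. It runs the two steps above in order, so the filesystem resize is not forgotten once the volume has grown, and rejects a malformed size argument before lvextend is called. DRY_RUN=1 is a convention of this example (not an lvm option) that prints the commands instead of running them; a real run needs root and a volume group with free extents.

```shell
#!/bin/sh
# Added example, not from the original post: the two steps above in one
# function, so the filesystem resize is not forgotten after the volume has
# grown, and so a malformed size argument is rejected before lvextend runs.
# DRY_RUN=1 (a convention of this example, not an lvm option) prints the
# commands instead of running them; a real run needs root and an existing
# volume group with free extents.
#
# Usage: extend_lv <vgname> <lvname> <size>
#   <size> is a final size such as 20G or an increment such as +5G; the
#   -l <num_of_le> form described above is not handled here.

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

extend_lv() {
    vg=$1; lv=$2; size=$3
    dev="/dev/$vg/$lv"

    [ -n "$vg" ] && [ -n "$lv" ] || {
        echo "usage: extend_lv <vgname> <lvname> <size>" >&2; return 1; }
    case "$size" in
        [0-9]*[GgMmTt]|+[0-9]*[GgMmTt]) ;;
        *) echo "size must look like 20G or +5G, got: '$size'" >&2; return 1 ;;
    esac

    # Step 1: grow the logical volume. If this fails (volume group full,
    # wrong name), stop here rather than resizing a filesystem that did not grow.
    run lvextend --size "$size" "$dev" || return 1
    # Step 2: grow the ext3 filesystem to fill the volume; safe while mounted.
    run resize2fs "$dev"
}

# DRY_RUN=1 extend_lv vg00 lv_data +5G
# → lvextend --size +5G /dev/vg00/lv_data
# → resize2fs /dev/vg00/lv_data
```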

Thursday, November 10, 2011

SSH Tunneling


SSH tunneling, also known as port forwarding, is a way of forwarding normally insecure TCP traffic through SSH. Common protocols such as POP3, SMTP, HTTP and FTP can easily be tunneled over SSH.
SSH tunneling is also sometimes used to bypass firewalls where certain ports are blocked.
The figure below represents the network setup at my workplace, where the only port available is the SSH port 22. By implementing port forwarding over SSH, I am able to forward Oracle traffic over port 22 to the Oracle database running on my private VM with host-only networking enabled.


[Figure: SSH Tunneling]
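The shell functions below are an added example, not from the original post, showing the local port forward the post describes: only port 22 reaches the SSH host, so the Oracle listener on the VM is exposed as a port on the local machine. The assumptions are the listener port 1521 (Oracle's default, not stated in the post), a VM reachable from the SSH host as oracle-vm, and a local bind to 127.0.0.1 so other machines on the office network cannot use the tunnel.

```shell
#!/bin/sh
# Added example, not from the original post: a local port forward of the kind
# the post describes. Only port 22 reaches the SSH host, so the Oracle
# listener on the VM is made reachable as a local port on this machine.
# Assumptions: the listener uses Oracle's default port 1521, the SSH host
# can reach the VM as "oracle-vm" on its host-only network, and the local
# side binds to 127.0.0.1 so other machines cannot use the tunnel.

# Validate a TCP port number (1-65535); returns non-zero otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L argument <bind>:<local_port>:<target_host>:<target_port>,
# bound to loopback. Prints it, or fails if a port is malformed.
forward_spec() {
    local_port=$1; target_host=$2; target_port=$3
    valid_port "$local_port" && valid_port "$target_port" || {
        echo "bad port in $local_port:$target_host:$target_port" >&2; return 1; }
    echo "127.0.0.1:$local_port:$target_host:$target_port"
}

# Open the tunnel in the background: -N runs no remote command, -f goes to
# the background after authentication. With the key set up in the first post
# above, this asks for no password.
open_tunnel() {
    spec=$(forward_spec "$1" "$2" "$3") || return 1
    ssh -f -N -L "$spec" "$4"
}

# open_tunnel 1521 oracle-vm 1521 jsmith@remote-host
# then point the Oracle client at 127.0.0.1:1521 instead of the VM.
```

The loopback bind matters: without it, "-L 1521:oracle-vm:1521" on some configurations listens on all interfaces, and anything that can reach the workstation can reach the database through the tunnel.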

Wednesday, November 9, 2011

sudo: sorry, you must have a tty to run sudo


It took me a while to find out why this backup script would not start. Finally, I found this error message: "sudo: sorry, you must have a tty to run sudo". The sudo call is required to execute "clustat" and find out which machine is the current master.

sudo is configured to execute "clustat" without a password and works fine on the command line - so what's wrong here?


The solution is easy: some distributions enable the setting "requiretty". This looks like:

Defaults requiretty

in visudo. After commenting out this setting (you must be root to do this), my cron job started without any trouble.
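The functions below are an added example, not from the original post. check_requiretty parses a sudoers file (pass a path; the real one is /etc/sudoers and is readable only by root) and reports whether "Defaults requiretty" is active, ignoring commented lines and negated entries. exemption_line prints the narrower alternative to commenting the default out: a per-user "Defaults:<user> !requiretty" line that lifts the tty requirement only for the account the cron job runs as. The sudoers contents used for illustration are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find out whether requiretty is
# what is blocking a cron job, and what to add instead of commenting the
# default out for everyone. check_requiretty parses a sudoers file (pass a
# path; the real one is /etc/sudoers, readable only by root) and reports
# whether "Defaults requiretty" is active, ignoring commented lines.
# The per-user exemption printed by exemption_line keeps the tty requirement
# for every other account.

# Prints "active" or "inactive"; returns 1 if the file cannot be read.
check_requiretty() {
    sudoers=$1
    [ -r "$sudoers" ] || { echo "cannot read $sudoers" >&2; return 1; }
    # Match "Defaults requiretty", or a Defaults line listing several options
    # that includes requiretty, but not "!requiretty", not per-user
    # "Defaults:user" lines and not comment lines.
    if grep -E '^[[:space:]]*Defaults[[:space:]]+([^#]*,[[:space:]]*)?requiretty([[:space:]]|,|$)' \
            "$sudoers" >/dev/null; then
        echo active
    else
        echo inactive
    fi
}

# The line to add with visudo for the one account the cron job runs as.
exemption_line() {
    echo "Defaults:$1 !requiretty"
}

# A cron job has no terminal, which is what sudo is complaining about:
has_tty() {
    tty -s
}

# check_requiretty /etc/sudoers        (as root)
# exemption_line backup
# → Defaults:backup !requiretty
```

Add the exemption with visudo, which checks the syntax before saving; a syntax error in /etc/sudoers locks everyone out of sudo.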