Configuring Remote Authentication for the Installer

This page describes how to specify a password or private key that enables the Installer program to perform common operations on all nodes in the cluster.

Installer Authentication Methods

Some Installer operations, such as installing, upgrading, or verifying services, require the Installer to log in (authenticate) to every cluster node with root-user access (or sudoer access to root). The Installer lets you specify one of the following methods to log in:
  • SSH Password authentication
  • SSH Private key authentication

Using the SSH Password Login Method

The SSH Password login method is the default method. To use this method:
  1. In the Login Method field of the Configure Remote Authentication section, select SSH – Password as the login method.
  2. In the SSH Username field, specify root or a user with sudo privileges. The user must exist and have the same password on every node in the cluster.
  3. If you plan to perform the installation with an ssh ID of root, go to step 4. If you plan to perform the installation with an ssh ID other than root, follow the instructions in If You Specify a User Other Than root. Then continue to step 4.
  4. Enter the SSH Password for the ssh user, and re-enter the password to verify it.
  5. In the SSH Port field, specify a port number if your installation uses an ssh port other than the default port (22).
  6. Click Next to advance through the remaining Installer screens.

If You Specify a User Other Than root

Specifying a user other than root for remote authentication requires an extra step. This step must be performed before you advance through the remaining Installer screens.

On every node in the cluster, create a file named <your_login_ID> in the /etc/sudoers.d directory. It doesn't matter what the file is named as long as the file is unique in the directory. Typically, the file takes the name of your login ID. The file must contain the following entries:
<your_login_ID> ALL=(ALL) NOPASSWD: ALL
Defaults: <your_login_ID> !requiretty
This step is required only for an ssh ID other than root.
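
One way to create the drop-in file safely, as an added example that is not part of the original page: it checks the two entries with visudo before installing them with mode 0440, and derives the file name from the login ID because sudo skips files in /etc/sudoers.d whose names contain a '.' or end in '~'. The function names are hypothetical, and the script assumes Linux nodes and is run as root on each one.

```shell
#!/bin/sh
# Added example: create and validate the sudoers drop-in for a non-root
# Installer login. Function names are hypothetical, not part of the Installer.

# sudo ignores files in /etc/sudoers.d whose names contain '.' or end in '~',
# so a login ID such as "john.doe" must not be used verbatim as the file name.
dropin_name() {
    printf '%s\n' "$1" | tr '.~' '__'
}

# Emit the two entries the page requires for the login ID.
dropin_body() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
    printf 'Defaults: %s !requiretty\n' "$1"
}

# Write to a temp file, syntax-check it with visudo, then install it as
# root:root with mode 0440. A drop-in that fails the check is never installed.
install_dropin() {
    login_id=$1
    dest_dir=${2:-/etc/sudoers.d}
    tmp=$(mktemp) || return 1
    dropin_body "$login_id" > "$tmp"
    if ! visudo -c -f "$tmp" >/dev/null; then
        echo "syntax check failed; nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$dest_dir/$(dropin_name "$login_id")"
    rm -f "$tmp"
}

# Runs only when a login ID is passed: sh sudoers_dropin.sh <your_login_ID>
if [ "$#" -ge 1 ]; then
    install_dropin "$@"
fi
```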

Using the SSH Private Key Login Method

If you decide not to use the SSH Password method, you can use the SSH Private Key login method. The private key method is more secure because:
  • You do not need to provide a password to the Installer.
  • Authentication is performed using an encrypted private key.

The private key method requires certain configuration steps to be performed before you run the Installer.

Before using the Installer:
  1. If you already have an ssh key pair for the login user, go to step 3.
  2. If you don’t already have an ssh key pair for the login user, use any node to generate a key pair that can be distributed to all the other nodes. Use a utility such as ssh-keygen to create the ssh key pair. For example, while logged on as root or a user that has sudo access to root, run this command:
    ssh-keygen -t rsa -N "" -f ~/.ssh/<filename>
    The utility creates a private key named <filename> and a public key named <filename>.pub and stores the files in ~/.ssh, where ~ refers to the user’s home directory. Here is an example of the ssh-keygen command:
    ssh-keygen -t rsa -N "" -f ~/.ssh/mykey
    Generating public/private rsa key pair.
    Your identification has been saved in /home/user/.ssh/mykey
    Your public key has been saved in /home/user/.ssh/mykey.pub
    The key fingerprint is:
    SHA256:Sg+nEojf/3idE0pCdUATwzffAvOD8WKcD9BwaYIO2TE user@install_node
    The key's randomart image is:
    +---[RSA 3072]----+
    |     oE=B=..     |
    |    o o.=+@      |
    |     o . B @ .   |
    | . .  o   B * .  |
    |. . ..o S. + o   |
    | . . o.*. . .    |
    |  . o oo.o o     |
    |     o .o +      |
    |      oo.  .     |
    +----[SHA256]-----+
    user@install_node:~$ cd .ssh
    user@install_node:~/.ssh$ ls
    known_hosts  mykey  mykey.pub
  3. On the node where you created the key pair, check the permissions and ownership of both the public-key and private-key files. HPE recommends that the login user owns the private-key and public-key files. The private key should be readable and writable only by the login user and have a permission of 600. The public key should be readable and writable by the login user but also world-readable and have a permission of 644:
    cd ~/.ssh
    chmod 600 mykey
    chmod 644 mykey.pub
  4. Copy the public-key file (<filename>.pub) to every node in the cluster. As you copy the public-key file to each node, ensure that the file retains the same permissions and ownership described in step 3.
  5. Create and distribute the authorization file:
    1. On any node, create an authorization file named authorized_keys (unless the file already exists). The authorization file will contain the content of the public-key file. When you create the authorization file, make sure that the file has a permission of 600, and the login user owns the file.
    2. Append the public-key information to the authorization file by using a command such as the following:
      cat <filename>.pub >> ~/.ssh/authorized_keys
    3. Copy the authorization file to every node as ~/.ssh/authorized_keys, where ~ refers to the user's home directory. If a node already has an authorization file, do not overwrite it. Instead, repeat substep 2 of this step on that node to append the public-key information to the existing authorization file, or use the command described in the following note to append the information.
    NOTE
    With newer versions of OpenSSH, it is possible to combine steps 3, 4, and 5 into a single command that:
    • Uses ssh to securely copy the public key file.
    • Creates the ~/.ssh/authorized_keys file by default and appends the public key to that file.
    • Sets the default permission (chmod 600) on the ~/.ssh/authorized_keys file.
    For example:
    ssh-copy-id -i ~/.ssh/mykey.pub user@node1
    But this command has not been tested on all distributions.
  6. Copy the private key file to the workstation where you will use a browser to run the Installer. The file must be present on the workstation so that when you click the Browse button in the Installer Private Key field, you can browse to and select the file.
  7. If you plan to perform the installation with an ssh ID of root, go to step 8. If you plan to perform the installation with an ssh ID other than root, follow the instructions in If You Specify a User Other Than root. Then continue with step 8.
  8. Verify that you can use ssh and the key pair to access all the nodes without being asked for a password.
    1. For example, execute this command from the Installer node:
      ssh -i ~/.ssh/private_key <nodename>
      Running the command should enable you to log in to the node and display a prompt (without requiring a password) if these conditions are true:
      • The Installer node has the private and public key files in ~/.ssh.
      • The openssh-server package is installed and running on each cluster node.

      If you are prompted for a password, check the file permissions. If ssh access does not work for a node, the Installer will return an error when it tries to authenticate to the node.

    2. Also, when you check access to each node, make sure that you can successfully run a command that requires root access without being asked for a password. For example:
      ssh -t <nodename> "sudo ls /root"
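
The permission checks in steps 3 and 5 and the access test in step 8 can be scripted, as in this added example (not part of the original page). The function names and the file of node names are hypothetical; BatchMode and sudo -n make ssh and sudo fail instead of prompting, so a node that would ask for a password is reported as FAIL.

```shell
#!/bin/sh
# Added example: audit key-file modes (steps 3 and 5) and test non-interactive
# access (step 8). Function names and the nodes-file argument are hypothetical.

# Print the octal mode of a file; GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if FILE exists and has exactly the expected MODE.
check_mode() {
    [ -f "$1" ] || { echo "MISSING $1" >&2; return 1; }
    actual=$(file_mode "$1")
    [ "$actual" = "$2" ] || { echo "BAD MODE $1: $actual (want $2)" >&2; return 1; }
}

# Audit an .ssh directory: private key 600, public key 644,
# authorized_keys 600. Echoes the number of problems found.
audit_ssh_dir() {
    dir=$1; key=$2; problems=0
    check_mode "$dir/$key" 600            || problems=$((problems + 1))
    check_mode "$dir/$key.pub" 644        || problems=$((problems + 1))
    check_mode "$dir/authorized_keys" 600 || problems=$((problems + 1))
    echo "$problems"
}

# Key-only login plus passwordless sudo, with no prompt allowed on either.
check_node() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 -i "$1" "$2" 'sudo -n true'
}

# Usage: sh check_access.sh <private_key> <file with one node name per line>
if [ "$#" -eq 2 ]; then
    echo "permission problems: $(audit_ssh_dir "$(dirname "$1")" "$(basename "$1")")"
    while read -r node; do
        # </dev/null keeps ssh from consuming the rest of the node list.
        if check_node "$1" "$node" </dev/null; then
            echo "OK   $node"
        else
            echo "FAIL $node"
        fi
    done < "$2"
fi
```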
When you run the Installer:
  1. In the Login Method field of the Configure Remote Authentication section, select SSH – Private key as the login method.
  2. In the SSH Username field, specify root or a login user with sudo privileges. The user must exist and have the same password on every node in the cluster.

    Specifying a non-root user for the SSH Username requires the creation of a file in the /etc/sudoers.d directory, as described in If You Specify a User Other Than root.
  3. In the Private Key field, browse to select the private ssh key file that can authenticate the ssh user on all nodes.
  4. In the SSH Port field, specify a port number if your installation uses an ssh port other than the default port (22).
  5. Click Next to advance through the remaining Installer screens.