Passwordless SSH

What Is Passwordless SSH?

SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Passwordless SSH enables an identity to connect from one device to another without specifying a password. The identity can log on without a credential challenge, or it can invoke commands on the other device without a credential challenge.

Who Needs Passwordless SSH?

For a non-distributed server, passwordless SSH is not applicable.
For a distributed server, the requirements for passwordless SSH are as follows:
  • Each user that needs to start and stop servers and load and unload tables must have an account that is configured for passwordless SSH (on each machine in the cluster).
  • If you use automated loading, the service account under which the scheduled task runs must be configured for passwordless SSH (on each machine in the cluster). This is necessary to perform tasks such as starting and stopping the server and loading and unloading tables.
  • For deployments that include SAS Visual Analytics, the service account for SAS LASR Analytic Server Monitor must be configured for passwordless SSH (on each machine in the cluster). This is necessary to monitor hardware resources and processes for a distributed SAS LASR Analytic Server. This service account can be the same as the SAS installer account.

How to Set Up Passwordless SSH

You can use a point-and-click interface to generate SSH keys and configure them for passwordless SSH automatically for administrator accounts. See the SAS High-Performance Computing Management Console: User’s Guide.
Here are some tips:
  • In the SAS High-Performance Computing Management Console, be sure to select the Generate and Propagate SSH Keys option on the Create User page. This ensures that passwordless SSH is configured correctly for the account.
  • After you add user or group accounts to the machines in the cluster, you must restart the HDFS service if it is co-located. An error message such as the following indicates that a user is not recognized:
    ERROR: host02.example.com (192.168.1.240) User does not belong to  .

Generate SSH Keys Manually

The recommended method is to use the SAS High-Performance Computing Management Console to generate SSH keys (as described in the preceding topic).
If you must generate SSH keys manually (for example, for existing user IDs), use the following steps:
  1. Generate a private/public key pair on a Linux system. Enter the following command to generate the keys and avoid using a passphrase:
    ssh-keygen -t rsa -P ""
  2. After the keys are generated, if passwordless SSH is required, then add the public key to the list of authorized keys by entering this command on the command line:
    cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  3. Check permissions on the .ssh directory and the files in your .ssh directory. The directory must be readable and writable by you only. The id_rsa file must be readable by you only. To verify access, enter the following command, and check the results:
    ls -asl ~/.ssh
    4 drwx------ 2 datamgr datamgr 4096 Jan 23 10:27 . a
    4 drwx------ 4 datamgr datamgr 4096 Jan 12 19:09 ..
    4 -rw-r--r-- 1 datamgr datamgr  397 Jan 23 10:27 authorized_keys
    4 -rw------- 1 datamgr datamgr  1675 Jan 23 10:00 id_rsa b
    4 -rw-r--r-- 1 datamgr datamgr  397 Jan 13 10:00 id_rsa.pub 
    4 -rw-r--r-- 1 datamgr datamgr 1705 Jan 23 10:27 known_hosts
    
    a The directory permissions for the .ssh directory indicate that access is denied for all users other than the directory owner.
    b The id_rsa file is the private key. Read access and Write access are available to the file owner only.
Note: If the machines in the cluster are not configured to access the home directories for the users, create local home directories for the users. Copy the .ssh directory for each user to his or her local home directory. Make sure that the permissions are preserved.

About Passwordless SSH and Windows Clients

If you need to access a distributed SAS LASR Analytic Server from a Windows client, then you need to perform the following steps to copy your SSH keys to the Windows machine.
To copy your SSH keys to a Windows machine:
  1. Determine your Windows home directory. Enter the following command in a command window:
    echo %HOMEDRIVE%%HOMEPATH%
    The results are typically something like C:\Users\sasdemo.
  2. You can use Windows Explorer to drag-and-drop the .ssh directory from your UNIX home directory, or you can use a command like the following to copy it:
    xcopy driverLetter:\.ssh\* "%HOMEDRIVE%%HOMEPATH%\.ssh" /s /i
These steps are typically necessary for deployments that use SAS Studio on a Windows client or SAS solutions that use Windows machines for the server tier.

Troubleshooting

If access problems occur, use the following steps to help diagnose any SSH configuration errors:
  1. Impersonate the user or ask the user to perform the following command that requires passwordless SSH:
    /opt/TKGrid/bin/simsh hostname
    If each of the machines in the cluster responds with a host name, then no passwordless SSH configuration error exists.
  2. As root, log on to one of the machines in the cluster and monitor the logon access:
    tail -f /var/log/secure
  3. Review the messages in the /var/log/secure file. The following example shows that the file system access permissions for /home/sas are not set correctly:
    Mar 14 22:12:36 hostname sshd[11235]: pam_unix(sshd:session): session opened 
    for user root by (uid=0)
    Mar 14 22:12:57 hostname sshd[11266]: Authentication refused: bad ownership or 
    modes for directory /home/sas