2

I have N hosts where I can do passwordless login via ssh to user root.

On those machines I would like to add an ssh-pub-key to authorized_keys of user postgres.

Goal: I want passwordless login to user postgres, too.

AFAIK the tool ssh-copy-id does not help here, since I want the action "add ssh-pub-key to user postgres" to be passwordless.

How to solve this?

guettli
  • Why does `ssh-copy-id` not help? `ssh-copy-id postgres@` should work, right? – Eric Renouf Jun 06 '16 at 14:26
  • @EricRenouf I updated the question: "since I want the action "add ssh-pub-key to user postgres" to be passwordless." – guettli Jun 06 '16 at 14:39
  • `postgres` OS user is created automatically when installing PostgreSQL, and is created without password. When you run `ssh-copy-id postgres@` it prompts you for a password... for a user that doesn't have one. – EAmez Nov 28 '19 at 12:13
  • @EAmez I know, that's why I asked the question. – guettli Nov 29 '19 at 08:41
  • @guettli, my answer was for @eric-renouf because if user is created w/o password, you can't use it when prompted for one with `ssh-copy-id` – EAmez Nov 29 '19 at 11:06
  • In fact, I was having the same problem, and I've ended up using the solution that suggests to connect as root and copy authorized_keys file to postgres user. As I'm testing in development environment, I'm the owner of root user :D – EAmez Nov 29 '19 at 11:08

3 Answers

1

Well, if you can login passwordlessly as root you could do something like this I guess:

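```
# Copy the public key file to root's home directory on the remote host
scp pub_key root@<host>:
# Append it to postgres's authorized_keys, fix ownership and permissions, remove the temporary copy
ssh root@<host> 'mkdir -p ~postgres/.ssh; cat pub_key >> ~postgres/.ssh/authorized_keys; chown -R postgres:postgres ~postgres/.ssh; chmod 644 ~postgres/.ssh/authorized_keys; chmod 700 ~postgres/.ssh; rm -f pub_key'
```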

which will first copy the public key (again) to the remote host, then add that file to the authorized_keys of the postgres user and make sure it has the right permissions. It'll also make sure the postgres/.ssh directory exists and has the right ownership/permissions.

Eric Renouf
1

There are lots of similar ways to do this:

```
ssh root@SomeHost 'tar cpBf - .ssh/authorized_keys | sudo -iu postgres tar xpBf -'
```

In fact, this very command copies the whole root's authorized keys to postgres' user, but usually there's no problem with that since root's access is always superior and it means that anyone with root's access can gain access to postgres' account anyways.

poige
  • This would clobber an existing `authorized_keys` for `postgres` though, right? If there is one that is. Also, the `-f -` in the `tar` commands are not usually necessary since the default is to use `stdout`/`stdin` if you don't use `-f` anyway – Eric Renouf Jun 06 '16 at 17:06
  • It would clobber it, indeed. ) If you want a clearer solution, it's quite close to invoking 'ansible-playbook' I'd say anyway. ;) – poige Jun 06 '16 at 18:08
0

You could do something like:

```
# Replace list_of_servers with your host names; KEY must hold the public key line
for f in list_of_servers; do ssh "root@${f}" "mkdir -p ~postgres/.ssh; echo '$KEY' >> ~postgres/.ssh/authorized_keys; chown -R postgres:postgres ~postgres/.ssh; chmod 400 ~postgres/.ssh/authorized_keys; chmod 700 ~postgres/.ssh"; done
```

or if you have these machines in automation using something like Puppet or Salt, this would be trivial.

Edd
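The answers above either append with `>>`, which adds a duplicate line on every run, or overwrite the file with `tar`, the clobbering raised in the comments. As an added example, not code from any of the posters, here is an idempotent variant of the same root-side steps; the function name `install_key` and its arguments are assumptions, and it is meant to run as root on the target host.

```shell
#!/bin/sh
# install_key HOME_DIR PUBKEY_LINE [OWNER]
# Hypothetical helper: add one public key line to HOME_DIR/.ssh/authorized_keys
# without duplicating it and without touching keys that are already there.
install_key() {
    home=$1 key=$2 owner=${3:-}
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys

    # Exactly one non-empty line is accepted as the key.
    [ -n "$key" ] || { echo "empty key" >&2; return 2; }
    case $key in
        *"
"*) echo "key must be a single line" >&2; return 2 ;;
    esac

    # Root is writing into a directory the account controls:
    # do not write through a symlink found at either path.
    if [ -L "$ssh_dir" ] || [ -L "$auth" ]; then
        echo "refusing to write through symlink" >&2; return 3
    fi

    mkdir -p "$ssh_dir" || return 1
    [ -e "$auth" ] || : > "$auth" || return 1

    # -x whole line, -F fixed string: append only if this exact line is absent.
    if ! grep -qxF -- "$key" "$auth"; then
        # If the file does not end in a newline, add one so keys are not glued together.
        [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
        printf '%s\n' "$key" >> "$auth" || return 1
    fi

    # sshd's StrictModes rejects files or directories writable by group or others.
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 1

    # Hand ownership to the account when an owner is given (requires root).
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$ssh_dir" || return 1
    fi
}
```

For the question's case, the call on each host would be `install_key ~postgres "$KEY" postgres`.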