4 Configuration : 4.3 Configuring the Database Server : 4.3.1 Authorizing SSH/SCP Access without a Password

The client/server SSH and SCP connections must not prompt for a password when establishing the connection. A password-less connection uses authorized public keys. An authorized public key is the public key of a client user account that is to be allowed to connect to the target server. Each client user account generates a public key, which must then be added to the target user account’s authorized public keys list on the target server.
Specific examples are provided in the EDB Postgres Backup and Recovery Guide.
In the SSH server daemon configuration file, /etc/ssh/sshd_config, check that the following parameter is set to yes and is not commented out:
Note: For any SSH or SCP errors, examine the following log file:
The target server to which a password-less SSH or SCP connection is to be made must contain an authorized public keys file. The file is named authorized_keys and is located under the USER_HOME/.ssh directory where USER_HOME is the home directory of the user account on the target server that is to be used to establish the remote session.
Note: The public key should be appended onto the end of any existing authorized_keys file. Any existing authorized_keys file should not be replaced in its entirety.
Step 1 On the client system, log in as the user account that will be initiating the SSH or SCP connection.
Step 2 Change to the user account’s home directory and check if there is an existing .ssh subdirectory. If not, create one as follows:
chown user .ssh
chgrp usergroup .ssh
Where user is the user account name and usergroup is the associated group of the user.
Step 3 Generate the public key file with the following command. Accept all prompted defaults and do not specify a passphrase when prompted for one.
The public key file named id_rsa.pub is created in the .ssh subdirectory.
Step 4 Create a copy of file id_rsa.pub on the target server.
scp ~/.ssh/id_rsa.pub target_user@host_address:tmp.pub
Step 5 Log into the target server as target_user.
ssh target_user@host_address
Step 6 Change to the target user account’s home directory and check if there is an existing .ssh subdirectory. If not, create one as shown in Step 2.
Step 7 Append the temporary copy of the client’s public key file, tmp.pub, to the authorized keys file named authorized_keys. If there is no existing authorized keys file, create a new one, but do not completely replace any existing authorized keys file.
Make sure the authorized_keys file is only accessible by the file owner and not by groups or other users. If the authorized_keys file does not have the required permission setting (600) or it was newly created, change the file permissions as follows:
Step 8 Delete the temporary public key file, tmp.pub.
Now, when logged into the client system as user, there should be no prompt for a password when commands such as the following are given:
ssh target_user@host_address
scp file_name target_user@host_address:directory_path
scp target_user@host_address:directory_path/file file_name
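The target-side part of the procedure (Steps 6 through 8) as a single shell function. This is an added example, not taken from the EDB guide: it appends the copied key only if it is not already listed, never overwrites existing entries, and enforces the 600 mode. The function name append_pubkey, its optional home-directory argument, and the 700 mode on .ssh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the EDB guide). Run on the target server.
# Usage: append_pubkey PUBKEY_FILE [HOME_DIR]
# HOME_DIR is a hypothetical test hook; it defaults to $HOME.
append_pubkey() {
    pub=$1
    ssh_dir=${2:-$HOME}/.ssh
    auth=$ssh_dir/authorized_keys

    # The temporary file must hold exactly one public key line.
    key=$(grep -v '^[[:space:]]*$' "$pub") || { echo "no key in $pub" >&2; return 1; }
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || { echo "expected one key" >&2; return 1; }
    # Reject anything that is not a public key, e.g. a private key copied by mistake.
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac

    # Step 6: create .ssh if missing. Mode 700 is this example's assumption.
    [ -d "$ssh_dir" ] || mkdir "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1

    # Step 7: append, never replace; skip the append if the key is already listed.
    touch "$auth" || return 1
    if ! grep -qxF -- "$key" "$auth"; then
        # Keep the new key off the last entry if that entry has no trailing newline.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth"
        fi
        printf '%s\n' "$key" >> "$auth" || return 1
    fi
    chmod 600 "$auth" || return 1

    # Step 8: delete the temporary copy of the public key.
    rm -f -- "$pub"
}

# Run only when a key file is passed on the command line.
if [ $# -gt 0 ]; then
    append_pubkey "$@"
fi
```

Saved as a script on the target server, it would be run by target_user with tmp.pub as its argument after Step 5.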
In this case, the SSH client on which the public key file (id_rsa.pub) is generated with the ssh-keygen -t rsa command is the database server. The public key file is generated by the user account running the database server.
The target SSH server on which the public key file is to be appended onto the ~/.ssh/authorized_keys file is the BART host. The authorized_keys file is in the BART user account’s home directory.
Note: If backups are to be taken from a given database server host, but restored to a different database server host, the password-less SSH/SCP connections must be configured from the BART host to the database server host from which the backup is to be taken as well as from the BART host to the database server host to which the backup is to be restored.
In this case, the SSH client on which the public key file (id_rsa.pub) is generated with the ssh-keygen -t rsa command is the BART host. The public key file is generated by the BART user account.
The target SSH server on which the public key file is to be appended onto the ~/.ssh/authorized_keys file is the database server. The authorized_keys file is in the home directory of the user account owning the directory where the database backup is to be restored.
See Section 5.2 of the EDB Postgres Backup and Recovery Guide for examples of each scenario.
