SSHing between EC2 instances without having to provide key

I am trying to enable SSHing from one EC2 instance to another without a key.

$ ssh ubuntu@slave gives me a permission denied (public key)

Whereas $ ssh -i aws-key.pem ubuntu@slave works correctly as expected.

Since I want to enable logging in without providing a key, I did the following:

1) Generated a key in the master instance like

 $ ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa_master_to_slave

2) Added that key to the list of authorized keys of the same master instance

 $ cat ~/.ssh/id_dsa_master_to_slave.pub >> ~/.ssh/authorized_keys

3) SCPed the public key file to the slave instance.

 $ scp -i aws_key.pem /home/ubuntu/.ssh/id_dsa_master_to_slave.pub  ubuntu@slave:~/

4) Added the SCP-ed file to the list of authorized keys in the slave instance as well.

 $ cat id_dsa_master_to_slave.pub >> ~/.ssh/authorized_keys

Still, when I try to SSH without providing the pem file, I get

Permission Denied (Public Key)

Am I missing something?


Solution 1:

You need to ssh-add ~/aws-key.pem before you ssh to the ubuntu host. This adds your aws-key to your ssh agent. See: linux.die.net/man/1/ssh-add

Solution 2:

Yes, one approach is to:

  • create a new key pair with ssh-keygen
  • add the private key to ssh-agent using ssh-add id_rsa
  • add generated id_rsa.pub with ssh-copy-id user@host
  • in case ssh-copy-id does not work,

cat ~/.ssh/id_rsa.pub | ssh -i ~/.ssh/my.key [email protected] "cat >> ~/.ssh/authorized_keys"

Another (bad) approach is to upload to all ec2 instances the aws-key.pem key used during the creation of the instances. On each instance, running ssh-add aws-key.pem would then enable passwordless ssh between all instances (including localhost). But in this case, every time we log into ec2 we have to repeat this step.

If we need passwordless ssh between the master and all slaves (i.e., no passwordless ssh between slaves), then we can just ssh-add aws-key.pem on the master.

A connected issue is when we are trying to set up passwordless ssh between ec2 instances for setting up a Hadoop cluster. From here, the master only accesses the slaves via ssh. Slaves do not interact with each other. Another option from the docs is:

Note, the master machine accesses each of the worker machines via ssh. By default, ssh is run in parallel and requires password-less (using a private key) access to be setup. If you do not have a password-less setup, you can set the environment variable SPARK_SSH_FOREGROUND and serially provide a password for each worker.
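As an added example (not code from the question or either answer), the script below does the two steps the question's procedure and Solution 2 describe, but idempotently: it installs a public key into authorized_keys only once and with the permissions sshd's StrictModes expects, and it writes an ssh_config Host entry so that a key with a non-default file name (such as the question's id_dsa_master_to_slave, which ssh does not try on its own) is offered without -i or ssh-add. The host alias, address and key path are assumed placeholders, and the sample public key line is constructed.

```shell
#!/bin/sh
# Added example (not from the question or answers): idempotent authorized_keys
# install with the permissions sshd's StrictModes expects, plus an ssh_config
# Host entry so a custom-named key is offered without -i or ssh-add.

# install_authorized_key PUBKEY_LINE AUTHORIZED_KEYS_FILE
# Appends the line only if its base64 key blob is not already present;
# plain "cat >>" duplicates the key on every run and leaves permissions alone.
install_authorized_key() {
    pubkey="$1"; akfile="$2"; keydir=$(dirname "$akfile")
    blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    mkdir -p "$keydir" && chmod 700 "$keydir"
    touch "$akfile" && chmod 600 "$akfile"
    if grep -qF -- "$blob" "$akfile"; then
        return 0   # already authorized
    fi
    printf '%s\n' "$pubkey" >> "$akfile"
}

# add_host_entry CONFIG_FILE ALIAS HOSTNAME USER IDENTITY_FILE
# "ssh ALIAS" then uses IDENTITY_FILE; IdentitiesOnly stops the client from
# offering every agent key first (each offer counts against sshd's MaxAuthTries).
add_host_entry() {
    cfg="$1"; hostalias="$2"; host="$3"; user="$4"; ident="$5"
    if [ -f "$cfg" ] && grep -qE "^Host[[:space:]]+$hostalias\$" "$cfg"; then
        return 0   # entry already present
    fi
    mkdir -p "$(dirname "$cfg")"
    cat >> "$cfg" <<EOF
Host $hostalias
    HostName $host
    User $user
    IdentityFile $ident
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"
}

# Demo against a throwaway directory; the key line and address are constructed.
demo=$(mktemp -d)
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyBlob ubuntu@master'
install_authorized_key "$SAMPLE_PUB" "$demo/.ssh/authorized_keys"
install_authorized_key "$SAMPLE_PUB" "$demo/.ssh/authorized_keys"  # no-op second time
add_host_entry "$demo/.ssh/config" slave 10.0.0.5 ubuntu '~/.ssh/id_ed25519_master_to_slave'
grep -c 'ubuntu@master' "$demo/.ssh/authorized_keys"   # prints 1, not 2
rm -rf "$demo"
```

Run install_authorized_key on the slave with the master's public key, and add_host_entry on the master; after that, plain "ssh slave" picks the right key.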