SSH setup is a prerequisite for setting up GlassFish clusters across multiple machines. SSH provides confidentiality and integrity for data exchanged between the DAS (Domain Administration Server) and remote host(s) through the use of public key cryptography. One of the authentication mechanisms in SSH is public key authentication, which allows password-less login from the DAS to the instance host(s). The main benefits of public key authentication are:
- Public keys cannot easily be brute-forced
- The same private key (with a passphrase) can be used to access multiple systems: no need to remember many passwords
Setting up public key access requires certain manual steps. However, this shortcoming can be overcome in GlassFish 3.1 by using the setup-ssh command. The primary goal of the SSH key setup command is to provide a simple and quick way to set up SSH connectivity between the DAS and the instance hosts. The key features of the setup-ssh command are:
- Automatic key pair generation
- Automatic key distribution to remote node(s)
- Silent mode setup
- Platform independent
Distributing the public key means installing the public key in the $HOME/.ssh/authorized_keys file on the remote host. The key is installed on the remote host once, after which it is used for subsequent remote access by the holder of the private key (i.e., the DAS user).
SSH setup doesn't store any configuration information in domain.xml. It is a local command with the following usage:
Apart from accepting the above-mentioned SSH credentials, the command accepts multiple operands to set up several SSH hosts in one go. The user also needs to provide the SSH login password so that the key can be distributed: if public key authentication isn't set up yet, password authentication is used to copy the public key to the remote host. Passwords are accepted either by prompting or from a password file.
When a key pair needs to be generated, the user is first prompted for confirmation. The user also has the option of generating the key with a passphrase for tighter security.
In silent mode, the user is not prompted for any information. The SSH password must be passed through a password file, and an empty key passphrase is used to generate the key. This allows SSH setup to be performed from scripts.
Public-key authentication uses two keys: a private key, which is kept in a secure place on the local (DAS) machine and protected with a passphrase, and a public key, which is placed on all the remote hosts that the DAS communicates with.
Generally, users generate the public/private key pair with the standard ssh-keygen utility and then install the public key on the remote host. To make this setup task easier for the user, the setup-ssh utility will automatically generate the key pair and distribute the public key to the remote host(s). The automatic generation includes the option of a passphrase-protected key for added security.
The setup-ssh command will attempt to locate ssh-keygen in default locations if it is not found via the PATH environment variable. On Windows, the assumption is that the SSH package for Cygwin is installed.
Case 1: If public key access is already configured, the command fails:
Case 2: If the public key is present (under $HOME/.ssh or in the specified location), prompt for the SSH password and copy the public key to the remote host. Verify connectivity and exit.
Case 3: If the --sshpublickeyfile option is specified but the file is not found, exit with an error.
Case 4: If --sshpublickeyfile is not specified and no key file is present under $HOME/.ssh, ask the user whether a key pair should be generated. If the user answers 'n', exit with a message stating that SSH key setup failed.
Case 5: If the key doesn't exist and the user answers 'y' for key pair generation, locate ssh-keygen. Run ssh-keygen to generate the key pair with or without a passphrase, copy the public key to the remote host, verify connectivity and exit.
Case 6: If ssh-keygen is not found or fails for some reason, ask the user to run ssh-keygen manually and re-run the command to distribute the key.
Case 7: Allow a non-interactive mode for setup-ssh, i.e., allow the SSH password to be read from a password file and assume the default 'n' for key pair generation. --interactive is part of the asadmin common options.
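The key-distribution step above (installing the public key into $HOME/.ssh/authorized_keys, and recognising in Case 1 that it is already installed) is shown here as an added Python example; it is not code from GlassFish or the setup-ssh command. It assumes OpenSSH's file layout and strict-mode expectations, and uses a constructed sample key and a throwaway home directory instead of a remote host.

```python
import os
import stat
import tempfile

# Constructed sample key line (not a real key), in OpenSSH authorized_keys format.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyBodyForTestOnly0000 das@dashost"


def parse_pubkey(line):
    """Return (key_type, key_body) for an OpenSSH public-key line, ignoring the
    trailing comment, or None if the line is not a public key."""
    parts = line.strip().split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return None
    return parts[0], parts[1]


def install_public_key(pubkey_line, home):
    """Install pubkey_line into home/.ssh/authorized_keys the way a distribution
    step must: create the directory and file with strict modes (sshd rejects
    group/world-writable files under StrictModes) and append the key only if the
    same type and body are not already present, so re-running is idempotent.
    Returns True if the key was added, False if it was already installed."""
    key = parse_pubkey(pubkey_line)
    if key is None:
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # chmod explicitly; makedirs' mode is subject to umask
    auth = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(auth):
        with open(auth) as f:
            existing = [parse_pubkey(l) for l in f if l.strip() and not l.startswith("#")]
    if key in existing:
        return False
    with open(auth, "a") as f:
        f.write(pubkey_line.strip() + "\n")
    os.chmod(auth, 0o600)
    return True


def demo():
    """Distribute the sample key twice into a throwaway home directory (the second
    time with a different comment) and report the outcome as a dict."""
    home = tempfile.mkdtemp()
    first = install_public_key(SAMPLE_KEY, home)
    second = install_public_key(SAMPLE_KEY.rsplit(" ", 1)[0] + " renamed-comment", home)
    auth = os.path.join(home, ".ssh", "authorized_keys")
    with open(auth) as f:
        entries = sum(1 for l in f if l.strip())
    return {"added_first": first, "added_second": second, "entries": entries,
            "dir_mode": stat.S_IMODE(os.stat(os.path.dirname(auth)).st_mode),
            "file_mode": stat.S_IMODE(os.stat(auth).st_mode)}
```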