Hi folks, hopefully this is posting in the right forum.
I have several RPi's (11 = Zero - 4B models) that I can use a menu-based set of setup scripts on (run as root for installs etc. using latest Raspbian-Lite image) and most of it works. I can configure hardware per device (camera, GPIO hats etc.) and local installs of OpenMPI with minimal user input, but I'm struggling with setting up RSA shared keys. I can do it with lots of CLI per device during setup, but I'm trying to develop it for educational use, so some scripted commands would be very useful.
Cheers,
Chris^^
Re: SSH with RSA keys for MPI cluster
What you expect of said keys is a little unclear but I assume you need something different from the usual per user id_rsa, id_rsa.pub.
Perhaps using an intermediate CA would help. This is one of the many write-ups you can find floating around.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel
Re: SSH with RSA keys for MPI cluster
You probably need to elaborate. Note though, it is possible to use the same set of keys all over the place. Typically this is one of those "d'Oh!" moments when someone clones and ships a preconfigured machine and *hasn't* cleared the keys but can be used to good effect if thought out.
Re: SSH with RSA keys for MPI cluster
This post is a little over a month old, but I'll toss my 2cents in.
I don't think that there is a way around having to supply credentials at least once.
I have a private Evernote article I reference when I have a new machine that has this command for each system that I maintain:
Code:
ssh-copy-id -i .ssh/id_rsa.pub pi@raspberrypi40
(I did a 'ssh-keygen -t rsa' years ago, so the key exists.)
In addition to adding the system to my router to make sure that DHCP assigns the same IP every time, I have an /etc/hosts pre-populated with a large number of Pi's (that don't exist yet...).
With the 'ssh-copy-id' command issued from the "master" system to the target Pi, you then have to supply that Pi account's password at least once. Sorry.
If you have many accounts on many systems, you might be able to automate this with 'expect', or possibly with Ansible. I'm too lazy to find out.
I use Ansible to update all of the target Pies once I put the shared key in place manually. There is a small learning curve to using Ansible, but it is well worth it in the end (vs writing shell scripts to maintain my systems).
Re: SSH with RSA keys for MPI cluster
tommylovell wrote: Wed Dec 11, 2019 4:04 pm
> This post is a little over a month old, but I'll toss my 2cents in.
> I don't think that there is a way around having to supply credentials at least once.

Not on a live system (although sshpass might work if you pass some options to scp so it doesn't ask questions). If you're writing the image to go on the sdcard it can be done. You mount the sdcard after writing it and write the keys directly, updating "authorized_keys" and "known_hosts" accordingly. I didn't mention it to the OP because it would not be reliable unless host names and IP addresses remain unchanged.
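The offline approach from the last reply (mount the SD card after writing it, then write the keys and update authorized_keys and known_hosts), as an added shell example that is not part of the original thread. Assumptions: the card's root filesystem is mounted at a path you pass in, the account is "pi" with uid/gid 1000, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: the card's root filesystem is mounted at ROOT,
# the login account is "pi" with uid/gid 1000, and any host key files found
# under ROOT/etc/ssh are the ones the Pi will present after boot.

# install_authorized_key ROOT PUBKEY_FILE [USER] [UID]
install_authorized_key() {
    root=$1; pubkey=$2; user=${3:-pi}; uid=${4:-1000}; keytype=; keydata=
    [ -d "$root/home/$user" ] || { echo "no home for $user in $root" >&2; return 1; }
    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }
    # Accept exactly one public-key line, so a private key is never copied by mistake.
    read -r keytype keydata rest < "$pubkey" || :
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "$pubkey is not a public key" >&2; return 1 ;;
    esac
    [ -n "$keydata" ] && [ "$(grep -c '' "$pubkey")" -eq 1 ] || return 1
    sshdir="$root/home/$user/.ssh"
    mkdir -p "$sshdir" && touch "$sshdir/authorized_keys" || return 1
    # Append only when absent, so re-running against the same card is harmless.
    grep -qxF -e "$(cat "$pubkey")" "$sshdir/authorized_keys" ||
        cat "$pubkey" >> "$sshdir/authorized_keys"
    # sshd's StrictModes refuses keys kept in group- or world-writable locations.
    chmod 700 "$sshdir" && chmod 600 "$sshdir/authorized_keys" || return 1
    # Use the numeric id: "pi" may not exist on the machine writing the card.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:$uid" "$sshdir" || echo "warning: chown failed" >&2
    fi
    return 0
}

# pin_host_keys ROOT HOSTNAME IP KNOWN_HOSTS_FILE
pin_host_keys() {
    root=$1; host=$2; ip=$3; kh=$4; n=0
    touch "$kh" || return 1
    for hostpub in "$root"/etc/ssh/ssh_host_*_key.pub; do
        [ -f "$hostpub" ] || continue
        # known_hosts line: "name,ip keytype base64" (comment field dropped).
        entry="$host,$ip $(cut -d' ' -f1,2 "$hostpub")"
        grep -qxF -e "$entry" "$kh" || echo "$entry" >> "$kh"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]   # fail if the card carried no host keys to pin
}
```

Each known_hosts entry binds the name and IP to the key, which is why this only stays reliable while host names and addresses remain unchanged, as the reply notes.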