PingIntelligence

Creating a new SSH user and configuring user authentication

Before you can connect to the host machines, you must configure user authentication. Optionally, you can create a new user.

If you don’t want to create a new user, you can use the default user configured in the hosts file.

When you configure user authentication, you can either configure passwordless authentication for the SSH user or use a password to connect to the host machines.

The sshpass module must be installed on the RHEL host machine if you’re authenticating using a password.

Creating a new user

About this task

If you do not have a user as mentioned in the PingIntelligence automated deployment preparation section, complete the following steps on all the provisioned host machines.

Steps

  1. Create an ec2-user.

    The hosts file in the automation package has ec2-user as the default user.

    1. Optional: To create your own username, run the #useradd ec2-user command.

  2. Change the password by running the #passwd ec2-user command.

    If you’re installing PingIntelligence software as a non-sudo user, skip steps 3-5.

  3. Add the user to the wheel group by running the #usermod -aG wheel ec2-user command.

  4. Configure passwordless sudo access:

    #visudo
    %wheel ALL=(ALL) NOPASSWD: ALL
  5. Verify the /etc/ssh/sshd_config file for PubKeyAuthentication.

    Troubleshooting:

    If it is set to no, then set it to yes and restart sshd service by the #systemctl restart sshd command.

  • Passwordless authentication

  • Password-based authentication

Setting up passwordless authentication

About this task

You can set up passwordless authentication from the management machine to other machines where PingIntelligence components are installed.

Steps

  1. On the management machine, run the following command.

    The management machine is the machine from which the automated deployment script is run to deploy the various PingIntelligence software.

    # ssh-keygen -t rsa

    Result:

    This command generates the ssh-keys.

  2. Accept all the default options. Make sure that you do not set the password for the key.

  3. You have two options for configuring passwordless authentication:

    Choose from:

    • Run the ssh-copy-id command for each host machine but not the management machine:

      # ssh-copy-id pi-user@<ping-machine IPv4 address>

      For example (ping-ase):

      ssh-copy-id pi-user@192.168.11.148
    • Copy and add the ssh-keys manually:

      1. Fetch the generated key in step 1 from /home/$USER/.ssh/id_rsa.pub.

      2. Copy the key and add it to the /home/$USER/.ssh/authrorized_keys file on all the host machines where PingIntelligence components are installed.

        If configuring passwordless authentication does not succeed, contact your system administrator.

Setting up authentication using a password

Before you begin

Ensure that:

  • You’ve installed sshpass module on the management host machine.

    The management host machine is a RHEL 7.6 machine.

  • The password that you configure for the user in the hosts file must already be configured on the host machines.

About this task

You can also use password to authenticate with PingIntelligence and MongoDB host machines.

Configure the password of the host machine in the hosts file.

Steps

  • To add the password in the hosts file, edit the hosts file to configure the password in ansible_ssh_pass parameter as shown in bold in the following hosts file snippet

    # Ansible SSH user to access host machines
    ansible_ssh_user=ec2-user
    # Uncomment the ansible_ssh_pass line and configure password of ansible_ssh_user if you want to use SSH connection with password.
    # If you do not use this option, then the SSH user uses password-less authentication.
    #ansible_ssh_pass=<SSH_user_password>

Verifying SSH connectivity

Steps

  • Manually verify SSH connectivity between the management machine and the host machine by running the ssh user@remote-machine "ls" command.

Next steps

To continue your configuration, see Copying the PingIntelligence license.