When you start administering a new server with PICA, one of the first things you should do is configure SSH public-key (RSA) authentication, so that you can log in to that server without typing a password.
PICA can simplify this task by distributing the needed files for you. We use SSHv2, so this article assumes that version of SSH and its ssh.com-style file layout under ~/.ssh2. First of all, every sysadmin needs their own private/public key pair. Let's say we are two sysadmins and our public keys, in SSHv2 format, are in the files sysadm1.pub and sysadm2.pub. We add the following entries to the objects.conf file (the group is called SSHAuth here, matching the name used in the snippet and command below):
    # SSH RSA authentication files
    group SSHAuth {
        # SSHv2 authorization file: one "Key file.pub" line per sysadmin
        file ssh_auth {
            path = '/root/.ssh2/authorization';
            source = "SSH/authorization.cfg";
        }
        file sysadm1.pub {
            path = '/root/.ssh2/sysadm1.pub';
            source = "SSH/sysadm1.pub";
        }
        file sysadm2.pub {
            path = '/root/.ssh2/sysadm2.pub';
            source = "SSH/sysadm2.pub";
        }
    }
If different hosts run different SSH versions (SSHv2 or SSHv1), you can wrap the previous entries in conditionals so that each host gets the file names and paths its version expects. This is left as an exercise to the challenged student ;-).
We could even generate the authorization file on the fly, with the needed Key entries, by putting the following snippet in the source file:
    #perl
    my @return;
    # Get the key files by reading the group members and skipping 'ssh_auth'
    # (only members whose name ends in .pub are keys)
    my @keys = grep(/\.pub$/, members('SSHAuth'));
    foreach my $key (@keys) {
        push @return, "Key $key\n";
    }
    # Return the array (it will be printed in place of the snippet)
    @return;
    #lrep
This code generates one "Key file.pub" entry for each public key file we define in the group, thus allowing access to the server with that key. Note that it trusts the file name alone: anything named *.pub in the group ends up in the authorization file, so keep the group limited to real, current keys. This is really outside the scope of this article, but it is a good example of what can be done with the #perl/#lrep environment.
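The following is an added example, not code from the article or from PICA. It does in Python what the #perl snippet above does, but with the check that snippet skips: each candidate file is parsed as an SSHv2 (RFC 4716) public key, its base64 blob is decoded and the algorithm name is read from the first SSH string, and the authorization text is only produced when every key is well-formed. The sample sysadm1.pub/sysadm2.pub contents are constructed here with dummy numbers (they are not real keys), and ALLOWED_TYPES is an assumption about which algorithms you want to accept.

```python
"""Build an ssh.com/SSHv2 'authorization' file from a set of .pub files,
accepting only well-formed RFC 4716 public keys.  Added example; not PICA code."""
import base64
import struct
from pathlib import Path

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
# Assumption: only these key algorithms are acceptable on the managed hosts.
ALLOWED_TYPES = {"ssh-rsa", "ssh-dss"}


def parse_ssh2_pub(text):
    """Return (key_type, headers) for an RFC 4716 public key, or raise ValueError.

    Checks the BEGIN/END markers, decodes the base64 body and reads the
    algorithm name from the first SSH string of the key blob, so a file that
    merely ends in .pub cannot slip into the authorization file.
    """
    lines = [l.rstrip("\r\n") for l in text.splitlines()]
    while lines and not lines[-1].strip():
        lines.pop()
    if len(lines) < 3 or lines[0].strip() != BEGIN or lines[-1].strip() != END:
        raise ValueError("missing SSH2 BEGIN/END markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:               # header line (base64 never contains ':')
            name, value = line.split(":", 1)
            while value.rstrip().endswith("\\"):   # RFC 4716 header continuation
                i += 1
                value = value.rstrip()[:-1] + lines[i]
            headers[name.strip().lower()] = value.strip().strip('"')
        else:
            body.append(line.strip())
        i += 1
    try:
        blob = base64.b64decode("".join(body), validate=True)
    except ValueError as e:                        # binascii.Error is a ValueError
        raise ValueError(f"bad base64 body: {e}")
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + n]
    if len(name) != n:
        raise ValueError("truncated key blob")
    key_type = name.decode("ascii")
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    return key_type, headers


def is_valid_ssh2_pub(text):
    """True if text parses as an acceptable SSH2 public key file."""
    try:
        parse_ssh2_pub(text)
        return True
    except ValueError:
        return False


def build_authorization(pubs):
    """pubs: mapping of file name -> contents for every *.pub in the group.
    Returns (authorization text with one 'Key <file>' line per key, report of
    (file, key_type, comment)); raises on the first malformed key so nothing
    gets installed half-checked."""
    out, report = [], []
    for name in sorted(pubs):
        key_type, headers = parse_ssh2_pub(pubs[name])
        out.append(f"Key {name}")
        report.append((name, key_type, headers.get("comment", "")))
    return "\n".join(out) + "\n", report


def load_pub_dir(directory):
    """Read every *.pub under directory into the mapping build_authorization expects."""
    return {p.name: p.read_text() for p in sorted(Path(directory).glob("*.pub"))}


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_sample_pub(key_type, comment):
    """Constructed sample: a syntactically valid SSH2 .pub file whose key blob
    carries dummy numbers (it is NOT a usable key, only test input)."""
    blob = (_ssh_string(key_type.encode()) + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00\xc0\xff\xee"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f'{BEGIN}\nComment: "{comment}"\n{body}\n{END}\n'


def sample_keys():
    """Constructed sysadm1.pub / sysadm2.pub like the ones in the article."""
    return {
        "sysadm1.pub": make_sample_pub("ssh-rsa", "sysadm1@example"),
        "sysadm2.pub": make_sample_pub("ssh-dss", "sysadm2@example"),
    }


if __name__ == "__main__":
    text, report = build_authorization(sample_keys())
    print(text, end="")
    for name, key_type, comment in report:
        print(f"# {name}: {key_type} ({comment})")
```

To use it against a real PICA source tree you would call build_authorization(load_pub_dir("SSH")) and write the returned text to SSH/authorization.cfg before running pica; a stray or corrupted .pub file then aborts the generation instead of silently producing an authorization line for it.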
With this configuration, after adding the new host to the hosts.conf file you could run the command:
pica -iv +F SSHAuth +H new_server
You will have to type the server's password only this one time, because after these files are installed both sysadmins will be able to log in to the server without typing a password (assuming they are running ssh-agent). Remember that the authorization file grants root logins to whoever holds the matching private keys: keep the private keys passphrase-protected and out of the PICA source tree, put only the public keys there, and make sure the installed files under /root/.ssh2 are owned by root and not writable by anyone else, or the SSH daemon may refuse to use them.