Admin User

How to configure password-free SSH and password-free sudo

Pigsty requires an administrative user that can SSH password-free to other nodes from the meta-node and execute the sudo command password-free.

Admin user

Pigsty recommends that the creation of the administrative user, privilege configuration and key distribution be done during the Provisioning phase of the VM as part of the delivered content.

The default user for sandbox environments, vagrant, is already configured with password-free login and password-free sudo, and you can use vagrant to log in to all database nodes from the host or the sandbox meta-node. For production environments, such a user, with password-free remote SSH login and password-free sudo, should already be configured when the machine is delivered.

If not, you will need to create it yourself. If you have root privileges, you can also perform the initialization directly as root, and Pigsty can create the administrative user during the initialization process. The relevant configuration parameters are:

node_admin_setup

Whether to create an admin user (with password-free sudo and SSH) on each node. The user is created by default.

By default, Pigsty creates an admin user named admin (uid=88) that can SSH without a password from the meta-node to other nodes in the environment and run sudo without a password.

node_admin_uid

The uid of the administrator user, default is 88

node_admin_username

Name of the admin user, default is admin

node_admin_ssh_exchange

Whether to exchange the admin user's SSH keys between the machines the command is currently being executed on.

The exchange is performed by default, so that the administrator can quickly jump between machines.

node_admin_pks

Public keys written to the admin user's ~/.ssh/authorized_keys

Users with the corresponding private keys can log in as administrators.

By default, Pigsty will create the administrator user admin with uid=88 and exchange that user’s key cluster-wide.

The public keys given in node_admin_pks are installed to the authorized_keys of the admin account, and users holding the corresponding private keys can log in remotely without a password.

Configure SSH nopass access

On the meta node, assume the username of the user executing the command is vagrant.

Generate the key

Execute the following command as user vagrant to generate a public-private key pair for vagrant to use for login.

ssh-keygen
  • Default public key: ~/.ssh/id_rsa.pub
  • Default private key: ~/.ssh/id_rsa

Install the key

Add the public key to the corresponding user on the machine you need to log in to: /home/vagrant/.ssh/authorized_keys

If you already have direct password access to the remote machine, you can copy the public key directly via ssh-copy-id.

# Enter the password to complete the public key copy
ssh-copy-id <ip>
# Embed the password directly into the command to avoid interactive password entry
# (the password can then end up in shell history and is visible in the process list)
sshpass -p <password> ssh-copy-id <ip>

Then you can log in to the remote machine via password-free SSH for that user.

Configure nopass SUDO

Assuming the username is vagrant, add the following entry via the visudo command, or by creating the /etc/sudoers.d/vagrant file.

%vagrant ALL=(ALL) NOPASSWD: ALL

Then the vagrant user can execute all commands through sudo without entering a password.
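To check the result of the steps above on a node, the following added example (not part of the Pigsty documentation) audits the files they touch. The function names are hypothetical, and all paths are passed as arguments so the checks can also be run against copies.

```shell
#!/bin/sh
# Added example: audit the files produced by the SSH and sudo steps above.
# Function names are hypothetical; paths are arguments, nothing is modified.

# Succeeds if the given path is writable by group or others.
loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# check_ssh_perms HOME_DIR
# With sshd's default StrictModes, key login is refused when the home
# directory, ~/.ssh or authorized_keys is group- or world-writable.
# Prints each problem found; returns 0 only when none is found.
check_ssh_perms() {
    home=$1; rc=0
    if [ ! -f "$home/.ssh/authorized_keys" ]; then
        echo "missing: $home/.ssh/authorized_keys"
        return 1
    fi
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if loose "$p"; then
            echo "group/world-writable: $p"
            rc=1
        fi
    done
    return $rc
}

# nopasswd_rules FILE
# Prints the active (non-comment) sudoers lines in FILE that carry NOPASSWD.
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD[[:space:]]*:'
}

# grants_nopasswd_all FILE NAME
# Succeeds if FILE has an active rule for user NAME or group %NAME that
# ends in "NOPASSWD: ALL", i.e. the entry shown above.
grants_nopasswd_all() {
    nopasswd_rules "$1" |
        grep -Eq "^[[:space:]]*%?${2}[[:space:]].*NOPASSWD[[:space:]]*:[[:space:]]*ALL[[:space:]]*\$"
}
```

After sourcing the file, run `check_ssh_perms /home/vagrant` and `grants_nopasswd_all /etc/sudoers.d/vagrant vagrant` (the latter as root, since sudoers files are not world-readable); `nopasswd_rules` is also useful for reviewing which accounts on a node hold password-free sudo.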

Last modified 2021-03-28: update en docs (f994b54)