Runbook for establishing passwordless SSH from a management host (trips-testlab) to an IBM HMC (drhmc01) for unattended monitoring and automation.
Verify the following before commencing:
• Network reachability on TCP/22 from 192.168.131.135 to 192.168.131.150.
• hscroot password available — required once for the initial key upload.
• Root access on trips-testlab (or whichever local user will run the automation).
• An SCP/PuTTY session to the HMC for paste operations.
The ~/.ssh directory must exist with strict permissions before key generation.
# mkdir -p ~/.ssh
# chmod 700 ~/.ssh
Generate a dedicated key, isolated from any pre-existing keys. The empty passphrase is required for unattended cron execution; key security is enforced via filesystem permissions.
# ssh-keygen -t rsa -b 4096 \
    -C "hmc_monitor@trips-testlab" \
    -f ~/.ssh/hmc_monitor_rsa \
    -N ""
Verify with ls -l ~/.ssh/hmc_monitor_rsa*, which should show two files: private key (mode 600) and public key (.pub, mode 644).
~/.ssh/config
Run on trips-testlab
This allows the script to reference drhmc01 by its short alias and have SSH automatically apply the correct user, IP, key file, and connection options.
# cat >> ~/.ssh/config <<'EOF'
Host drhmc01
    HostName 192.168.131.150
    User hscroot
    IdentityFile ~/.ssh/hmc_monitor_rsa
    IdentitiesOnly yes
    StrictHostKeyChecking accept-new
    ConnectTimeout 10
    BatchMode yes
EOF
# chmod 600 ~/.ssh/config
Print the contents of the public key so it can be copied. Select the entire output as a single line — it must not contain any line breaks when transferred.
# cat ~/.ssh/hmc_monitor_rsa.pub
Expected format (will be a single long line):
ssh-rsa AAAAB3NzaC1yc2EAAA...(very long string)... hmc_monitor@trips-testlab
Authenticate with the hscroot password one final time to register the key.
# ssh hscroot@192.168.131.150
ssh-copy-id's mechanism for appending to authorized_keys. The HMC-native mkauthkeys command must be used instead.
From the HMC prompt, paste the full public key as the argument to mkauthkeys -a. Wrap it in double quotes so the comma and trailing comment are preserved.
$ mkauthkeys -a "ssh-rsa AAAAB3Nza...full_key... hmc_monitor@trips-testlab"
Replace the example string above with the actual key copied in step 3.1.
Verify with mkauthkeys --ls: your key should appear in the list. Inspect the comment field at the end (hmc_monitor@trips-testlab) to confirm the correct key was added.
$ exit
This single command exercises the full chain: SSH config alias resolution → key selection → HMC authentication → remote command execution.
# ssh drhmc01 lshmc -V
For verbose output to diagnose the auth flow:
# ssh -vvv drhmc01 lshmc -V 2>&1 | grep -E "(Offering|Authentication|denied|accept)"
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Prompts for password despite key being present | Key not registered on HMC, or wrong key being offered | Re-run mkauthkeys --ls on HMC; ensure key matches ~/.ssh/hmc_monitor_rsa.pub on collector |
| Permission denied (publickey) | Permissions on private key, ~/.ssh, or ~/.ssh/config are too open | chmod 700 ~/.ssh; chmod 600 ~/.ssh/hmc_monitor_rsa ~/.ssh/config |
| Connection times out | Firewall blocking TCP/22 or HMC unreachable | Test reachability: nc -zv 192.168.131.150 22 from trips-testlab |
| Host key verification failed | HMC was reinstalled / key changed | ssh-keygen -R 192.168.131.150 ; ssh-keygen -R drhmc01 then retry |
| Pasted key shows as multiple lines on HMC | Terminal wrapping during paste | Use mkauthkeys --rm to remove malformed entry, then re-paste with quotes ensuring single line |
| mkauthkeys: command not found | Not on the HMC restricted shell — likely shell escape or wrong host | Confirm prompt shows hscroot@drhmc01; reconnect if necessary |
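
The local checks behind the permission, key-mismatch and wrapped-paste rows of the table can be scripted. The following is an added example, not part of the original runbook: it assumes GNU stat on trips-testlab and that the output of mkauthkeys --ls has been saved to a local file, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: local preflight checks for the hmc_monitor key setup.
# Assumptions: GNU stat (stat -c); function names are hypothetical.

# Succeeds when the path exists and has exactly the expected octal mode.
check_mode() {
    [ -e "$1" ] && [ "$(stat -c %a "$1")" = "$2" ]
}

# Succeeds when the .pub file is exactly one line: "ssh-rsa <blob> <comment>".
# A key that was wrapped by a terminal or editor fails this check.
pubkey_is_single_line() {
    awk 'NF != 3 || $1 != "ssh-rsa" { bad = 1 }
         END { exit (bad || NR != 1) }' "$1"
}

# Succeeds when the base64 blob of the local .pub file appears intact in a
# saved copy of the "mkauthkeys --ls" output (listing file is an assumption).
key_in_listing() {
    blob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -n "$blob" ] && grep -qF -- "$blob" "$2"
}

# Runs every local check against an SSH directory (default: ~/.ssh).
# Prints one line per failure and returns non-zero if any check failed.
preflight() {
    dir=${1:-$HOME/.ssh}
    rc=0
    check_mode "$dir" 700 || { echo "FAIL: $dir is not mode 700"; rc=1; }
    check_mode "$dir/hmc_monitor_rsa" 600 ||
        { echo "FAIL: private key is not mode 600"; rc=1; }
    check_mode "$dir/config" 600 ||
        { echo "FAIL: config is not mode 600"; rc=1; }
    pubkey_is_single_line "$dir/hmc_monitor_rsa.pub" ||
        { echo "FAIL: public key is not a single ssh-rsa line"; rc=1; }
    return "$rc"
}
```

Source the file and run preflight before the first ssh drhmc01 test; key_in_listing takes the local .pub file and the saved listing as its two arguments.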
From an interactive hscroot session on the HMC:
$ mkauthkeys --ls
$ mkauthkeys --rm "ssh-rsa AAAA...full_key... hmc_monitor@trips-testlab"
# rm -i ~/.ssh/hmc_monitor_rsa ~/.ssh/hmc_monitor_rsa.pub
Optionally remove the alias block from ~/.ssh/config if the host is being decommissioned.