Preface
Drawing on day-to-day Linux administration work, this article walks through the actual process of logging in with an SSH certificate (key pair), explains the configuration principles behind it, and uses those principles to solve problems met in real work: the various issues with certificate login from SecureCRT on Windows, and the password-less login that a Hadoop cluster deployment requires.
SSH supports password login and certificate login. Beginners prefer password login, or even logging in as root with a password like 123456. In practice, however, especially at Internet companies, login is essentially always by certificate. Intranet machines may still allow password login, but an Internet-facing machine that accepts password login is very vulnerable to attack. In a real production environment, SSH login means certificate login.
Certificate logon procedure
1. The client generates a certificate: a private key and a public key. The private key stays on the client and must be kept safe. For security, a passphrase is normally set on it, so that an attacker who gets onto the client and copies the private key still cannot use it; each time you log on to the SSH server, the client enters the passphrase to unlock the private key. (If you use a private key without a passphrase at work and the server is compromised one day, you will not be able to clear your name even by jumping into the Yellow River.)
2. Add the public key to the server: upload the public key generated by the client to the SSH server and append it to the designated file. With that, the SSH certificate login configuration is complete.
If the client wants to log on to another SSH server with the same private key, upload the public key to that server in the same way.
In real work: the employee generates the private key and public key (remember to set a passphrase on the private key) and sends the public key to the O&M staff. O&M registers the public key and grants the employee access to one or more servers; the employee can then log on to those servers with the private key for system maintenance. The employee is therefore responsible for protecting their private key: if someone maliciously copies it and no passphrase was set, the servers are finished and the employee can take a long vacation.
The client creates a private key and a public key
Run the following command in the client terminal:
ssh-keygen -t rsa
RSA is an encryption algorithm; DSA is another one. Both are commonly used for certificate login.
Assuming the user is blue, the ssh-keygen command generates the two required keys in the .ssh/ directory under blue's home directory: the private key (id_rsa) and the public key (id_rsa.pub).
It also asks for a passphrase for the private key. Unless this is a test or you specifically need a passphrase-less SSH key, the passphrase must not be empty (do not just press Enter); choose a proper passphrase containing special characters.
SSH Server Configuration
The SSH server configuration is as follows:
vim /etc/ssh/sshd_config
# Disable root login. Not required, but do it for security.
PermitRootLogin no
# Whether sshd checks the permissions of the user's home directory and related files.
# This guards against users setting wrong permissions on important files, which can cause problems:
# for example, when the permissions on the user's ~/.ssh/ are wrong, login is refused in some cases.
StrictModes no
# Whether to allow users to log in with their own key pairs (protocol version 2 only).
# The user's public keys are stored in .ssh/authorized_keys under the home directory.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Once certificate login works, disable password login. Security is critical.
PasswordAuthentication no
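As an added check (not from the original article), the following shell function audits an sshd_config file for the three settings above that matter most for certificate-only login. It assumes a Linux host with POSIX sh and awk; the sample config files are constructed here. One caveat it encodes: unlike most configuration files, sshd uses the first occurrence of a keyword, not the last, so a hardened line appended at the bottom of a file that already says PasswordAuthentication yes has no effect.

```sh
#!/bin/sh
# Added example, not code from the original article: audit an sshd_config for
# the settings a certificate-only server should have. Assumes POSIX sh + awk.
# Limitation (assumption for this example): "Match" blocks are not parsed, so
# the audit reflects only the global section.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD, lower-cased, or nothing if the
# keyword is absent. sshd takes the FIRST uncommented occurrence, so that is
# what is returned; a later duplicate is silently ignored by sshd.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                  # skip comments and blank lines
        !seen && tolower($1) == tolower(key) { val = $2; seen = 1 }
        END { if (seen) print tolower(val) }' "$1"
}

# audit_sshd_config FILE
# Prints one FINDING line per deviation from the hardened values and returns
# 1 if there was any finding, 0 if the file is fully hardened.
# An unset keyword is reported too: PasswordAuthentication defaults to yes,
# and the other two should be stated explicitly rather than left to defaults.
audit_sshd_config() {
    cfg="$1"; rc=0
    for pair in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on constructed files (sample data, not a real server's configuration).
demo=$(mktemp -d)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$demo/weak"
cat > "$demo/hardened" <<'EOF'
# comment lines and blank lines are ignored
PermitRootLogin no

PasswordAuthentication no
PubkeyAuthentication yes
# the next line is a duplicate: sshd ignores it, so the effective value stays "no"
PasswordAuthentication yes
EOF
echo "== $demo/weak";     audit_sshd_config "$demo/weak"     || echo "not hardened"
echo "== $demo/hardened"; audit_sshd_config "$demo/hardened" && echo "hardened"
rm -rf "$demo"
```

Run it on a real server as audit_sshd_config /etc/ssh/sshd_config after editing, and before restarting sshd; a non-zero exit means at least one of the three settings is not what the text above intends.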
After configuring the SSH server, upload the client's public key to the server and append it to authorized_keys.
Run on the client:
scp ~/.ssh/id_rsa.pub blue@<ssh_server_ip>:~
Run on the server:
cat id_rsa.pub >> ~/.ssh/authorized_keys
If you modified /etc/ssh/sshd_config, restart the SSH server:
/etc/init.d/ssh restart
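The same upload-and-append step on the server side, as an added example rather than the article's own commands: a small POSIX shell script that appends a public key to authorized_keys only once, refuses anything that is not a public key line, and sets the directory and file modes that sshd's StrictModes checks, so StrictModes can stay at its default of yes instead of being disabled as in the server configuration above. The home directory argument and the sample key are constructed for the demo; it assumes GNU coreutils for stat -c.

```sh
#!/bin/sh
# Added example, not code from the original article: server-side installation
# of a client public key into authorized_keys, done idempotently and with the
# modes StrictModes expects. Assumes GNU coreutils (stat -c) on the server.

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends the first line of PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys unless
# an identical line is already there, then sets modes 700/600.
# Returns 1 if the file is missing or does not look like a public key.
install_pubkey() {
    pub="$1"; home="${2:-$HOME}"
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"

    key=$(head -n 1 "$pub" 2>/dev/null) || return 1
    # A public key line is "<type> <base64> [comment]". Anything else (for
    # example a private key pasted by mistake) must never land in this file.
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|ssh-dss\ *) ;;
        *) echo "refusing: $pub is not a public key" >&2; return 1 ;;
    esac

    # Create the directory and file private from the start (subshell keeps the
    # umask change local to this step).
    ( umask 077; mkdir -p "$sshdir" && touch "$auth" ) || return 1
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"

    # StrictModes refuses the key if these are group/world writable; fixing the
    # modes is the right answer, not switching StrictModes off.
    chmod 700 "$sshdir"
    chmod 600 "$auth"
}

# check_ssh_modes [HOME_DIR] -> 0 if .ssh is 700 and authorized_keys is 600
check_ssh_modes() {
    home="${1:-$HOME}"
    [ "$(stat -c '%a' "$home/.ssh")" = 700 ] || return 1
    [ "$(stat -c '%a' "$home/.ssh/authorized_keys")" = 600 ] || return 1
}

# Demo against a throwaway home directory with a constructed (non-functional) key.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedKeyMaterial== blue@client\n' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo"
install_pubkey "$demo/id_rsa.pub" "$demo"     # second run adds nothing
echo "authorized_keys lines: $(wc -l < "$demo/.ssh/authorized_keys")"   # 1
check_ssh_modes "$demo" && echo "modes OK"
rm -rf "$demo"
```

On a real server, run install_pubkey ~/id_rsa.pub as the target user after the scp step; if sshd still refuses the key, check_ssh_modes tells you whether the permissions are the reason before you touch StrictModes.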
The client logs on to the SSH server with the private key
ssh command:
ssh -i /blue/.ssh/id_rsa blue@<ssh_server_ip>
scp command:
scp -i /blue/.ssh/id_rsa filename blue@<ssh_server_ip>:/blue
Specifying the private key on every command is tedious, so add the private key path to the SSH client's default configuration.
Edit /etc/ssh/ssh_config:
# The default id_rsa is in fact already on the private key path; this line is just an example.
IdentityFile ~/.ssh/id_rsa
# If you have other private keys, add their paths too.
IdentityFile ~/.ssh/blue_rsa
Other application scenarios
Logging on to Linux with an SSH certificate from SecureCRT
Most people in China use Windows, and Windows has many graphical SSH clients; the most popular and powerful is SecureCRT, so I will briefly describe the key points of logging on to Linux with an SSH certificate from SecureCRT. The steps are as follows:
1. Create the private key and public key in SecureCRT: main menu -> Tools -> Create Public Key -> select RSA -> enter the passphrase for the private key -> set the key length to 1024 -> click Finish. Two files are generated, named identity and identity.pub by default.
2. Convert the private key and public key to OpenSSH format: main menu -> Tools -> Convert Private Key to OpenSSH Format -> select the newly generated private key file identity -> enter the passphrase for the private key -> two files are generated; name them id_rsa and id_rsa.pub.
3. Upload the public key id_rsa.pub to the SSH server and configure the server certificate as described above.
Also, if you have been logging on to Linux with a SecureCRT certificate from Windows and one day switch to Linux, wanting to log on to the company's servers with the same private key, copy id_rsa into the ~/.ssh/ directory and configure the SSH client as described above.
Note: SSH is sensitive to the file and directory permissions of the certificate (key) files. Either set the permissions as the error message indicates, or set the StrictModes option to no.
Password-less SSH Login for hadoop deployment
Hadoop requires that the master node can jump to each slave without a password, so the master is the SSH client from the preceding section. The steps are as follows:
Generate a public key and private key on the Hadoop master. In this scenario, the private key must not have a passphrase.
Upload the public key to the designated directory on each slave, and password-less SSH jumping is complete.
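The two steps above, as an added shell script for the Hadoop master (not from the original article and not Hadoop's own tooling). Because the master key has no passphrase, the script also adds the mitigation a defender would want: it prefixes the key in each slave's authorized_keys with a from= restriction so the key is only accepted from the master's address, and forbids agent and X11 forwarding, which starting daemons does not need. The master IP, key path and slave names are assumptions for illustration; SSH_CMD can be set to echo for a dry run with no network.

```sh
#!/bin/sh
# Added example, not code from the original article: push the Hadoop master's
# passphrase-less public key to every slave, restricted so it only works from
# the master. Assumes the key was created on the master with, for example,
#   ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa
# (-N '' gives the empty passphrase this scenario requires).
# Set SSH_CMD=echo to see what would be run without touching the network.

SSH_CMD="${SSH_CMD:-ssh}"

# restricted_key_line MASTER_IP PUBKEY_FILE
# Emits the authorized_keys line: a "from=" option pins the key to the master's
# address, so a stolen copy of the unprotected private key is useless from
# anywhere else; agent and X11 forwarding are not needed to start daemons.
restricted_key_line() {
    printf 'from="%s",no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$(head -n 1 "$2")"
}

# push_master_key MASTER_IP PUBKEY_FILE SLAVE...
# Appends the restricted line to ~/.ssh/authorized_keys on each slave in one
# SSH session per host (password prompts still apply on this first run).
# Only the public key ever leaves the master. Returns 1 on the first failure.
push_master_key() {
    master="$1"; pub="$2"; shift 2
    [ -r "$pub" ] || { echo "no such public key: $pub" >&2; return 1; }
    line=$(restricted_key_line "$master" "$pub")
    for slave in "$@"; do
        printf '%s\n' "$line" | $SSH_CMD "$slave" \
            'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' \
            || { echo "failed on $slave" >&2; return 1; }
    done
}

# Usage (assumed values): sh push_hadoop_key.sh 10.0.0.1 ~/.ssh/id_rsa.pub slave1 slave2
# The script only acts when arguments are given, so sourcing it is harmless.
if [ "$#" -ge 3 ]; then
    push_master_key "$@"
fi
```

After the first run, ssh slave1 from the master should log in without a prompt; the same key tried from any other host is rejected by the from= option even though the private key has no passphrase.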
Summary
Certificate login is the most common SSH login method in real work. I have explained SSH certificate login in combination with real work scenarios, and illustrated it with the popular Hadoop deployment and the most common Windows client, SecureCRT.