At work you often need to jump between various Linux machines; entering a password each time is troublesome and also unsafe. In practice this covers SSH logins from Windows with tools such as SecureCRT or TeraTerm, as well as the passwordless jumps required for Hadoop cluster deployments.
SSH supports password login and certificate login. For security reasons certificate login is generally used, that is, logging in without entering a password each time. Password login is vulnerable to external attacks.
First, the process of certificate login:
1. The client generates the private key and public key of the certificate.
The private key is placed on the client, and the public key is uploaded to the server (remote login).
For security, in case an attacker copies the client's private key, a passphrase is usually set when the client generates the private key, and each time you log in to the SSH server the client asks for that passphrase to unlock the private key (if you use a private key without a passphrase at work and one day the server is hacked, you will have no way to clear your name).
2. The server adds the trusted public key.
The client-generated public key is uploaded to the SSH server and added to the specified file, thus completing the configuration of the SSH certificate login.
If the client wants to log in to another SSH server through the private key, the same can be done by uploading the public key to another SSH server.
Examples of practical applications:
Create your private key and public key (remember to set a passphrase on the private key), then give the public key to the operations staff. They register your public key and grant you access to one or more servers, and employees can then use their private key to log in to the servers they are authorized for and do system maintenance work. Employees are therefore responsible for protecting their private key: if it is maliciously copied by someone else and you did not set a passphrase on it, the servers are done for, and the employee can take a long vacation too.
Second, a certificate login example:
Environment: A logs in to B over SSH, that is, A is the local machine and B is the remote login server.
1. Machine A configuration
① Generate the public and private keys
# ssh-keygen -t rsa (press Enter three times; the public and private keys are generated locally and no passphrase is set)
② Copy the public key to the B side
# scp ./.ssh/id_rsa.pub root@<B_IP>:/root/.ssh/id_rsa.pub (password required)
2. Machine B configuration
① Create the authorized_keys2 file
# touch /root/.ssh/authorized_keys2 (if this file already exists, skip this step)
② Append the public key to authorized_keys2
# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys2 (appends the content of id_rsa.pub to authorized_keys2)
3. SSH certificate login verification
# ssh root@<B_IP> (because no private key passphrase was set, no password is required and the login succeeds)
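The B-side steps above as a repeatable script (an added example, not part of the original article; `install_pubkey`, `check_ssh_perms` and the sample key line are made up for illustration). It validates the uploaded file, appends it only once, and sets the owner-only modes sshd expects when StrictModes is on; it defaults to the article's authorized_keys2 file name, and a different name can be passed if the server's AuthorizedKeysFile setting names one.

```shell
#!/bin/sh
# Added example: the B-side steps (create the key file, append A's public key)
# made repeatable, with the modes sshd's StrictModes check accepts.
# install_pubkey / check_ssh_perms are hypothetical helper names.

# Constructed sample line in public-key format (not a usable key).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDSAMPLEONLY root@A'

# install_pubkey PUBKEY_FILE SSH_DIR [AUTH_FILE_NAME]
install_pubkey() {
    ip_pub=$1; ip_dir=$2; ip_auth="$2/${3:-authorized_keys2}"
    [ -r "$ip_pub" ] || { echo "cannot read $ip_pub" >&2; return 1; }
    # Only the first line of the uploaded file is considered.
    ip_key=$(head -n 1 "$ip_pub")
    # Accept only a public-key line; this rejects a private key
    # ("-----BEGIN ...") uploaded by mistake.
    printf '%s\n' "$ip_key" | grep -Eq \
      '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' \
      || { echo "not a public key: $ip_pub" >&2; return 1; }
    # Create directory and file accessible by the owner only.
    ( umask 077; mkdir -p "$ip_dir" && touch "$ip_auth" ) || return 1
    chmod 700 "$ip_dir" && chmod 600 "$ip_auth" || return 1
    # Append only if the exact line is absent, so reruns add no duplicates.
    grep -qxF -e "$ip_key" "$ip_auth" || printf '%s\n' "$ip_key" >> "$ip_auth"
}

# check_ssh_perms SSH_DIR [AUTH_FILE_NAME]
# Fails if the directory or key file is writable by group or others.
check_ssh_perms() {
    for cp_path in "$1" "$1/${2:-authorized_keys2}"; do
        [ -e "$cp_path" ] || { echo "missing: $cp_path" >&2; return 1; }
        cp_bad=$(find "$cp_path" -prune \( -perm -020 -o -perm -002 \))
        [ -z "$cp_bad" ] || { echo "group/world-writable: $cp_path" >&2; return 1; }
    done
}
```

On B, `install_pubkey /root/.ssh/id_rsa.pub /root/.ssh && check_ssh_perms /root/.ssh` stands in for the touch and cat steps.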
Third, other application scenarios:
SecureCRT: remote connection to Linux with SSH certificate login
Most systems in use domestically run Windows, and Windows has many graphical SSH clients. The most popular and most powerful is SecureCRT, so I will cover separately the key points of SSH certificate login to Linux with SecureCRT. The steps are as follows:
1. Create the private key and public key in SecureCRT:
Main menu -> Tools -> Create Public Key -> select RSA -> enter a passphrase for the private key -> enter 1024 for the key length -> click Finish. Two files are generated, named identity and identity.pub by default.
2. Convert the private key and public key to OpenSSH format:
Main menu -> Tools -> Convert Private Key to OpenSSH Format -> select the private key file identity that was just generated -> enter the private key's passphrase -> two files are generated, named id_rsa and id_rsa.pub.
3. Upload the public key id_rsa.pub to the SSH server, then configure it as in the server-side certificate configuration described earlier.
In addition, if you previously used a SecureCRT certificate on Windows to log in to Linux, and one day you switch to Linux and want to use the original private key to log in to the company's servers, you can copy id_rsa into the ~/.ssh/ directory.
Note:
SSH is sensitive to the file and directory permissions of certificates. Either set the file and directory permissions according to the error prompts, or set the StrictModes option to no.
Passwordless SSH login for Hadoop deployment
Hadoop requires the master to jump to each slave without a password, so the master is the SSH client described above. The steps are as follows:
1. On the Hadoop master, generate a public and private key pair; in this case the private key cannot have a passphrase.
2. Upload the public key to the specified directory on each slave, which completes the passwordless SSH jump.
Fourth, summary:
SSH certificate login is the most commonly used login method in real work. I have drawn on real work scenarios to introduce SSH certificate login, and explained it with examples from the popular Hadoop deployment and from SecureCRT, the most commonly used client on Windows.