Based on the actual Linux management work, this article explains the actual process of logging on with an SSH certificate, explains the configuration principle of logging on with an SSH certificate, and solves the problem in actual work based on the configuration principle, in Windows, there are various issues about using securecrt certificates to log on, as well as non-Password redirection issues that meet hadoop cluster deployment requirements.
SSH has Password Logon and certificate logon. beginners prefer Password Logon, or even Root Account Logon. The password is 123456. However, in practice, especially for Internet companies, certificates are basically logged on. Intranet machines may log on with a password, but on the Internet machines, If you log on with a password, it is very vulnerable to attacks. In a real production environment, SSH Login is a certificate login.
Certificate logon procedure
1. the client generates a certificate: the private key and public key, and then the private key is placed on the client and properly saved. Generally, for security purposes, when a hacker accesses the client to copy the private key, A password will be set. Each time you log on to the SSH server, the client will enter the password to unbind the private key (if you are using a private key without a password at work, one day the server was hacked and you couldn't even find it when you jumped to the Yellow river ).
2. Add a public credit key to the server: Upload the Public Key generated by the client to the SSH server and add it to the specified file. In this way, the SSH certificate logon configuration is complete.
Assume that the client wants to log on to another SSH server through the private key. Similarly, you can upload the public key to another SSH server.
In real work: the employee generates the private key and Public Key (remember to set the private key and password), and then sends the public key to the O & M personnel. The O & M personnel will register your public key, activate the permissions of one or more servers for you, and then the employee can log on to the server with the permission through a private key for system maintenance. Therefore, an employee has the responsibility to protect his/her private key. If someone maliciously copies the key and you have not set the password, the server will be complete and the employee will be able to take a long vacation.
The client creates a private key and a public key.
Run commands on the Client Terminal
RSA is a password.AlgorithmAnd DSA, which is commonly used for certificate logon.
Assume that the user is blue and the ssh-keygen command will generate the two required keys in the. Ssh/directory under my home directory, which arePrivate Key (id_rsa) and Public Key (id_rsa.pub).
In addition, it is the password of the private key. If it is not a test or requires no SSH password, passphrase cannot be empty (Press enter directly). You must properly think of a password with special characters.
SSH Server Configuration
The SSH server configuration is as follows:
Vim/etc/ssh/ Sshd_config # Disable Root Account logon, not necessary, but for security, Please configure Permitrootlogin No # Whether to have sshd check the permission data of the user's home directory or related files, # This is to worry that users may set the permissions of some important files incorrectly, which may cause some problems. # For example, the user's ~. When the ssh/permission is set incorrectly, users are not allowed to log on in some special circumstances. Strictmodes No # Whether to allow users to log on to the pair key system on their own, only for version 2. # The self-made public key data is stored in. Ssh/authorized_keys in the user's home directory. Rsaauthentication yespubkeyauthentication yesauthorizedkeysfile % H/. Ssh/ Authorized_keys # If you have logged on with a certificate, disable Password Logon. Security is critical. Passwordauthentication No
After configuring the SSH server, we need to upload the client's public key to the server, and then add the client's public key to authorized_keys.
Execute commands on the client
SCP ~ /. Ssh/id_rsa.pub blue @ <ssh_server_ip> :~
Execute commands on the server
Cat id_rsa.pub >> ~ /. Ssh/authorized_keys
If you have modified the configuration of/etc/ssh/sshd_config, restart the SSH server.
/Etc/init. d/ssh restart
The client uses the private key to log on to the SSH server.
Ssh-I/blue/. Ssh/id_rsa blue @ <ssh_server_ip>
SCP-I/blue/. Ssh/id_rsa filename blue @ <ssh_server_ip>:/blue
You must specify the private key every time you run the command. This is a very tedious task. Therefore, you can add the Private Key Path to the default configuration of the SSH client.
Other application scenarios
Securecrt key remote connection SSH certificate login Linux
#In fact, the default id_rsa has already been added to the Private Key Path. This is just an example.Identityfile ~ /. Ssh/Id_rsa#If there are other private keys, you must add the paths of other private keys.Identityfile ~ /. Ssh/blue_rsa
Most people in China use Windows, while windows has a lot of SSH client graphics, the most popular and powerful is securecrt, therefore, I will briefly describe the key points for logging on to Linux using an SSH certificate for securecrt. The steps are as follows:
1. Create the private key and public key in securecrt: main Menu-> Tools-> Create public key-> select RSA-> enter the password of the private key-> set the key length to 1024-> Click Finish to generate two files, the default names are identity and identity. pub
2. convert the private key and public key to the OpenSSH format: main Menu-> Tools-> convert the private key to OpenSSH format-> select the newly generated private key file identity-> enter the password of the private key-> generate two files, specified as id_rsa, id_rsa.pub
3. Upload the Public Key id_rsa.pub to the SSH server and configure the server certificate again.
In addition, if you used the Windows securecrt certificate to log on to Linux, one day you changed to Linux and hoped to log on to the company's server with the original private key, copy id_rsa to the reverse ~ In the/. Ssh/directory, configure the SSH client as described above.
Note: SSH is sensitive to the file and directory permissions of the Certificate. Either set the file and directory permissions according to the error prompt, or set the strictmodes option to No.
Password-less SSH Login for hadoop deployment
Hadoop requires that the master node be redirected to each slave without a password, so the master is the SSH client in the preceding section. The steps are as follows:
Generate a public key and private key on the hadoop master. In this scenario, the private key cannot be set as a password.
Upload the public key to the specified directory on each slave to complete SSH password-less jump.
SSH certificate logon is the most common logon Method in actual work. I have popularized the knowledge of SSH certificate logon in combination with real work scenarios, according to the popular hadoop deployment and the most common securecrt instances in windows, the certificate logon is explained.