Preface
This article is based on real Linux administration work. Using the actual process of SSH certificate login as the example, it explains the configuration principle of SSH certificate login and, based on that principle, solves problems met in practice: SecureCRT certificate login under Windows, and the password-free jumps needed to deploy a Hadoop cluster.
SSH supports password login and certificate login. Beginners like to log in with a password, even as the root account with the password 123456. In real work, especially at Internet companies, login is basically by certificate. Intranet machines may still be logged into with a password, but a machine on the external network that allows password login is very vulnerable to attack; in a real production environment, SSH login is certificate login.
Steps for certificate logon
1. The client generates the certificate, that is, the private key and the public key. The private key stays on the client and must be kept safe. To guard against a hacker copying the client's private key, the client sets a password on the private key when generating it; each time you log in to the SSH server, the client enters that password to unlock the private key. (If you use a private key without a password and one day the server is hacked, you will have no way to clear your name.)
2. The server adds a trusted public key: the client-generated public key is uploaded to the SSH server and appended to the specified file. With that, the SSH certificate login configuration is complete.
If the client wants to log on to another SSH server with the same private key, the same public key can be uploaded to that server as well.
In real work: employees generate their private and public keys (always remember to set the private key password) and send the public key to the operations staff. Operations registers the public key and opens permissions on one or more servers for them; the employee can then log on to the servers he is authorized for with his private key and do system maintenance work. So the employee is responsible for protecting his private key. If someone maliciously copies it and no private key password was set, the servers are all finished, and the employee can take a long vacation.
Client generates the private key and public key
Run the command at the client terminal:
ssh-keygen -t rsa
RSA is a cryptographic algorithm; there is also DSA. Certificate login commonly uses RSA.
Assuming the user is blue, running ssh-keygen will produce in my home directory, under ~/.ssh/, the two keys required: the private key (id_rsa) and the public key (id_rsa.pub).
The other prompt is the password of the private key. Unless this is a test, or you specifically need password-less SSH, do not enter an empty passphrase (just pressing Enter); it is appropriate to think of a password containing special characters.
SSH server-side configuration
The SSH server is configured as follows:
vim /etc/ssh/sshd_config

# Disabling root account login is not necessary, but for security purposes please configure it
PermitRootLogin no

# This guards against users setting the permissions of some important files wrong, which may
# cause problems. For example, if the permissions of the user's ~/.ssh/ are wrong, in some
# special cases the user will not be allowed to log in
StrictModes no

# Whether users are allowed to log in using their own key pair; for protocol version 2 only
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Log in with the certificate and disable password login; security matters
PasswordAuthentication no
After configuring the SSH server, we have to upload the client's public key to the server side and append the client's public key to authorized_keys.
Execute the command on the client:
scp ~/.ssh/id_rsa.pub blue@<ssh_server_ip>:~
Execute the command on the server:
cat id_rsa.pub >> ~/.ssh/authorized_keys
If you have modified the configuration in /etc/ssh/sshd_config, you need to restart the SSH server:
/etc/init.d/ssh restart
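The server-side steps above (append the public key, set StrictModes, disable password login) are easy to get subtly wrong: a plain `cat >>` adds the same key again on every run, wrong permissions on ~/.ssh make sshd reject the key, and sshd uses the first occurrence of a duplicated keyword in sshd_config, so a later `PasswordAuthentication no` does nothing if an earlier line says `yes`. The POSIX shell script below is an added example, not code from the original article. It installs a public key idempotently with the permissions that let StrictModes stay at its default of yes instead of being disabled, and reports the value sshd will actually use for a keyword. The public key and the sshd_config it works on are constructed sample data (the key is not a real key); the helper names install_pubkey and sshd_effective are my own.

```shell
#!/bin/sh
# Added example (not from the original article).
# install_pubkey <pubkey_file> <home_dir>
# Appends the key to <home_dir>/.ssh/authorized_keys only if it is not already
# present, then tightens permissions so sshd's StrictModes check passes.
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    # Compare on key type and base64 body (fields 1-2); the comment field may differ
    key_body=$(awk '{print $1, $2}' "$pubkey_file")
    if ! awk '{print $1, $2}' "$auth_file" | grep -qxF "$key_body"; then
        cat "$pubkey_file" >> "$auth_file"
    fi
}

# sshd_effective <config_file> <keyword>
# Prints the value sshd will use: the first non-comment line whose keyword
# matches (case-insensitive); later duplicates are ignored, as sshd does.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# --- constructed demo input: not a real key, not a real server's config ---
work=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0CONSTRUCTEDKEYBODYnotARealKey0000= blue@client\n' \
    > "$work/id_rsa.pub"
cat > "$work/sshd_config" <<'EOF'
# constructed sshd_config sample
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
EOF

install_pubkey "$work/id_rsa.pub" "$work/home"
install_pubkey "$work/id_rsa.pub" "$work/home"   # second run must not duplicate the key
echo "authorized_keys entries: $(awk 'END{print NR}' "$work/home/.ssh/authorized_keys")"
echo "effective PasswordAuthentication: $(sshd_effective "$work/sshd_config" PasswordAuthentication)"
```

Run it on a real server by pointing install_pubkey at the uploaded id_rsa.pub and the target user's home directory; sshd_effective against /etc/ssh/sshd_config is a quick way to confirm that PasswordAuthentication and PermitRootLogin really are what you think before restarting sshd.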
Client logs in to the SSH server via the private key
The ssh command:
ssh -i /blue/.ssh/id_rsa blue@<ssh_server_ip>
The scp command:
scp -i /blue/.ssh/id_rsa filename blue@<ssh_server_ip>:/blue
Having to specify the private key on every command is very tedious, so we can add the path of the private key to the SSH client's default configuration.
Modify /etc/ssh/ssh_config:
# In fact, the default id_rsa is already in the private key search path; this is just an example
IdentityFile ~/.ssh/id_rsa
# If there are other private keys, add their paths as well
IdentityFile ~/.ssh/blue_rsa
Other Application Scenarios
SecureCRT key remote connection: SSH certificate login to Linux
Most systems used domestically are Windows, and Windows has many graphical SSH clients; the most popular and most powerful is SecureCRT, so I will separately cover the key points of implementing SSH certificate login to Linux with SecureCRT. The steps are as follows:
1. Create the private key and public key in SecureCRT: main menu -> Tools -> Create Public Key; select RSA -> set the key length to 1024 -> click Done. Two files are generated, by default named identity and identity.pub.
2. Convert the private key and public key to OpenSSH format: main menu -> Tools -> Convert Private Key to OpenSSH Format; select the private key file identity just generated -> enter the private key password. Two files are generated; name them id_rsa and id_rsa.pub.
3. Upload the public key id_rsa.pub to the SSH server and configure the server side as in the certificate login configuration above.
Also, if you previously signed in to Linux with SecureCRT on Windows and one day switch to Linux and want to log in to the company's servers with the original private key, copy id_rsa into the ~/.ssh/ directory and configure the SSH client as described above.
Note: SSH is sensitive to the file and directory permissions of the certificate. Either set the file and directory permissions according to the error prompt, or set the StrictModes option to no.
Password-free SSH login for Hadoop deployments
Hadoop requires the master to jump to each slave without a password, so the master is the SSH client in the steps above, as follows:
On the Hadoop master, generate the key pair; in this scenario the private key cannot have a password.
Upload the public key to the specified directory on each slave, completing the password-free SSH jump.
Summary
SSH certificate login is the most common login method in real work. I have combined real work scenarios to popularize the knowledge of SSH certificate login, and explained certificate login with the examples of the popular Hadoop deployment and SecureCRT, the most commonly used client on Windows.
Transferred from: http://www.cnblogs.com/ggjucheng/archive/2012/08/19/2646346.html
LINUX-SSH Certificate Login (detailed example)