Hi all,
Current status:
Each colleague's private key and public key are stored on the bastion host, so if the bastion is compromised, the security of the backend servers behind it is gone as well. For that reason, the key pairs are now kept on each person's own local machine, and the bastion and the backend servers store only the public key. Even if the bastion is compromised, no private key is exposed, so the backend servers are not put at risk through stolen keys. For example:
Let's take SecureCRT as an example:
Bastion host: 192.168.85.128
Backend server: 192.168.85.130 (this server only allows logins from the bastion host)
1. Generate the public/private key pair in SecureCRT
First, "Tools" - "Create Public Key"
2. Configure ssh-agent (agent forwarding)
3. Upload the public key to the bastion and backend servers and import it into authorized_keys
SecureCRT writes the public key in RFC 4716 format; ssh-keygen -i converts it to the one-line OpenSSH format before appending:
ssh-keygen -i -f identity.pub >> ~/.ssh/authorized_keys
4. Log in to the bastion host
Configure SecureCRT to log on to the bastion host with the private key. The bastion never holds your private key; it stays on your local machine.
5. Log in to the backend server 192.168.85.130 through the bastion host
I use SecureCRT; anyone using another client can refer to:
https://www.vandyke.com/support/tips/agent_forwarding.html
One more thing: if you are logging in from a Linux machine, you need to put a file in the /etc/profile.d/ directory; that file is provided in the attachment.
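For readers on an OpenSSH client instead of SecureCRT, here is the same setup as an added example (not from the original post or its attachment). The host aliases, login name and key path are assumptions; the IPs are the ones above. It also shows ProxyJump, which reaches the backend through the bastion without exposing the agent to it at all.

```ssh_config
# ~/.ssh/config on the engineer's workstation (added example for OpenSSH;
# aliases "bastion"/"backend", user "ops" and the key path are assumptions)

# The private key stays on this machine and is only ever offered from here.
Host bastion
    HostName 192.168.85.128
    User ops
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Forward the agent to this host only; never set ForwardAgent under "Host *".
    # While a session is open, a compromised bastion can use the forwarded agent
    # to authenticate elsewhere, but it cannot read or copy the private key.
    ForwardAgent yes

# Option A (what the post does): ssh bastion, then from the bastion
# run "ssh 192.168.85.130"; the second hop authenticates via the forwarded agent.

# Option B: ProxyJump. The backend connection is tunnelled through the bastion
# and authenticated from the workstation, so no agent is forwarded at all.
Host backend
    HostName 192.168.85.130
    User ops
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# On 192.168.85.130, "only allows logins from the bastion" can additionally be
# enforced per key in ~/.ssh/authorized_keys (placeholder key shown):
#   from="192.168.85.128" ssh-ed25519 AAAA...PUBLIC-KEY-PLACEHOLDER... ops@workstation
```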
This article is from the "Freeterman" blog; please keep this source when reproducing it: http://myunix.blog.51cto.com/191254/1878926
A more secure bastion host login method