More secure Bastion Machine login method

Source: Internet
Author: User

Hi, all,

Current status:

Until now each colleague's private key and public key were stored on the bastion host, so if the bastion was compromised, the security of every server behind it was gone as well. Based on this consideration, the key pairs are now kept on each person's own local machine; the bastion and the back-end servers store only the public keys. Then, even if the bastion is compromised, the attacker obtains no private key from it and has nothing with which to authenticate onward to the back-end servers.


Let's take SecureCRT as an example:

Bastion host: 192.168.85.128

Back-end server: 192.168.85.130 (this server accepts logins only from the bastion host)

1. Generate a public/private key pair in SecureCRT

First, Tools -> Create Public Key... and follow the wizard. Keep the private key it produces on your own machine; only the public key file (identity.pub in the command below) ever leaves it.


2. Configure the SSH agent

SecureCRT must hold the key in its agent and forward that agent to the bastion; both settings (Add keys to agent, Enable OpenSSH agent forwarding) live under Global Options, SSH2, and the VanDyke agent-forwarding page linked at the end of this post walks through them. Agent forwarding is what lets a second ssh hop from the bastion authenticate with a key that never leaves your workstation.


3. Upload the public key to the bastion and the back-end servers and import it into authorized_keys

SecureCRT exports the public key in the SSH2 (RFC 4716) format, which OpenSSH does not read directly, so convert it while appending:

ssh-keygen -i -f identity.pub >> ~/.ssh/authorized_keys

Do this on the bastion and on every back-end server. ~/.ssh must be mode 700 and authorized_keys mode 600; with the default StrictModes, sshd ignores the file otherwise and public-key login silently fails.

4. Log in to the bastion host

Configure the session to authenticate with your private key. The bastion never holds that key: it stays on your local machine, and the agent answers the bastion's signature challenge on your behalf. One caveat: while the agent is forwarded, anyone with root on the bastion can use (though not read) your key for as long as your session lasts, so forward the agent only to bastions you trust and disconnect when you are done.



5. From the bastion host, log in to the back-end server 192.168.85.130

Because the agent is forwarded, the ssh client on the bastion authenticates to 192.168.85.130 with the key on your workstation; nothing is copied to the bastion. A quick check: ~/.ssh on the bastion should contain authorized_keys and known_hosts but no private key file.

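The conversion in step 3 and the "no private key on the bastion" check behind steps 4 and 5, as an added example that is not code from the original post: a Python reimplementation of what ssh-keygen -i -f identity.pub >> authorized_keys does, which also verifies the algorithm name embedded in the key blob before installing it, appends to authorized_keys only once, prints the SHA256 fingerprint to compare with the copy on the workstation, and lists any file in a .ssh directory whose header looks like a private key (on a correctly set-up bastion that list is empty). The sample SecureCRT export is constructed from a toy blob and is not a real key; the alice@workstation comment and the file names are made up.

```python
"""Install a SecureCRT-exported (RFC 4716) public key into authorized_keys and audit
a .ssh directory for stray private keys.  Added example, not code from the original
post: the conversion is what `ssh-keygen -i -f identity.pub` does, and the sample key
below is a toy blob constructed here, not a real key."""
from __future__ import annotations
import base64
import hashlib
import struct
from pathlib import Path

ALLOWED_TYPES = {b"ssh-rsa", b"ssh-ed25519", b"ecdsa-sha2-nistp256",
                 b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0) -> tuple[bytes, int]:
    """Read one wire-format string from blob; return (value, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


# Constructed sample: toy ssh-rsa blob (e = 65537, 16-byte fake modulus) wrapped the way
# SecureCRT's "Create Public Key" exports it, including a Comment header continued with '\'.
TOY_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00\xc3\x8a\x4f\x21\x77\xd1\x05\x9e\x33\xab\x60\x0e\xf2\x5c\x81"))
SAMPLE_B64 = base64.b64encode(TOY_BLOB).decode()
SAMPLE_RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
                  'Comment: "toy key, \\\n'
                  'alice@workstation"\n'
                  + "\n".join(SAMPLE_B64[i:i + 70] for i in range(0, len(SAMPLE_B64), 70))
                  + "\n---- END SSH2 PUBLIC KEY ----\n")


def rfc4716_to_openssh(text: str) -> str:
    """Return 'type base64 comment' for an RFC 4716 public key, like ssh-keygen -i."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (not lines or lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----"
            or lines[-1] != "---- END SSH2 PUBLIC KEY ----"):
        raise ValueError("not an RFC 4716 public key")
    headers, body, tag = {}, [], None   # tag stays set while a header continues on the next line
    for line in lines[1:-1]:
        if tag is None and ":" not in line:  # base64 never contains ':', so this is body
            body.append(line)
            continue
        if tag is None:
            tag, _, value = line.partition(":")
            tag, value = tag.strip(), value.strip()
        else:
            value = headers[tag] + line
        headers[tag] = value.rstrip("\\")
        tag = tag if value.endswith("\\") else None
    b64 = "".join(body)
    blob = base64.b64decode(b64, validate=True)
    key_type, _ = read_ssh_string(blob)   # the first wire string names the algorithm
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    comment = headers.get("Comment", "").strip('"')
    return f"{key_type.decode()} {b64}" + (f" {comment}" if comment else "")


def key_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it, for comparing client and server copies."""
    digest = hashlib.sha256(base64.b64decode(pubkey_line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def install_authorized_key(pubkey_line: str, authorized_keys: Path) -> bool:
    """Append the key unless its blob is already present (comment ignored); True if written."""
    b64 = pubkey_line.split()[1]
    existing = authorized_keys.read_text().splitlines() if authorized_keys.exists() else []
    if any(b64 in entry.split() for entry in existing):  # also matches entries with options
        return False
    authorized_keys.parent.mkdir(parents=True, exist_ok=True)
    with authorized_keys.open("a") as fh:
        fh.write(pubkey_line + "\n")
    authorized_keys.chmod(0o600)   # with StrictModes (the default) sshd ignores a writable file
    return True


def find_private_keys(ssh_dir: Path) -> list[Path]:
    """Bastion audit: files whose header looks like a PEM/OpenSSH or SecureCRT private key."""
    hits = []
    for p in (sorted(ssh_dir.iterdir()) if ssh_dir.is_dir() else []):
        head = p.read_bytes()[:64] if p.is_file() else b""
        if head.startswith(b"---- BEGIN SSH2 ENCRYPTED PRIVATE KEY") or (
                head.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in head):
            hits.append(p)
    return hits
```

Usage: rfc4716_to_openssh(Path("identity.pub").read_text()) gives the authorized_keys line, install_authorized_key(line, Path.home() / ".ssh" / "authorized_keys") installs it once, and find_private_keys(Path.home() / ".ssh") run on the bastion should return an empty list. Matching on the base64 blob rather than the whole line means a re-export with a different comment does not create a second entry, and rejecting unknown algorithm names in the blob catches a file that is not a public key at all before it lands in authorized_keys.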

I use SecureCRT; those using other clients can refer to:

https://www.vandyke.com/support/tips/agent_forwarding.html



Another point: if you have a Linux server, you need to put a file in the /etc/profile.d/ directory; that file is in the attachment to the original post.


This article is from the "Freeterman" blog; please keep this source link when reproducing it: http://myunix.blog.51cto.com/191254/1878926

