More secure Bastion Machine login method

Hi,all

Current Status:

each colleague's private key and public key are stored on the bastion server, and if Bastion is compromised, the security of the Bastion backend server is gone. Based on this consideration, the public and private keys are now stored in their own local, bastion and bastion back-end servers only save the public key, so that even if the bastion is compromised, the bastion server does not have security threats , such as:

650) this.width=650; "Src=" Http://s3.51cto.com/wyfs02/M00/8B/03/wKiom1hBMsegdm7IAABpNyLkjIo282.jpg-wh_500x0-wm_3 -wmp_4-s_289639570.jpg "title=" 1.jpg "alt=" Wkiom1hbmsegdm7iaabpnylkjio282.jpg-wh_50 "/>

Let's take SecureCRT as an example:

Fortress Machine: 192.168.85.128

Back-end server: 192.168.85.130 (this server only allows bastion machines to log on)

1. SECURECRT generate public key private key

First "Tools" - "Create Public key"

650) this.width=650; "Src=" Http://s5.51cto.com/wyfs02/M01/8A/FF/wKioL1hBMv_SkGFxAAHDMR8Z8Rk948.jpg-wh_500x0-wm_3 -wmp_4-s_2128464134.jpg "style=" Float:none; "title=" 2.jpg "alt=" Wkiol1hbmv_skgfxaahdmr8z8rk948.jpg-wh_50 "/>

650) this.width=650; "Src=" Http://s5.51cto.com/wyfs02/M02/8B/03/wKiom1hBMwCCuP6IAAGMJRQqujs451.jpg-wh_500x0-wm_3 -wmp_4-s_190664806.jpg "style=" Float:none; "title=" 3.jpg "alt=" Wkiom1hbmwccup6iaagmjrqqujs451.jpg-wh_50 "/>

650) this.width=650; "Src=" Http://s3.51cto.com/wyfs02/M02/8A/FF/wKioL1hBMwHCxJ-9AAHmqr3arVo922.jpg-wh_500x0-wm_3 -wmp_4-s_4031747269.jpg "style=" Float:none; "title=" 4.jpg "alt=" Wkiol1hbmwhcxj-9aahmqr3arvo922.jpg-wh_50 "/>

650) this.width=650; "Src=" Http://s3.51cto.com/wyfs02/M00/8B/03/wKiom1hBMwHhIHHAAAHLHnqVLOU069.jpg-wh_500x0-wm_3 -wmp_4-s_602161362.jpg "style=" Float:none; "title=" 5.jpg "alt=" Wkiom1hbmwhhihhaaahlhnqvlou069.jpg-wh_50 "/>

650) this.width=650; "Src=" Http://s4.51cto.com/wyfs02/M02/8A/FF/wKioL1hBMwKDp0FVAAIZ6f4ucGg406.jpg-wh_500x0-wm_3 -wmp_4-s_3164238182.jpg "style=" Float:none; "title=" 6catchec61 (12-02-16-29-08). jpg "alt=" Wkiol1hbmwkdp0fvaaiz6f4ucgg406.jpg-wh_50 "/>

2, Configuration Ssh-agent

650) this.width=650; "Src=" Http://s1.51cto.com/wyfs02/M00/8A/FF/wKioL1hBMx3Tstc6AAK92t-DGb4800.jpg-wh_500x0-wm_3 -wmp_4-s_130489570.jpg "title=" 7catchfea3 (12-02-16-29-08). jpg "alt=" wkiol1hbmx3tstc6aak92t-dgb4800.jpg-wh_50 "/ >

3. Upload the public key to the bastion and back-end servers and import to Authorized_keys

ssh-keygen-i-F identity.pub >> Authorized_keys

4, Login Springboard machine

Set the private key to log on to the fortress machine, when the board does not have your private key, the private key is stored locally,

650) this.width=650; "Src=" Http://s3.51cto.com/wyfs02/M02/8A/FF/wKioL1hBM22wT8E4AAOGcdhoyoM347.jpg-wh_500x0-wm_3 -wmp_4-s_3562932681.jpg "style=" Float:none; "title=" 8catchd034 (12-02-16-29-08). jpg "alt=" Wkiol1hbm22wt8e4aaogcdhoyom347.jpg-wh_50 "/>

650) this.width=650; "Src=" Http://s2.51cto.com/wyfs02/M00/8A/FF/wKioL1hBM3HyBQxyAAXYFIhwqUc860.jpg-wh_500x0-wm_3 -wmp_4-s_272800755.jpg "style=" Float:none; "title=" 9catch2fe6 (12-02-16-29-08). jpg "alt=" Wkiol1hbm3hybqxyaaxyfihwquc860.jpg-wh_50 "/>

5, through the Springboard machine login to the back end of the 192.168.85.130

650) this.width=650; "Src=" Http://s4.51cto.com/wyfs02/M01/8A/FF/wKioL1hBM4fQp-amAAwmnM1EgTo953.jpg-wh_500x0-wm_3 -wmp_4-s_2493878980.jpg "title=" 10catcha5d5 (12-02-16-29-08). jpg "alt=" wkiol1hbm4fqp-amaawmnm1egto953.jpg-wh_50 "/ >

I use the securecrt Use other clients can refer to the classmate:

Https://www.vandyke.com/support/tips/agent_forwarding.html

Another is that you have a Linux server, you need to put a file in the/etc/profile.d/directory, the file has been saved in the attachment.

This article is from the "Freeterman" blog, make sure to keep this source http://myunix.blog.51cto.com/191254/1878926

More secure Bastion Machine login method