This post covers the ssh_authorized_keys setting in the cloud-config.yaml config file. For the other settings, see https://benjr.tw/96511
```yaml
#cloud-config
hostname: coreos1
# include one or more SSH public keys
ssh_authorized_keys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5wZYPD/mBs+9O9CrUxdg9kpOus24VrMuNncdt4BRc4iF5npV90HYe5j/y3IG6+2MRbAb2edyf/FUcaJHN/V+i123456yuqyAT2rv9T0eB2+wpmYCUQzqZscJP2uLK8jMhezKWS0l7X5CgJf+d17VooS6CADR9MyTbku3upKp5yEnsCfB+pBLGdrqCUTnGHPfJcLTBIvuMriz/kae0azxcderfbw7YWR8oKdWjKYKlznnBmH6VYFcgv/jSXbRbdZjKNSXIm2xIj6TIIJmo6sWhptcGohi467ODyrzCDioXD1MsYx6ImTMcY5mzL2RDePAW7CM4gWIMaIxDeL5e10SX ben@appledeAir
```
The question is how to generate this ssh-rsa entry (the default user that ssh_authorized_keys applies to is core).
ssh_authorized_keys
After installation the default CoreOS user core has no password, so there is no way to log in. Through the config file you can allow login over SSH (Secure SHell), with RSA asymmetric encryption used for identity verification: the sending side generates a pair of keys (Public / Private Key) that is used to confirm its identity, as follows.
- Sender: generates the two keys (Public/Private Key). The Public Key (P) is published for others to use, while the Private Key (S) is kept by the owner. The sender encrypts the message M with its own Private Key (S) and sends out the encrypted data S(M).
- Receiver (CoreOS): the receiver can use the sender's public key to recover M = P(S(M)); in this way the receiver can be sure who the sender is.
In short, a public key is generated on the SSH client and written into the installation config file, so that it is stored on the CoreOS side for authentication. Below is how to generate this public key with the common SSH clients.
- Mac OS 10 / Linux
First, create the two keys (Public Key and Private Key) on Mac OS with the ssh-keygen command (the steps are the same on Linux):

```
appledeAir:~ ben$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/ben/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/ben/.ssh/id_rsa.
Your public key has been saved in /Users/ben/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9yvVc6q/uROmYtY39PcWNIhuADHa6TMsrf6QpmFoUh4 ben@appledeAir
The key's randomart image is:
+---[RSA 2048]----+
| o.              |
| o.o             |
| . o. . .        |
| + . . . o       |
| E . *S + .. .   |
| o.. + o. +. *.. |
|.o.o = .o.+ *.   |
|o . = . = o.=.+  |
| . ... o oo+=*+  |
+----[SHA256]-----+
appledeAir:~ ben$ ls .ssh/*
.ssh/id_rsa  .ssh/id_rsa.pub  .ssh/known_hosts
```
The key generated above is an RSA key, stored in $HOME/.ssh (id_rsa is the private key, id_rsa.pub the public key). The passphrase protects the private key (you need it to unlock the private key); it can also be left empty.
The content of this id_rsa.pub file is what goes into ssh_authorized_keys in the cloud-config.yaml config file. The next problem is how to get the finished cloud-config.yaml into the CoreOS installation environment: it can be copied with SCP over SSH, but first a password has to be set for the CoreOS user core.
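Before pasting the key into the config file it is worth checking that it is intact. The script below is an added example (not code from the original post or from CoreOS): it parses an id_rsa.pub line the way sshd reads it, recomputes the SHA256 fingerprint that ssh-keygen printed above so you can confirm the pasted key matches, rejects RSA keys shorter than 2048 bits, and emits the cloud-config text. The function names, the 2048-bit minimum and the constructed test key are my assumptions.

```python
import base64
import hashlib
import struct

def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[off:off + 4])  # struct.error if truncated
    if len(blob) < off + 4 + length:
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + length], off + 4 + length

def parse_authorized_key(line):
    """Parse one 'ssh-rsa <base64> [comment]' line, i.e. the id_rsa.pub format."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    wire_type, off = _read_string(blob, 0)  # "ssh-rsa"
    _e, off = _read_string(blob, off)       # public exponent (mpint)
    n, off = _read_string(blob, off)        # modulus (mpint)
    if wire_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("blob is not a well-formed ssh-rsa key")
    bits = int.from_bytes(n, "big").bit_length()
    # ssh-keygen prints SHA256 of the raw blob, base64 without '=' padding
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": "ssh-rsa", "bits": bits, "fingerprint": "SHA256:" + digest, "comment": comment}

def render_cloud_config(hostname, keys, min_bits=2048):
    """Validate every key, then emit the cloud-config text shown in the article."""
    for key in keys:
        info = parse_authorized_key(key)
        if info["bits"] < min_bits:
            raise ValueError(f"{info['comment'] or 'key'}: {info['bits']}-bit RSA is below {min_bits}")
    lines = ["#cloud-config", f"hostname: {hostname}", "ssh_authorized_keys:"]
    lines += [f"  - {key}" for key in keys]
    return "\n".join(lines) + "\n"

def _mpint(value):  # SSH mpint: big-endian, leading 0x00 when the high bit is set
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def constructed_rsa_key(bits=2048, comment="user@example"):
    """Constructed, syntactically valid ssh-rsa line for offline testing; NOT a real key pair."""
    modulus = (1 << (bits - 1)) | 1  # exactly `bits` bits long; not a product of primes
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

Run parse_authorized_key on the line from your own id_rsa.pub and compare the returned fingerprint with the one ssh-keygen printed; a mismatch means the pasted text was altered.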
```
core@localhost ~ $ sudo passwd core
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
core@localhost ~ $
```
Now scp can copy it over to CoreOS.
```
appledeAir:~ ben$ scp Desktop/cloud-config.yaml core@172.16.15.233:/home/core/
Password:
cloud-config.yaml                          100%  950   356.8KB/s   00:00
appledeAir:~ ben$ ssh core@172.16.15.233
Password:
Last login: Sun Jan 8 13:24:15 UTC 2017 from 172.16.15.1 on ssh
CoreOS stable (1185.3.0)
Update Strategy: No Reboots
core@localhost ~ $
```
- Windows 7
On Windows the public and private keys can be generated with PuTTYgen – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Click Generate to create the key pair. The public key is shown directly in the upper pane and can be copied straight into the cloud-config.yaml config file; the private key has to be saved with Save private key.
Afterwards PuTTY SSH can log in to CoreOS with that private key.
After booting from the CoreOS disc you land in text mode; install directly with the coreos-install command. This time -c is used to specify the cloud-init config.
```
core@localhost ~ $ sudo coreos-install -d /dev/sda -C stable -c ~/cloud-config.yaml
2016/12/21 09:41:12 Checking availability of "local-file"
2016/12/21 09:41:12 Fetching user-data from datasource of type "local-file"
Downloading the signature for https://stable.release.core-os.net/amd64-usr/1185.3.0/coreos_production_image.bin.bz2...
2016-12-21 09:41:14 URL:https://stable.release.core-os.net/amd64-usr/1185.3.0/coreos_production_image.bin.bz2.sig [543/543] -> "/tmp/coreos-install.fmCj9mKD5k/coreos_production_image.bin.bz2.sig" [1]
Downloading, writing and verifying coreos_production_image.bin.bz2...
...
Success! CoreOS stable 1185.3.0 is installed on /dev/sda
core@localhost ~ $ sudo reboot
```
Parameters used:
-d ( DEVICE ) – Install CoreOS to the given device.
-C ( CHANNEL ) – Release channel to use (e.g. stable, beta)
-c ( CLOUD ) – Insert a cloud-init config to be executed on boot.
After the reboot you can connect over SSH.
After installation, the cloud-config file that CoreOS was installed with is kept on the system:
```
core@coreos1 ~ $ sudo cat /var/lib/coreos-install/user_data
#cloud-config
hostname: coreos1
# include one or more SSH public keys
ssh_authorized_keys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5wZYPD/mBs+9O9CrUxdg9kpOus24VrMuNncdt4BRc4iF5npV90HYe5j/y3IG6+2MRbAb2edyf/FUcaJHN/V+i123456yuqyAT2rv9T0eB2+wpmYCUQzqZscJP2uLK8jMhezKWS0l7X5CgJf+d17VooS6CADR9MyTbku3upKp5yEnsCfB+pBLGdrqCUTnGHPfJcLTBIvuMriz/kae0azxcderfbw7YWR8oKdWjKYKlznnBmH6VYFcgv/jSXbRbdZjKNSXIm2xIj6TIIJmo6sWhptcGohi467ODyrzCDioXD1MsYx6ImTMcY5mzL2RDePAW7CM4gWIMaIxDeL5e10SX ben@appledeAir
```
SSH Client – Mac OS 10: no password is needed, only the passphrase (if you set one when generating the key).
```
appledeAir:~ ben$ ssh core@172.16.15.233
The authenticity of host '172.16.15.233 (172.16.15.233)' can't be established.
ECDSA key fingerprint is SHA256:oyghKPqtDfLxJt3D2csbbDk6vg2rSQmVW4wjTsHXAks.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.15.233' (ECDSA) to the list of known hosts.
Enter passphrase for key '/Users/ben/.ssh/id_rsa':
CoreOS stable (1185.3.0)
```
You can also take a look at /home/core/.ssh/authorized_keys; its content is indeed the same as what we configured.
```
core@coreos1 ~ $ cat .ssh/authorized_keys
# auto-generated by /usr/bin/update-ssh-keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5wZYPD/mBs+9O9CrUxdg9kpOus24VrMuNncdt4BRc4iF5npV90HYe5j/y3IG6+2MRbAb2edyf/FUcaJHN/V+i123456yuqyAT2rv9T0eB2+wpmYCUQzqZscJP2uLK8jMhezKWS0l7X5CgJf+d17VooS6CADR9MyTbku3upKp5yEnsCfB+pBLGdrqCUTnGHPfJcLTBIvuMriz/kae0azxcderfbw7YWR8oKdWjKYKlznnBmH6VYFcgv/jSXbRbdZjKNSXIm2xIj6TIIJmo6sWhptcGohi467ODyrzCDioXD1MsYx6ImTMcY5mzL2RDePAW7CM4gWIMaIxDeL5e10SX ben@appledeAir
```
After logging in you can set the password for user core.
```
core@coreos1 ~ $ sudo passwd core
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
```
root has no password set either, so set it here as well.
```
core@coreos1 ~ $ sudo passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
```
This CoreOS has no services configured yet; the related services are covered in a later post: https://benjr.tw/96511 .