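NetScaler appliances are usually managed by running ssh nsroot@ip and then entering the password. Application deployment, however, requires scripts that log in automatically, so SSH public-key login is needed instead of password login. The steps are as follows: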
Excerpted from:
http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/netscaler/ns-initial-config-using-ssh-tsk.html
Accessing a NetScaler by Using SSH Keys and No Password
Updated: 2009-10-09
In a setup with a large number of NetScaler
appliances, you will have to store and look up passwords for each appliance
before you can log on to the appliance. To avoid this, you can set up secure
shell access with public key encryption on the appliance so that you are not
prompted for the password. To do this, you will need to first generate the
public/private key on the client and then copy the public key to the NetScaler.
1, To generate the public/private key on a Linux client
Change directory to /root/.ssh
Generate the public and private key pair.
At the prompt, type:
[root@localhost .ssh]# ssh-keygen -t rsa
Press Enter when prompted for a file name
to save the key.
Press Enter when prompted for a passphrase.
2, To copy the public key (id_rsa.pub) to the remote NetScaler
Log on to the remote NetScaler from the
Linux client.
Change directory to /nsconfig/ssh. At the
prompt, type:
cd /nsconfig/ssh
Change to binary mode and copy the public
key to this directory. At the prompt, type:
bin
put id_rsa.pub
3, To set up secure shell access with public key encryption on the NetScaler
Open a connection to the NetScaler using a
telnet/SSH client, such as PuTTY.
Log on to the NetScaler with the
administrator credentials.
At the shell prompt, change the directory
to /nsconfig/ssh.
Append the public key to the
authorized_keys file and change permissions. At the prompt, type:
cat id_rsa.pub >> authorized_keys
chmod 755 authorized_keys
Remove the public key (optional). At the
rm id_rsa.pub
4, Check the permissions as below:
If you have stored the keys in the /nsconfig/ssh directory, which is a symbolic link to the /flash/ssh directory, and the keys do not appear to be working, check the permissions of the /flash directory. An erroneous build may have caused the /flash directory to have full read-write-execute permissions (777). The NetScaler sshd server does not use these keys if the containing folder is writable by all users. Check that the permissions of /flash and /flash/nsconfig are 755; if they are not, change them to 755 using chmod 755 /flash and chmod 755 /flash/nsconfig.
--- This part is excerpted from http://support.citrix.com/article/ctx114020
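The permission check in step 4, as an added example that is not part of the Citrix article or the original post: a POSIX shell function that resolves the symlinked directory and walks from the authorized_keys file up to a stop directory, printing every path that is writable by group or other. The page describes the world-writable (777) case; flagging group-writable paths as well goes beyond it and follows OpenSSH's StrictModes check. The names audit_key_path and loose_perm are hypothetical.

```shell
#!/bin/sh
# Added example: audit the permission chain above an authorized_keys file.
# Function names are hypothetical; paths are supplied by the caller.

# Print the path if it is writable by group or other, nothing otherwise.
loose_perm() {
    find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null
}

# audit_key_path FILE [STOP_DIR]
# Resolves symlinks in FILE's directory (e.g. /nsconfig/ssh -> /flash/ssh),
# then checks FILE and each parent directory up to STOP_DIR (default /).
# Prints one offending path per line; returns 1 if any were found,
# 2 if a path cannot be resolved, 0 if the chain is clean.
audit_key_path() {
    file=$1
    stop=${2:-/}
    dir=$(cd -P "$(dirname "$file")" 2>/dev/null && pwd -P) || {
        echo "cannot resolve directory of $file" >&2
        return 2
    }
    stop=$(cd -P "$stop" 2>/dev/null && pwd -P) || return 2
    bad=0
    path="$dir/$(basename "$file")"
    while :; do
        if [ -n "$(loose_perm "$path")" ]; then
            echo "$path"
            bad=1
        fi
        if [ "$path" = "$stop" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $bad
}

# Stand-alone use: sh audit.sh /nsconfig/ssh/authorized_keys
if [ "$#" -gt 0 ]; then
    audit_key_path "$@"
fi
```

Any path it prints can be corrected with chmod 755 as described above.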
5, To verify secure shell access with public key encryption on the NetScaler
On the client, verify that you can connect
to the remote NetScaler by using SSH, without entering the password. At the
prompt, type:
ssh -i rsa nsroot@NSIPaddress
You should not be prompted for a password.
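Addendum:
In NetScaler versions before 9.1, the authorized_keys file used for SSH authentication is stored in the /root/.ssh directory. Because that directory is lost when the appliance reboots, you need to create a file named rc.netscaler in the /nsconfig directory that runs automatically after NetScaler starts, similar to /etc/rc.local. After startup, NetScaler does not execute /etc/rc.local; it executes /nsconfig/rc.netscaler instead. The file contents are as follows: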
root@ns # cat rc.netscaler
#!/bin/sh
mkdir -p /root/.ssh
# The quoted string below is the public key generated on the client
echo 'ssh-rsa h9u+OwOYJaCnWor9G*******= admin@host1' > /root/.ssh/authorized_keys
chmod -R 700 /root/.ssh
chmod 600 /root/.ssh/*
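In version 9.1 and later (including 9.1), the authorized_keys file used for SSH authentication is stored in the /nsconfig/ssh directory. Perhaps this was changed because the /root/.ssh directory disappears after a reboot.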