
Accessing a NetScaler by Using SSH keys and No Password

A NetScaler appliance is normally managed by running ssh -l nsroot@ip and then entering the password to log in. When applications are released, however, a script has to log in automatically, so the login must use an ssh public key rather than a password. The steps are as follows:

Excerpted from: http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/netscaler/ns-initial-config-using-ssh-tsk.html

Accessing a NetScaler by Using SSH keys and No Password

Updated: 2009-10-09

In a setup with a large number of NetScaler appliances, you will have to store and look up passwords for each appliance before you can log on to the appliance. To avoid this, you can set up secure shell access with public key encryption on the appliance so that you are not prompted for the password. To do this, you will need to first generate the public/private key on the client and then copy the public key to the NetScaler.

1. To generate the public/private key on a Linux client

Change directory to /root/.ssh.

Generate the public and private key pair. At the prompt, type:

[root@localhost .ssh]# ssh-keygen -t rsa

Press Enter when prompted for a file name to save the key.

Press Enter when prompted for a passphrase.

2. To copy the public key (id_rsa.pub) to the remote NetScaler

Log on to the remote NetScaler from the Linux client (the bin and put commands below are those of an FTP client).

Change directory to /nsconfig/ssh. At the prompt, type:

cd /nsconfig/ssh

Change to binary mode and copy the public key to this directory. At the prompt, type:

bin

put id_rsa.pub

3. To set up secure shell access with public key encryption on the NetScaler

Open a connection to the NetScaler using a telnet/SSH client, such as PuTTY.

Log on to the NetScaler with the administrator credentials.

At the shell prompt, change the directory to /nsconfig/ssh.

Append the public key to the authorized_keys file and change permissions. At the prompt, type:

cat id_rsa.pub >> authorized_keys

chmod 755 authorized_keys

Remove the public key (optional). At the prompt, type:

rm id_rsa.pub

4. Check the permissions as below:

If you have stored the keys in the /nsconfig/ssh directory, which is a symbolic link to the /flash/ssh directory, and the keys do not appear to be working, then check the directory permissions of the /flash directory. An erroneous build may have caused the /flash directory to have full read-write-execute permissions (777). The NetScaler sshd server does not use these keys if the containing folder is writable by all users. So you need to check that the permissions of /flash and /flash/nsconfig are 755, or change them to 755 using chmod 755 /flash and chmod 755 /flash/nsconfig.

--- This part is excerpted from http://support.citrix.com/article/ctx114020

5. To verify secure shell access with public key encryption on the NetScaler

On the client, verify that you can connect to the remote NetScaler by using SSH, without entering the password. At the prompt, type:

ssh -i rsa nsroot@NSIPaddress

You should not be prompted for a password.

Example

ssh [email protected]
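An added check for the failure mode in step 4 (this is not code from the Citrix article or from this post): it walks /flash, /flash/nsconfig, /flash/nsconfig/ssh and the authorized_keys file beneath them and flags any entry that is writable by group or others, which is the condition under which the NetScaler sshd ignores the keys. The /flash root is passed as a parameter so the check can be rehearsed on another host, and the ok/UNSAFE/MISSING labels are my own.

```shell
#!/bin/sh
# Permission check for the NetScaler public-key login path (added example).
# sshd silently ignores authorized_keys when a directory above it is writable
# by group or others, so every entry from ROOT down to the key file is tested.
# ROOT is /flash on a real appliance; it is a parameter here so the check can
# be rehearsed anywhere. Only POSIX sh, ls and cut are used, because the
# NetScaler shell is FreeBSD and GNU stat(1) is not available there.

# perm_is_safe PATH: 0 = no group/other write bit, 1 = unsafe, 2 = missing.
# Symlinks (e.g. /nsconfig -> /flash/nsconfig) are followed via ls -L.
perm_is_safe() {
    [ -e "$1" ] || return 2
    mode=$(ls -ldL "$1" | cut -c1-10)      # e.g. drwxr-xr-x
    case "$mode" in
        ?????w*|????????w*) return 1 ;;    # 6th char = group w, 9th = other w
    esac
    return 0
}

# check_key_path ROOT: prints one line per entry and returns the number of
# entries that are missing or unsafe (0 means permissions are fine for sshd).
check_key_path() {
    root=$1
    problems=0
    for p in "$root" "$root/nsconfig" "$root/nsconfig/ssh" \
             "$root/nsconfig/ssh/authorized_keys"; do
        rc=0
        perm_is_safe "$p" || rc=$?
        case "$rc" in
            0) printf 'ok      %s\n' "$p" ;;
            1) printf 'UNSAFE  %s (writable by group/others; chmod 755)\n' "$p"
               problems=$((problems + 1)) ;;
            *) printf 'MISSING %s\n' "$p"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Stand-alone use on the appliance: sh check_key_path.sh /flash
[ $# -gt 0 ] && check_key_path "$1"
```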

Supplement:

On NetScaler versions before 9.1, the authorized_keys file used for ssh authentication is stored in the /root/.ssh directory. Because that directory is lost when the appliance reboots, you need to create a file named rc.netscaler under /nsconfig that runs automatically after NetScaler starts, similar to /etc/rc.local. After booting, NetScaler does not execute /etc/rc.local; it executes /nsconfig/rc.netscaler instead. The file contents are as follows:

root@ns # cat rc.netscaler

#!/bin/sh
# Recreate /root/.ssh on every boot, since it does not survive a reboot on pre-9.1 builds
mkdir -p /root/.ssh
# The key below is the public key generated on the client (id_rsa.pub); its body is elided here
echo 'ssh-rsa h9u+OwOYJaCnWor9G*******= admin@host1' > /root/.ssh/authorized_keys
# Restrict the directory and the key file to the owner only
chmod -R 700 /root/.ssh
chmod 600 /root/.ssh/*

On versions 9.1 and later (including 9.1), the authorized_keys file used for ssh authentication is stored in the /nsconfig/ssh directory. This was probably changed because the /root/.ssh directory disappears after a reboot.
