
Accessing a NetScaler by Using SSH keys and No Password

NetScaler appliances are normally managed by running ssh -l nsroot <NSIP address> and then entering the password to log in. Application deployments, however, need a script to log in automatically, so the login must use an SSH public key rather than a password. To set this up, follow the steps below.

Excerpted from: http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/netscaler/ns-initial-config-using-ssh-tsk.html

Accessing a NetScaler by Using SSH keys and No Password

Updated: 2009-10-09

In a setup with a large number of NetScaler appliances, you will have to store and look up passwords for each appliance before you can log on to the appliance. To avoid this, you can set up secure shell access with public key encryption on the appliance so that you are not prompted for the password. To do this, you will need to first generate the public/private key on the client and then copy the public key to the NetScaler.

1. To generate the public/private key on a Linux client

Change directory to /root/.ssh.

Generate the public and private key pair. At the prompt, type:

[root@localhost .ssh]# ssh-keygen -t rsa

Press Enter when prompted for a file name to save the key.

Press Enter when prompted for a passphrase.

2. To copy the public key (id_rsa.pub) to the remote NetScaler

Log on to the remote NetScaler from the Linux client (the bin and put commands below are FTP client commands).

Change directory to /nsconfig/ssh. At the prompt, type:

cd /nsconfig/ssh

Change to binary mode and copy the public key to this directory. At the prompt, type:

bin

put id_rsa.pub

3. To set up secure shell access with public key encryption on the NetScaler

Open a connection to the NetScaler using a telnet/SSH client, such as PuTTY.

Log on to the NetScaler with the administrator credentials.

At the shell prompt, change the directory to /nsconfig/ssh.

Append the public key to the authorized_keys file and change permissions. At the prompt, type:

cat id_rsa.pub >> authorized_keys

chmod 755 authorized_keys

Remove the public key (optional). At the prompt, type:

rm id_rsa.pub

4. Check the permissions as below:

If you have stored the keys in the /nsconfig/ssh directory, which is a symbolic link to the /flash/ssh directory, and the keys do not appear to be working, check the directory permissions of the /flash directory. An erroneous build may have left the /flash directory with full read-write-execute permissions (777). The NetScaler sshd server does not use these keys if the containing folder is writable by all users. So check that the permissions of /flash and /flash/nsconfig are 755, or change them to 755 with chmod 755 /flash and chmod 755 /flash/nsconfig.

This part is excerpted from http://support.citrix.com/article/ctx114020

5. To verify secure shell access with public key encryption on the NetScaler

On the client, verify that you can connect to the remote NetScaler by using SSH, without entering the password. At the prompt, type:

ssh -i id_rsa nsroot@NSIPaddress

You should not be prompted for a password.

Example

ssh nsroot@<NSIP address>
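The permission condition in step 4 and the password-free login in step 5 can both be checked without an interactive session. The script below is an added example, not part of the Citrix documentation or this post; it uses the directory paths the article names and takes the NSIP address and private key file as arguments.

```shell
#!/bin/sh
# Added example (not from the Citrix documentation or this post): pre-flight
# checks for steps 4 and 5 above. Paths are the ones the article names;
# the NSIP address and key file are supplied by the caller.

# Return 0 if PATH exists and is not world-writable, 1 otherwise.
# Uses ls -ld so it works on both the FreeBSD-based NetScaler shell and Linux:
# in "drwxrwxrwx", characters 8-10 are the permission bits for "other".
not_world_writable() {
    path="$1"
    [ -e "$path" ] || return 1
    other=$(ls -ld "$path" | cut -c8-10)
    case "$other" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Check each directory sshd traverses to reach authorized_keys (step 4:
# sshd ignores the keys if any containing folder is writable by all users).
# Prints one line per directory; the return value is the number of failures.
check_key_path() {
    bad=0
    for d in "$@"; do
        if not_world_writable "$d"; then
            echo "ok   $d"
        else
            echo "FAIL $d missing or world-writable (fix: chmod 755 $d)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Step 5 as a non-interactive check: BatchMode never prompts, so the login
# succeeds only if the public key in authorized_keys is accepted.
# $1 = NSIP address, $2 = private key file (e.g. /root/.ssh/id_rsa)
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 \
        -i "$2" "nsroot@$1" true
}

# Typical use on the appliance, then from the client:
#   check_key_path /flash /flash/nsconfig /nsconfig/ssh && echo "permissions OK"
#   verify_key_login <NSIP address> /root/.ssh/id_rsa && echo "key login works"
```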

Supplement:

On NetScaler versions before 9.1, the authorized_keys file used for SSH authentication is stored in /root/.ssh. Because that directory is lost when the appliance reboots, you need to create a file named rc.netscaler in /nsconfig, which NetScaler runs automatically after boot, similar to /etc/rc.local. After boot, NetScaler does not execute /etc/rc.local; it executes /nsconfig/rc.netscaler. The file contents are as follows:

root@ns # cat rc.netscaler

#!/bin/sh
mkdir -p /root/.ssh
# the key below is the public key generated on the client
echo 'ssh-rsa h9u+OwOYJaCnWor9G*******= admin@host1' > /root/.ssh/authorized_keys
chmod -R 700 /root/.ssh
chmod 600 /root/.ssh/*

From version 9.1 onward (9.1 included), the authorized_keys file for SSH authentication is stored in /nsconfig/ssh, probably because /root/.ssh disappears after a reboot.
