Streamlined login and increase security – key-based SSH login

  • 9 April 2020

  • Nutanix Employee

Logging into the cluster 5 times a day (we can’t imagine why but you’re the boss) and always re-attempting the login because you can never enter the password right? Concerned about the security of transmitting your password across the network? Looking for an extra security layer? All of these are valid reasons to enable key-based authentication for SSH sessions.

 

Generally speaking, there are two options:

  • Go completely passwordless

  • Use a combination of a public key and a password

 

How does it work? You generate a key pair (a public and a private key) using the RSA algorithm. You never share the private key with any other system or server. The public key, on the other hand, you add to Prism.

 

On the first login, the public RSA key of the server (Prism in this instance) is shared with the client (the session initiator); together with the public key of the host recorded in Prism, this makes up a mutual public key exchange. Since the public key on its own, without its private part, is not enough to decrypt the data, and the private key is never shared with any other system or person (please don’t) – voila! Enhanced security! From now on, authentication will consist of encrypting a challenge message with a public key on the client side and decrypting that message with a private key on the server. No password is transferred.
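A pre-flight check for the step where the public key is added to Prism, as an added example that is not from the original post or from Nutanix: it confirms the pasted text is an RSA public key rather than the private half, and computes the SHA256 fingerprint in the form `ssh-keygen -l` shows. The function names, the 2048-bit floor and the sample key built inside the code are assumptions.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # assumed local policy floor, not a Nutanix requirement

def read_string(blob, offset):
    """Read one RFC 4251 length-prefixed field; return (bytes, new offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_public_key(text):
    """Validate an OpenSSH RSA public key line; return (bits, fingerprint)."""
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; it must never leave the client")
    fields = text.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)  # bad base64 -> ValueError
    key_type, pos = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the prefix")
    _exponent, pos = read_string(blob, pos)
    modulus, pos = read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after the modulus")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA modulus is only {bits} bits")
    digest = hashlib.sha256(blob).digest()
    return bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def constructed_key(bits):
    """Build a well-formed ssh-rsa line from a made-up modulus (not a usable key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 per mpint
    blob = field(b"ssh-rsa") + field((65537).to_bytes(3, "big")) + field(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    print(check_public_key(constructed_key(2048)))
```

Compare the returned fingerprint with the one your client reports for the same key before saving it, so you know the key recorded on the cluster is the one you generated.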

 

Should you wish to complicate things a little, you could use a passphrase when generating the key pair, and that will become your password. Once you set it up, both things have to match: the RSA keys as well as the password. The price to pay is that every time you wish to change the password, you have to regenerate the key pair.

 

The safest method to connect is, of course, to refrain from connecting. You can always lock down your cluster (please, please, please, make sure you have valid records of the admin and nutanix local users for the cluster if you choose that path).

 

For full instructions on how to set up key-based authentication, refer to KB-1895, How to create a password-less SSH login to your Nutanix cluster.

The Security Guide has a section on Controlling Remote (SSH) Access.

 

Stay safe and secure!

