In the past, the combination of a username and password was a typical way of handling user authentication. As hackers started developing more sophisticated ways of cracking authentication, such as brute-force attacks and sniffing, SSH was born. SmartLogin is an extension of SSH that supports "live" lookups of authentication information.
In general, public key authentication is far more secure than password authentication because it falls in the "what you have" category of authentication, as opposed to "what you know". A client starts by generating an SSH key pair: a public key and a private key. When a client connects to a server through SSH, it sends the public key to the authenticating server and the server verifies the client has the corresponding private key before granting access. This renders public key authentication many orders of magnitude more difficult to crack than password authentication.
The trouble with SSH authentication in cloud computing is that public and private keys are typically stored in a static file format, such as an authorized_keys file in a standard place on the server filesystem, for example /home/username/.ssh/authorized_keys. That file contains a list of SSH-formatted public keys that are allowed to log in as the specified user.
SmartLogin refers to the set of components that run as part of the Joyent Public Cloud and enable "live" public key authentication over SSH. The term "live" refers to authentication that checks against a cached value stored through the Customer API rather than a value stored in a static format such as an authorized_keys file. SmartLogin allows you to dynamically update SSH key information through the Cloud Management portal and those updates are automatically propagated across all SmartMachines you provision in the Joyent Public Cloud.
Instead of generating user accounts and passwords on each newly provisioned SmartMachine, SmartMachines in the Joyent Public Cloud use information maintained by SmartLogin for authentication. By default, SmartMachines are pre-configured with root and admin user accounts. When you log into a SmartMachine with one of these user accounts using SSH, SmartLogin looks for a public key that corresponds to a private key on the client machine in the following places:
- The ~/.ssh/authorized_keys file for the account. This is the typical way that SSH works.
- The cache memory for the datacenter.
- If SmartLogin is unable to find the key in cache memory, it will search for the key in the customer record of the SmartMachine owner.
On SmartMachine Base images, password authentication is disabled. This means you will need to generate an SSH key before you can access systems provisioned from the SmartMachine Base image.
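The three lookups listed above can be modelled to show where a given key matches and which keys exist only in the static authorized_keys file rather than in the customer record that the portal updates. This is an added Python sketch, not Joyent's code: the function names, the comparison by SHA256 fingerprint and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return the fingerprints of the keys in authorized_keys content."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the type first.
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                found.add(fingerprint(fields[i + 1]))
                break
    return found

def lookup(offered_b64, authorized_keys_text, dc_cache, customer_record):
    """Model of the three lookups; returns where the key matched, or None."""
    fp = fingerprint(offered_b64)
    if fp in parse_authorized_keys(authorized_keys_text):
        return "authorized_keys"
    if fp in dc_cache:
        return "cache"
    if fp in customer_record:
        return "customer_record"
    return None

def static_only_keys(authorized_keys_text, customer_record):
    """Keys accepted from the file but absent from the customer record."""
    return parse_authorized_keys(authorized_keys_text) - set(customer_record)

# Constructed sample data: the blobs are placeholders, not real keys.
KEY_A, KEY_B, KEY_C = (base64.b64encode(s).decode()
                       for s in (b"constructed-A", b"constructed-B", b"constructed-C"))
AUTH_FILE = f"# admin keys\nssh-ed25519 {KEY_A} old-laptop\nno-pty ssh-rsa {KEY_B} ci\n"
RECORD = {fingerprint(KEY_B), fingerprint(KEY_C)}  # keys in the customer record
CACHE = {fingerprint(KEY_B)}                       # subset already cached

if __name__ == "__main__":
    for name, key in (("A", KEY_A), ("B", KEY_B), ("C", KEY_C)):
        print(name, lookup(key, AUTH_FILE, CACHE, RECORD))
    print("file-only:", static_only_keys(AUTH_FILE, RECORD))
```

Any fingerprint reported by `static_only_keys` belongs to a key that is accepted from the file alone, so it needs to be reviewed on the machine itself.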
Although SSH keys are more secure, you may prefer to access your SmartMachines through a standard username and password. Once you have used your SSH key to access a machine, you can revert to using a login name and password if you prefer.
For machines provisioned from the SmartMachine Plus image, you need to enable password access for one of the pre-configured accounts. Once you do that, you can disable the SmartLogin plugin and the live SSH key lookup on any given SmartMachine by doing the following:
Before disabling SmartLogin, ensure you do one of the following first:
- Open this file:
- Comment out the following line like this:
- Save and close the file.
- Restart the SSH service:
SmartLogin is now disabled.
SmartMachines you provision from the SmartMachine Base image do not include pre-configured user accounts. On these machines, ensure you SSH in as the root user before disabling SmartLogin and set the password for the root and admin users: