Replacing the Default Public or Private Key Pair
Currently, only the ibc_os_hsuser can use digital signature RSA to use SSH to log in to the device without a password on the heartbeat port. To ensure account security, it is recommended that you replace the default ibc_os_hs public/private key pair with your own key pair. You can generate a public/private key pair as instructed by the following or use other tools to generate one. Currently, the ibc_os_hs user only supports RSA.
Operation
- On a device running Linux, log in as root, run the ssh-keygen -t rsa command to generate a public/private key pair, and press Enter to accept all the default settings. A private key file id_ras and a public key file id_rsa.pub are generated and are saved in the /root/.ssh/id_rsa file, as shown in Figure B-1.
- Run the mv command to rename the public key file id_rsa.pub to authorized_keys.
mv /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
- Run getremotefile to upload private key file id_rsa and public key file authorized_keys to the /home/permitdir directory of each controller on disk arrays.
- Log in to the controllers and enter the developer mode by running the following command:
admin:/>change user_mode current_mode user_mode=developer developer:/> \\ Login succeeds.
Switch to the minisystem mode, run changeibckey to replace the public and private keys of ibc_os_hs, and store the keys to disks.
Figure B-2 Replacing the public and private keys of ibc_os_hs