About SmartLogin

Modified: 05 Jan 2015 18:04 UTC

In the past, the combination of a username and password was a typical way of handling user authentication. As hackers started developing more sophisticated ways of cracking authentication, such as brute-force attacks and sniffing, SSH was born. SmartLogin is an extension of SSH that supports "live" lookups of authentication information. 

At a Glance

This topic explains how authentication in the Joyent Public Cloud works with SmartLogin.

Password Authentication vs. SSH Key Authentication

In general, public key authentication is far more secure than password authentication because it falls in the "what you have" category of authentication, as opposed to "what you know". A client starts by generating an SSH key pair: a public key and a private key. When a client connects to a server through SSH, it sends the public key to the authenticating server and the server verifies the client has the corresponding private key before granting access. This renders public key authentication many orders of magnitude more difficult to crack than password authentication. 

Static vs. "Live" Lookup

The trouble with SSH authentication in cloud computing is that public and private keys are typically stored in a static file format, such as an authorized_keys file in a standard place on the server filesystem, for example /home/username/.ssh/authorized_keys. That file contains a list of SSH-formatted public keys that are allowed to log in as the specified user.

SmartLogin refers to the set of components that run as part of the Joyent Public Cloud and enable "live" public key authentication over SSH. The term "live" refers to authentication that checks against a cached value stored through the Customer API rather than a value stored in a static format such as an authorized_keys file. SmartLogin allows you to dynamically update SSH key information through the Cloud Management portal and those updates are automatically propagated across all SmartMachines you provision in the Joyent Public Cloud.

How SmartLogin Works

Instead of generating user accounts and passwords on each newly provisioned SmartMachine, SmartMachines in the Joyent Public Cloud use information maintained by SmartLogin for authentication. By default, SmartMachines are pre-configured with root and admin.user accounts. When you log into a SmartMachine with one of these user accounts using SSH, SmartLogin looks for a public key that corresponds to a private key on the client machine in the following places, in this order:

  1. The ~/.ssh/authorized_keys file for the account. This is the typical way that SSH works.
  2. The cache memory for the datacenter. 
  3. If SmartLogin is unable to find the key in cache memory, it will search for the key in the customer record of the SmartMachine owner.

On SmartMachine Base images, password authentication is disabled. This means you will need to generate an SSH key before you can access systems provisioned from the SmartMachine Base image.

Disabling SmartLogin 

Although SSH keys are more secure, you may prefer to access your SmartMachines through a standard username and password. Once you have used your SSH key to access a machine, you can revert to using a login name and password if you prefer.

Disabling SmartLogin for SmartMachine Plus

For machines provisioned from the SmartMachine Plus image, you need to enable password access for one of the pre-configured accounts. Once you do that, you can disable the SmartLogin plugin and the live SSH key lookup on any given SmartMachine with the steps below.

Before disabling SmartLogin, ensure you do one of the following first:
  • Add the SSH key manually to the .ssh/authorized_keys file located on the SmartMachine.
  • Enable password access for one of your user accounts.

  1. Open this file:

  2. Comment out the following line like this: 
    # PubKeyPlugin libsmartsshd.so

  3. Save and close the file.
  4. Restart the SSH service:
    svcadm restart ssh

SmartLogin is now disabled.
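
A pre-flight for the two preconditions listed above, as an added example rather than Joyent's own tooling: it reports whether commenting out the plugin line would still leave a static key or password login as a way back in. The function names, the verdict strings and the use of the sshd PasswordAuthentication keyword are assumptions of this example; both file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: lockout pre-flight to run before commenting out the
# PubKeyPlugin line. Paths are passed in by the caller (assumption: you know
# where the sshd configuration and the account's authorized_keys live).

# True when an uncommented "PubKeyPlugin libsmartsshd.so" line is present.
smartlogin_enabled() {
    awk 'tolower($1) == "pubkeyplugin" && $2 == "libsmartsshd.so" { f = 1 }
         END { exit !f }' "$1"
}

# Number of non-blank, non-comment lines (one public key per line).
static_key_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true
}

# True when the first PasswordAuthentication directive is "yes".
# Assumption: the password fallback is controlled by this sshd keyword; the
# check cannot tell whether the account actually has a password set.
password_auth_enabled() {
    v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$v" = "yes" ]
}

# Prints a verdict; returns 1 only when disabling SmartLogin would leave
# neither a static key nor password login as a way back in.
smartlogin_preflight() {
    cfg=$1; keys=$2
    smartlogin_enabled "$cfg" || { echo "already-disabled"; return 0; }
    n=$(static_key_count "$keys")
    [ "$n" -gt 0 ] && { echo "ok-static-key"; return 0; }
    password_auth_enabled "$cfg" && { echo "ok-password"; return 0; }
    echo "lockout-risk"; return 1
}

# Constructed sample input: plugin active, passwords off, no static key.
demo_dir=$(mktemp -d)
printf 'PubKeyPlugin libsmartsshd.so\nPasswordAuthentication no\n' > "$demo_dir/sshd_config"
: > "$demo_dir/authorized_keys"
smartlogin_preflight "$demo_dir/sshd_config" "$demo_dir/authorized_keys" || true
rm -rf "$demo_dir"
```

Run it from a session you keep open until a second login succeeds after the SSH service restart.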

Disabling SmartLogin for SmartMachine Base

SmartMachines you provision from the SmartMachine Base image do not include pre-configured user accounts. On these machines, ensure you SSH in as the root user before disabling SmartLogin and set the password for the root and admin users:

Changing password for root:

    [root@machine-ip ~]# passwd
    passwd: Changing password for root
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for root

Changing password for admin:

    [root@machine-ip ~]# passwd admin
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for admin