[Linux] using Ssh-keygen to generate RSA keys in the Linux CLI

RSA is a public-key cryptography algorithm, which was presented in 1977 by Ron Rivest of MIT, Adi Shamir, Leonard Adleman, so the algorithm is named after the first letter of the three-person surname.

SSH is the secure shell abbreviation, which is a security protocol based on the application layer and the transport layer, providing a secure transport and usage environment for the Shell running on the computer.

Traditional rsh, FTP, POP, and Telnet network protocols are easily attacked by middlemen because they are transmitted in plaintext. To prevent the remote transmission of information from leaking, the SSH protocol supports encrypting the transmitted data, so it can also prevent DNS and IP spoofing. In addition, the data transmitted by the SSH protocol can be compressed, so it can speed up the data transfer. The initial SSH protocol was developed by the Finnish Tatu Ylönen in 1995 and is currently owned by SSH Communications Security, and since October 1999 open source software OpenSSH was developed for copyright reasons, it has become the de facto standard implementation of SSH protocol (SSH Communications Security provides SSH software that uses a different private key format than the OpenSSH)and is also the current Linux standard configuration.

Basic framework

　　The SSH protocol is divided into three main protocols:

1. Transport Layer Protocol (the Transport layer Protocol): The Transport Layer protocol provides server authentication, data confidentiality, information integrity and other support.

2. User authentication protocol (authentication Protocol): User authentication protocol provides client authentication for the server.

3. Connection Agreement (the Connection Protocol): The connection protocol divides the encrypted information tunnel into logical channels for use in higher-level application protocols.

Authentication method

SSH provides two types of security verification methods:

1. Password-based: The client logs on to the server using the account and password, and all transmitted data is encrypted. But there may be fake servers that impersonate a real server to interact with the client and cannot avoid a man-in-the-middle attack.

2. Based on the key: use a pair of keys (private key + public key) to place the public key on the server registration. When a user logs on to a server from a client, the server receives a security authentication request using the key (that is, the public key registered on the server), the server is first compared to the public key that is sent from the client and the public key registered with the client, and if it is consistent, the server uses that public key to encrypt data to "challenge"[ 1], thus avoiding man-in-the-middle attacks.

Tools provided by OpenSSH

The OpenSSH provides several tools:

1. SSH: Implements the SSH protocol to establish a secure connection, which replaces the earlier rlogin and Telnet.

2. SCP, SFTP: Remotely transfer files using the SSH protocol, which replaces the earlier RCP.

3. SSHD:SSH server daemon, running on server side.

4. Ssh-keygen: Used to generate RSA or DSA key pairs.

5. Ssh-agent, Ssh-add: A tool for managing keys.

6. Ssh-keyscan: Scans the hosts in the network to record the found public key.

　　

Generate key Pair

Use Ssh-keygen to generate a key pair (private key + public key):

$Ssh-keygenGenerating Public/private RSA key pair. Enterfile inch whichTo save the key (/home/xavier/.SSH/id_rsa): Id_rsaenter Passphrase (empty forno passphrase): Enter same passphrase Again:your identification has been savedinchId_rsa. Your public key has been savedinchid_rsa.pub.The Key fingerprint is:ce: the: -: 3d:a1:3a: About: B3: on: $: +: 0f:d1:cc:D 4:FA [email protected]xthe Key's Randomart image is:+--[RSA2048]----+|         .=..   || .        .+ .  || .  +  .      .   ||  o O.     O.    || O..   S O | | . . XE.     .      ||       X + | |      =         ||          . |+-----------------+

Ssh-keygen uses the RSA algorithm by default, is 2048 bits long, generates a private key file Id_rsa and a public key file Id_rsa.pub, and two files are saved by default in the user's ~/.ssh directory. You can specify the key file path in the command line interaction process, or you can set the key password, if you set the key password, you need to enter the password when you log in with the key.

The Ssh-keygen supports the-F option to specify the key file path, the-t option specifies the encryption algorithm, the-B option specifies the key length, the-n option specifies the key password, and the-C option specifies the comment.

As soon as the public key file Id_rsa.pub is submitted to the server, the string containing the file is read and appended to the server-side user's home directory ~/.ssh/authorized_keys file, the client holding the private key can log on to the server using the SSH protocol.

Public key fingerprint

Since the public key length is generally 1024 or 2048 bytes, it is inconvenient to make a comparison, so a shorter string is usually used to represent it, and this is the public key fingerprint. Public key fingerprint calculation method is generally the public key string MD5 or SHA-1, such as a digest calculation, a 1024-byte length of the RSA algorithm public key, the fingerprint computed after the public key fingerprint only a (MD5 digest) bytes or (SHA-1) bytes.

You can use the Ssh-keygen tool to calculate the public key fingerprint:

Ssh-keygen -L-F id_rsa.pub2048 CE:--:: 3d:a1:3a: £ º B3:  ::0f:d1:cc:d 4:fa  [email protected] (RSA)

If the client is accessing the server for the first time, the following information is prompted:

$SSH[Email protected]192.168.1.5The authenticity of host'192.168.1.5 (192.168.1.5)'Can't be established.RSA key fingerprint is 1c:bb:f1:e5: +: the: the:d 3:Panax Notoginseng: B7:8f:b3:4a:6f:b6: -. Is you sure want to continue connecting (yes/no)?Yeswarning:permanently added'192.168.1.5'(RSA) to the list of known hosts.

This is because the client first connects to the target server, the client does not have the public key stub of the target server, so the system tells you the public key fingerprint used by the server you are currently connecting to (the public key fingerprint represents the public key, but the length is shorter to identify), you need to see if the fingerprint is correct, if the correct connection is established Do not establish a connection if the fingerprint is suspect.

This public key fingerprint is calculated based on the server's public key, and the server's public key is generally stored in the/etc/ssh/ssh_host_rsa_key.pub file. If you know the server public key in advance, then you can naturally easily identify the fingerprint and decide whether to establish a connection, but if the Internet is connected to a strange server, you know the public key of the target server, so that the current fingerprint is not a malicious intermediary server provided, in order to solve this problem, Server-side administrators need to announce their public key in advance, or to request a certificate from a certificate authority, the user simply use the public key, or go to the certification Authority certificate to download the certificate can identify the current connected server is a false middleman.

Once you confirm the fingerprint legitimacy and establish a connection, the client will save the server's public key in the $HOME/.ssh/known_hosts file, the next time the system automatically sends the other side of the public key is compared to the known public key, if the correct connection is directly established, If incorrect, a warning is given that the public key does not match and prevents the connection from being established.

When a connection cannot be made due to a public key mismatch, there may be several reasons why the target server has replaced the public key, and the destination server has replaced the IP address or domain name, causing you to connect to the other host causing the public key to be mismatched; Whatever the reason, you should be wary of establishing a connection.

　　

　　

Note:

[1] "challenge" refers to the server using public key encryption data sent to the client, the client uses a paired private key to decrypt the data, the client successfully decrypted after the answer sent back to the server for verification, the result is consistent challenge success, indicating that the client is a legitimate user can conduct secure communication.

Report:

1. RSA algorithm

[Linux] using Ssh-keygen to generate RSA keys in the Linux CLI