"Hadoop series" Linux SSH Principle analysis

Source: Internet
Author: User

In this article, bold italics mark shell commands; the operating environment is CentOS 6.5.

Linux root password-free login: see "Hadoop series" Linux root user password-free login to remote host SSH.

Linux non-root user password-free login: XXXXXXX (not yet written)

Under Linux, remote machines are logged into with the SSH protocol. Let's start with what SSH actually is.

One, what is SSH?

Simply put, SSH is a network protocol that provides encrypted logins between computers.
If a user logs on to a remote computer from the local computer over SSH, the login can be considered secure: the password is not exposed even if the traffic is intercepted in transit, provided the client has verified that it is really talking to the intended host (see the sections on the man-in-the-middle attack and password login below).
In the earliest days, Internet communication was in cleartext; once intercepted, the content was exposed. In 1995 the Finnish researcher Tatu Ylönen designed the SSH protocol to encrypt all login traffic. It became a basic building block of Internet security and is now standard on Linux systems.
Note that SSH is only a protocol; there are many implementations, both commercial and open source. The implementation used in this article is OpenSSH, which is free software and very widely deployed.

Two, the most basic usage

SSH is primarily used for remote login. Suppose you want to log in to the remote host host as the user user; a single command is enough:
ssh user@host
If the local user name matches the remote user name, the user name can be omitted:
ssh host
The default port of SSH is 22, meaning the login request is sent to port 22 of the remote host. With the -p option you can change this port:
ssh -p 2222 user@host
The above command tells ssh to connect to port 2222 of the remote host instead.

Three, man-in-the-middle attack

SSH is secure because it uses public-key cryptography. In simplified form, a password login works like this:

(1) The remote host receives the user's login request and sends its own public key to the user.
(2) The user encrypts the login password with this public key and sends it back.
(3) The remote host decrypts the password with its private key and, if the password is correct, allows the login.

(In the real SSH-2 protocol the host key is used to sign a Diffie-Hellman key exchange, and the password travels inside the resulting encrypted channel rather than being encrypted directly with the host key. The trust question below is the same either way.)

The exchange is encrypted, but it has a weak point: in step (1) the user has no independent way to know that the public key received really belongs to the remote host. An attacker sitting between the two machines can intercept the login request and hand the user their own public key; the user then encrypts the password with the attacker's key, the attacker decrypts it, learns the password, and relays the login to the real host. This is a man-in-the-middle attack. How does the SSH protocol cope with it?

Four, password login

When you log in to a host for the first time, the following prompt appears:
# ssh 192.168.31.230
The authenticity of host '192.168.31.230 (192.168.31.230)' can't be established.
RSA key fingerprint is bc:0a:19:0b:16:d1:45:7b:ee:73:3b:a1:ed:55:e7:90.
Are you sure you want to continue connecting (yes/no)?
This message means that the client cannot confirm the identity of the remote host; it only knows the host's public key fingerprint and asks whether you still want to connect.
A natural question is: how does the user know what the remote host's public key fingerprint should be?
The answer is that there is no in-band way. The fingerprint has to be obtained out of band: the host's administrator publishes it (on a web site, in a wiki, or by reading it off the console of the machine with ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub), and the user compares it with the value in the prompt before answering. Typing yes without comparing is exactly the "first use" an attacker in the middle would exploit.
Assuming the risk has been weighed, the user decides to accept the remote host's public key:
Are you sure you want to continue connecting (yes/no)? yes
The system then reports that the host has been recorded:
Warning: Permanently added '192.168.31.230' (RSA) to the list of known hosts.
You are then asked for the password.
If the password is correct, you are logged in.
Once accepted, the remote host's public key is stored on the client in /root/.ssh/known_hosts. On the next connection to this host the client finds the stored key, skips the warning, and asks for the password directly. If the key the host presents ever differs from the stored one, OpenSSH prints "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" and refuses to continue; this is the protection against a man-in-the-middle appearing later, so the stored entry should only be replaced after confirming out of band that the host's key really was regenerated.
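The checks described in this section, as an added example (not code from the original article): how the client derives the fingerprint it shows at first connection (both the colon-separated MD5 form printed by the OpenSSH on CentOS 6 and the SHA256 form of current OpenSSH), how to compare it with a fingerprint obtained out of band, and how a known_hosts entry turns "trust on first use" into detection of a changed key. The demo key is a constructed number in the ssh-rsa wire format, not a real RSA key; only the encoding and hashing matter here, and the host name and comment are made up.

```python
# Added example, not code from the original article: fingerprint derivation and
# the known_hosts trust-on-first-use check. Standard library only.
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' wire encoding (RFC 4251): uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH 'mpint' encoding of a positive integer (an extra leading byte keeps the sign bit clear)."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """The blob OpenSSH base64-encodes in the second field of an 'ssh-rsa' key line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the form shown in the prompt above."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current default: 'SHA256:' + unpadded base64 of SHA-256 over the same blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_matches(blob: bytes, published: str) -> bool:
    """Compare a fingerprint copied from an out-of-band source against the offered key.

    Accepts either format; tolerates case and the 'MD5:' prefix some tools print.
    """
    candidate = published.strip()
    if candidate.upper().startswith("MD5:"):
        candidate = candidate[4:]
    if candidate.startswith("SHA256:"):
        return candidate == fingerprint_sha256(blob)
    return candidate.lower() == fingerprint_md5(blob)


def key_line(blob: bytes, comment: str) -> str:
    """Render a blob as the text form used in *.pub, authorized_keys and known_hosts."""
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_key_line(line: str):
    """Parse 'ssh-rsa <base64> [comment]' into (key_type, blob); the blob names its own type."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (inner_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + inner_len] != key_type.encode():
        raise ValueError("key type field does not match the key blob")
    return key_type, blob


def check_known_hosts(known_hosts_text: str, host: str, offered_blob: bytes) -> str:
    """Trust-on-first-use decision for one host (plain, unhashed entries only).

    Returns 'new' (no entry: the client must ask the user, as in the prompt above),
    'match' (silent connect) or 'CHANGED' (OpenSSH refuses to connect and prints
    'REMOTE HOST IDENTIFICATION HAS CHANGED!').
    """
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hosts, rest = line.split(None, 1)
        if host in hosts.split(","):
            _, stored_blob = parse_key_line(rest)
            return "match" if stored_blob == offered_blob else "CHANGED"
    return "new"


# Constructed demo key: a 256-byte odd number shaped like a modulus, NOT a real RSA key.
DEMO_E = 65537
DEMO_N = int.from_bytes(hashlib.sha256(b"demo host key").digest() * 8, "big") | 1
DEMO_BLOB = rsa_public_blob(DEMO_E, DEMO_N)
# Constructed known_hosts content for the address used in the article's prompt.
DEMO_KNOWN_HOSTS = "192.168.31.230 " + key_line(DEMO_BLOB, "root@server") + "\n"

if __name__ == "__main__":
    print("MD5    ", fingerprint_md5(DEMO_BLOB))
    print("SHA256 ", fingerprint_sha256(DEMO_BLOB))
    print("first connect:", check_known_hosts("", "192.168.31.230", DEMO_BLOB))
    print("reconnect:    ", check_known_hosts(DEMO_KNOWN_HOSTS, "192.168.31.230", DEMO_BLOB))
    print("other key:    ", check_known_hosts(DEMO_KNOWN_HOSTS, "192.168.31.230",
                                              rsa_public_blob(3, DEMO_N)))
```

The fingerprint is a hash of the whole wire-format blob (key type plus the integers), which is why the same key prints the same fingerprint on any client and why ssh-keygen -lf on the server's own ssh_host_rsa_key.pub yields the value to publish. Hashed known_hosts entries (lines starting with |1|) are not handled by this parser.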

Five, public key login

Logging in with a password means typing the password every time, which is tedious. Fortunately SSH also offers public-key login, which removes that step.
The principle of "public-key login" is simple: the user stores their own public key on the remote host.
At login the remote host sends the user a random string; the user signs it with their private key and sends the signature back. The remote host verifies the signature with the stored public key; if it checks out, the user has proven possession of the private key and the login shell is granted without asking for a password. (The "encrypt with the private key" of the usual explanation is this signing step: only the private key can produce a value that the public key verifies.)
This requires the user to have a key pair. If there is none, generate one with ssh-keygen:
ssh-keygen -t rsa -P ''
(-P '' means an empty passphrase; the file path is taken from the next prompt.)
# ssh-keygen -t rsa -P ''
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Press Enter. The system writes two files under /root/.ssh/: id_rsa (the private key) and id_rsa.pub (the public key).
Generating the key pair is purely a client-side file operation, so the sshd service does not need to be restarted. The private key must stay readable only by its owner: ssh-keygen creates it with mode 0600, and ssh refuses to use a private key that is readable by group or others. With an empty passphrase anyone who can read id_rsa can log in as you, so either protect the file carefully or give the key a passphrase and hold it in ssh-agent.

Six, the authorized_keys file

On the remote host, the user's public key is stored in ~/.ssh/authorized_keys in the home directory of the account being logged in to (/root/.ssh/authorized_keys for root). The public key is a single line of text, so it is simply appended to the end of authorized_keys. Copy id_rsa.pub from the client to the remote host (with scp, or by pasting it), then run on the remote host, with ~/.ssh/id_rsa.pub being the copied client key:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
(ssh-copy-id user@host does the copy and the append in one step.) sshd checks permissions before trusting the file: ~/.ssh should be mode 700, authorized_keys mode 600, and neither the home directory nor ~/.ssh may be writable by group or others; otherwise public-key login silently falls back to the password prompt.

"Hadoop series" Linux SSH Principle analysis

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.