SSH remote login principle and Putty password-free authentication login Server

Source: Internet
Author: User
Tags: asymmetric encryption

For an ops person, logging in to a server is something we do more often than we eat and drink. Nobody spends the whole day in the machine room managing the company's servers; the less time we spend in that place the better for our health, since radiation damage is cumulative.

We usually manage servers remotely through a terminal. Early terminals completed the remote login over the Telnet protocol, but Telnet transmits everything in clear text over the network: anyone who runs a packet-capture tool anywhere along the path can read your server's account name and password. Today an important criterion in a network security assessment is whether the Telnet service is turned off on your network devices and servers.

To solve the problem that Telnet is unsafe, SSH encrypts the transmitted data to ensure the security of the communication.

SSH stands for Secure Shell. It is an application-layer protocol that uses TCP port 22 by default. SSH is only a protocol; its implementation is provided by applications. On Linux the usual server is OpenSSH; on Windows the terminals we usually use are Xshell, SecureCRT, PuTTY and so on.

The process of logging in to a server from a terminal looks like this: first the user sends a request to the server; the server receives it and sends its own public key to the user; the user encrypts the account password with the server's public key and sends it to the server; the server receives the message, decrypts it with its own private key and verifies it; if verification succeeds, the user is allowed to log in.

There is a problem, however. If someone maliciously intercepts the login request in the middle, he can impersonate the server and send his own public key to the user, and at the same time impersonate the client and send a login request to the real server, so that the attacker obtains the real server's public key. When the user encrypts the password with the fake server's public key and sends it off, the fake server decrypts it with its own private key, and the attacker now holds the user's account password. The attacker then encrypts that password with the real server's public key, sends it to the real server and logs in successfully. This attack, which deceives both ends at once, is known as the "man-in-the-middle attack."

For SSH1 this attack was already a serious threat; SSH2 greatly improved this aspect. Specifically, at the start of an SSH connection, if the client receives an unknown server's public key, OpenSSH prints a warning and asks whether to add the public key or abort the connection. If you add the server's public key to the client's local database, the server's public key is found there automatically the next time you log in, and you are not asked again.
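The "local database" in the paragraph above is the client's known_hosts file, and the only real defence the warning offers is that you compare the fingerprint in the prompt with one read on the server itself (for example with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the server console) before answering yes. The script below is an added example, not code from the original post: it looks a host up in a known_hosts file of the standard OpenSSH layout (host names, key type, key) and compares two fingerprint strings. The host names, keys and fingerprints in it are constructed. Hashed entries (lines beginning with `|1|`) cannot be matched by name this way; for those use `ssh-keygen -F HOST -f FILE`.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the client's known_hosts
# store and compare a host-key fingerprint obtained out of band with the one
# shown in the "unknown host" prompt. All host names, keys and fingerprints
# below are constructed for the demonstration.

# Print the key type and base64 key recorded for HOST in a known_hosts FILE.
# Comment lines and hashed entries ("|1|...") are skipped.
known_host_key() {            # usage: known_host_key HOST FILE
    awk -v host="$1" '
        $1 !~ /^[#|]/ {                      # skip comments and hashed entries
            n = split($1, names, ",")        # first field may list several names
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $2, $3; exit }
        }' "$2"
}

# Normalise a fingerprint string so that "SHA256:abc", "sha256:abc" and a
# fingerprint with surrounding whitespace all compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d '[:space:]' | sed 's/^[Ss][Hh][Aa]256://'
}

# Return 0 when the fingerprint shown in the login prompt equals the one read
# on the server itself (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub).
fingerprint_matches() {      # usage: fingerprint_matches PROMPT_FP SERVER_FP
    [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# --- constructed sample data ---------------------------------------------
KH=$(mktemp)
cat > "$KH" <<'EOF'
# comment line
web01,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYweb01
|1|hashedsalt=|hashedhost= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEhashed
EOF

known_host_key web01 "$KH"        # key type and key recorded for web01
known_host_key 10.0.0.5 "$KH"     # the same entry, matched by address
known_host_key db02 "$KH"         # prints nothing: unknown host, a prompt will appear
fingerprint_matches "SHA256:Qn4example" " sha256:Qn4example " && echo "host key verified"
rm -f "$KH"
```

If `known_host_key` prints nothing for a server you have logged in to before, the prompt you are seeing is for a host the client has never trusted, and the fingerprint must be checked out of band; if the entry exists and OpenSSH still warns, the server's key has changed, which is exactly the situation the man-in-the-middle description above is about.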

[Screenshot: QQ picture 20150406144942.png]

Then we can enter the username and password to log in. But if our company has 100 servers and we need to log in to all 100 at once, do we have to type the account password for each of them? This is where SSH key authentication is needed.

The concrete method is this: on the client, use an asymmetric encryption algorithm to generate a key pair, then upload the public key to the server under the name of the user you want to log in as. When we later log in from the client, it takes a piece of text, encrypts it with its own private key and sends it to the server; if the server can decrypt it with the public key after receiving it, authentication succeeds.

The implementation steps are as follows:

1. First run ssh-keygen -t rsa on the server to generate a key pair (OpenSSH does not support PuTTY-generated keys well, so the key can only be generated on the server). During generation you are asked to protect the private key with a passphrase, which is then required every time the private key is used; pressing Enter directly leaves it unencrypted. After generation succeeds, the .ssh folder in the home directory of the user who ran the command contains two files: id_rsa and id_rsa.pub.

[Screenshot: QQ picture 20150406155757.png]

2. Append the contents of id_rsa.pub to the file .ssh/authorized_keys in the home directory of the user who needs password-free login.

[Screenshot: QQ picture 20150406161146.png]

3. Copy the private key file to the local machine and convert id_rsa with PuTTY Key Generator, again without setting a passphrase.

[Screenshot: QQ picture 20150406161715.png]

4. Edit the /etc/ssh/sshd_config file, find the two lines shown in the figure, remove the comment marks, save and exit, then run service sshd restart to restart the sshd service.

[Screenshot: QQ picture 20150406162054.png]

5. In PuTTY, on the SSH > Auth page, select the path of the private key; on the Data page, fill in the auto-login username. You can then log in automatically.

[Screenshot: QQ picture 20150406162434.png]

The effect is as follows:

[Screenshot: QQ picture 20150406162739.png]

I used the root account to log in; in actual server management, the root account is not allowed to log in directly through a remote terminal. If you want several hosts to accept login with the same private key, you only need to copy the public key into the corresponding account directory on the other servers.
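The server-side part of steps 1 to 4, and the "copy the public key to the other servers" remark just above, is the same small routine on every host: put the public key into the account's authorized_keys, get the permissions right (sshd refuses a world-readable authorized_keys or a group-writable .ssh), and make sure sshd_config allows public-key login. The script below is an added example, not the post's own code. The sample key and sample sshd_config are constructed, and since the text does not name the two lines in the author's figure, the assumption here is that they are the PubkeyAuthentication and AuthorizedKeysFile directives.

```shell
#!/bin/sh
# Added example (not from the original post): the server-side part of the
# key-login setup as an idempotent script. Installs a public key into a user's
# authorized_keys with the permissions sshd requires and checks the sshd_config
# directives public-key login depends on. Sample key and config are constructed;
# PubkeyAuthentication / AuthorizedKeysFile as "the two lines" is an assumption.

# Append PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless already present
# and set the 700 / 600 permissions sshd expects. Returns 0 if the key is
# present afterwards.
install_authorized_key() {     # usage: install_authorized_key HOME_DIR "PUBKEY_LINE"
    home="$1"; key="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    grep -qxF -- "$key" "$home/.ssh/authorized_keys"
}

# How many times a key is recorded (1 means the append stayed idempotent).
authorized_key_count() {       # usage: authorized_key_count HOME_DIR "PUBKEY_LINE"
    grep -cxF -- "$2" "$1/.ssh/authorized_keys"
}

# Permission string of a path, e.g. drwx------ for .ssh (first 10 chars only,
# so an ACL or SELinux marker in column 11 does not interfere).
perm_of() { ls -ld "$1" | cut -c1-10; }

# Return 0 if sshd_config FILE has an uncommented "PubkeyAuthentication yes"
# and an uncommented AuthorizedKeysFile directive.
sshd_pubkey_enabled() {        # usage: sshd_pubkey_enabled FILE
    grep -Eiq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$1" &&
    grep -Eiq '^[[:space:]]*AuthorizedKeysFile[[:space:]]+' "$1"
}

# The "remove the comment" step of the post, done portably (no sed -i).
uncomment_pubkey_directives() {    # usage: uncomment_pubkey_directives FILE
    sed -e 's/^#[[:space:]]*PubkeyAuthentication/PubkeyAuthentication/' \
        -e 's/^#[[:space:]]*AuthorizedKeysFile/AuthorizedKeysFile/' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# --- constructed sample run -------------------------------------------------
H=$(mktemp -d)
KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEY ops@client"   # constructed
install_authorized_key "$H" "$KEY"
install_authorized_key "$H" "$KEY"     # second run must not duplicate the key
echo "entries: $(authorized_key_count "$H" "$KEY")"
echo "perms:   $(perm_of "$H/.ssh") $(perm_of "$H/.ssh/authorized_keys")"

CFG=$(mktemp)
printf '#PubkeyAuthentication yes\n#AuthorizedKeysFile .ssh/authorized_keys\n' > "$CFG"
sshd_pubkey_enabled "$CFG" || echo "public-key login still commented out"
uncomment_pubkey_directives "$CFG"
sshd_pubkey_enabled "$CFG" && echo "sshd_config ready; now run: service sshd restart"
rm -rf "$H" "$CFG"
```

Run `install_authorized_key` with the real home directory and the line from id_rsa.pub on each server the same key should open, then `sshd_pubkey_enabled /etc/ssh/sshd_config` before restarting sshd; keeping the append idempotent matters because a stray duplicate line is the usual sign that someone pasted a key by hand without looking at the file.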

This article is from the "left-handed" blog, make sure to keep this source http://mofeihu.blog.51cto.com/1825994/1629271
