SSH key login steps (password-free login)
SSH login offers two authentication methods: password authentication and key authentication. Password authentication is the one we use most often; for security reasons this post introduces key authentication for logging on to Linux/Unix.
Using key login is divided into 3 steps:
1. Generate a key pair (public key and private key);
2. Place the public key in the server's ~/.ssh/authorized_keys file;
3. Configure the SSH client to log in with the key.
---------------------
First, generate the key pair with the ssh-keygen command; the key type here is RSA. A key pair can also be produced with other software.
==========================================================================
[email protected]:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pipci/.ssh/id_rsa): <== enter the private key name here; pressing Enter directly uses the default name shown in parentheses
Enter passphrase (empty for no passphrase): <== enter a passphrase; for automatic login leave it empty by pressing Enter
Enter same passphrase again: <== enter the passphrase again; press Enter directly if it was left empty
Your identification has been saved in /home/pipci/.ssh/id_rsa. <== name and location of the generated private key
Your public key has been saved in /home/pipci/.ssh/id_rsa.pub. <== name and location of the generated public key
The key fingerprint is:
SHA256:hsi5oo0yr1a9extgnellu/uajx1eih34gghv96fexes [email protected]
The key's randomart image is:
+---[RSA 2048]----+ <== key length in bits
| o +o |
| . . +.. |
| M L O. |
| . B *.O.E |
| . * sobo+. |
| . . * =++ . |
| ... = + OO |
| = + +. +. O |
|+.+ . .. O... |
+----[SHA256]-----+
[email protected]:~$
===================================================================
To view the generated key files:
===================================================================
[email protected]:~$ ls -l .ssh/
-rw------- 1 pipci pipci 1679 October 11:45 id_rsa
-rw-r--r-- 1 pipci pipci  394 October 11:45 id_rsa.pub
[email protected]:~$
===================================================================
Note two points:
1. The passphrase entered when generating the key protects the local private key: even if someone gets hold of your computer or the private key file, they cannot use the private key without it. When logging in with the key you will be asked for this passphrase; it is the one entered at key generation, it unlocks the private key file, and it must be at least 5 characters long.
2. The private key must have permissions 600 and the public key 644, that is, only I can read the private key file and no other user can view it. If others could read it, anyone could log in with this private key, which is obviously unsafe. The public key may be viewed freely, but others must not be able to modify it, since that would change which key is paired for login. The .ssh parent directory of the key pair must be 700, so that only I can view and enter it. If .ssh was created by the command, it gets 700 by default; check it after creation and change the permissions if they differ. If the permissions are not as stated above, the client login may fail with an error.
Second, copy the id_rsa.pub public key file to the remote server with the scp command:
====================================================================
[email protected]:~$ scp /home/pipci/.ssh/id_rsa.pub laopi@192.168.1.166:/home/laopi/.ssh/
laopi@192.168.1.166's password:
id_rsa.pub 100% 394 0.4KB/s 00:00
[email protected]:~$
=====================================================================
The scp copy requires that the remote server still allows SSH password login. The public key file is copied into the .ssh directory under the home directory of the user who will log in with the key; if that directory does not exist, create it first. This .ssh directory
must also be set to 700 so that other users cannot enter or change it. In the example above the remote server's IP address is 192.168.1.166 and the user name is laopi (a normal user).
Third, configure the remote server
1. Rename the uploaded public key file to authorized_keys, or append it:
[email protected]:~$ cat .ssh/id_rsa.pub >> .ssh/authorized_keys <== append the public key to authorized_keys
2. Edit the SSH daemon configuration file:
vim /etc/ssh/sshd_config
Make sure the following two items are not preceded by # so that they take effect:
---------------------------------------------------------------
PubkeyAuthentication yes <== allow public key authentication
AuthorizedKeysFile .ssh/authorized_keys <== the file containing the public keys used for user authentication
---------------------------------------------------------------
Disable root account login for security reasons:
PermitRootLogin no <== the option can also be commented out with a leading #, which likewise disables the root user
Log in with the key and disable password login, for security:
PasswordAuthentication no <== the option can also be commented out with a leading #, which likewise disables password login
Restart the SSH service so that the configuration takes effect:
[email protected]:~# systemctl restart sshd.service
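The following added script (not code from the original post) does steps 2 and 3 above in one go: it installs a public key into a user's authorized_keys the way the `cat >>` line does, but only if that exact line is not already present, creates `.ssh` with mode 700 and `authorized_keys` with 600, and then audits the directory against the permission rules from the note in section one (directory 700, private key 600, public key 644). The 600 mode for authorized_keys, the `has_mode`/`install_pubkey`/`check_ssh_perms`/`install_and_check` names and the use of `find -perm` for an exact mode test are this example's own choices; any key line fed to it in the usage comment is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into
# SSH_DIR/authorized_keys idempotently, then audit the permissions the post
# requires (directory 700, private key 600, public key 644). authorized_keys
# is set to 600 here (assumed mode; the post only requires that others
# cannot read or modify it).

# has_mode PATH OCTAL: succeed only if PATH's mode is exactly OCTAL.
# `find -perm MODE` with no +/- prefix is an exact match and behaves the same
# on GNU and BSD find, unlike the differing `stat` flags.
has_mode() {
  [ -n "$(find "$1" -maxdepth 0 -perm "$2" 2>/dev/null)" ]
}

# install_pubkey PUBKEY_FILE SSH_DIR: append the first line of PUBKEY_FILE to
# SSH_DIR/authorized_keys unless the identical line is already there, so
# re-running never duplicates the key; creates SSH_DIR as 700 and
# authorized_keys as 600.
install_pubkey() {
  pub=$1 dir=$2 ak=$2/authorized_keys
  key=$(head -n 1 "$pub")
  [ -n "$key" ] || { echo "empty public key file: $pub" >&2; return 1; }
  [ -d "$dir" ] || mkdir -m 700 "$dir" || return 1
  touch "$ak" && chmod 600 "$ak" || return 1
  if grep -qxF -- "$key" "$ak"; then
    echo "key already present in $ak"
  else
    printf '%s\n' "$key" >> "$ak"
  fi
}

# check_ssh_perms SSH_DIR: print one line per violation; return 0 only when
# the directory is 700, id_* private keys and authorized_keys are 600 and
# *.pub files are 644.
check_ssh_perms() {
  dir=$1 rc=0
  has_mode "$dir" 700 || { echo "$dir: must be 700"; rc=1; }
  for f in "$dir"/id_* "$dir"/authorized_keys; do
    [ -e "$f" ] || continue      # unmatched glob or absent file
    case $f in
      *.pub) want=644 ;;
      *)     want=600 ;;
    esac
    has_mode "$f" "$want" || { echo "$f: must be $want"; rc=1; }
  done
  return "$rc"
}

# install_and_check PUBKEY_FILE SSH_DIR: both steps together.
install_and_check() {
  install_pubkey "$1" "$2" && check_ssh_perms "$2"
}

# Usage as a script on the server, after the scp step:
#   sh install_key.sh /home/laopi/.ssh/id_rsa.pub /home/laopi/.ssh
if [ -n "${1:-}" ]; then
  install_and_check "$1" "${2:-$HOME/.ssh}"
fi
```

Run it once more and the "key already present" message shows the append was skipped; lower the mode of any file under `.ssh` and `check_ssh_perms` names it, which is the condition the note says makes the client login fail.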
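As an added check (example code, not from the post), the script below reads an sshd_config the way sshd does, the first active occurrence of a keyword wins and keywords are matched case-insensitively, and reports whether the three settings from this section are in effect. A line whose keyword is preceded by `#` is a comment and contributes nothing, so sshd uses its compiled-in default for that keyword; running the check before `systemctl restart sshd.service` shows whether the `#` was actually removed. The function names, the `keyword value` line form (the one the post uses) and the choice to stop scanning at the first `Match` block are this example's own; the sample config in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report the values sshd will
# actually use from an sshd_config before restarting the service.

# sshd_effective KEYWORD FILE: print the value of the first active
# (non-comment) line for KEYWORD in FILE, matched case-insensitively, or
# nothing if every occurrence is commented out or absent. Directives inside a
# `Match` block apply only conditionally, so the scan stops there.
sshd_effective() {
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
    /^[[:space:]]*[Mm]atch[[:space:]]/   { exit }   # conditional section: stop
    tolower($1) == key { print $2; exit }           # first active line wins
  ' "$2"
}

# check_sshd_config FILE: verify the settings this section sets
# (PubkeyAuthentication yes, PasswordAuthentication no, PermitRootLogin no),
# printing one line per mismatch; returns 0 only when all three are effective.
check_sshd_config() {
  cfg=$1 rc=0
  for want in PubkeyAuthentication=yes PasswordAuthentication=no PermitRootLogin=no; do
    key=${want%%=*} expect=${want#*=}
    got=$(sshd_effective "$key" "$cfg")
    [ "$got" = "$expect" ] ||
      { echo "$key: want '$expect', effective '${got:-<unset, sshd default applies>}'"; rc=1; }
  done
  return "$rc"
}

# Usage as a script: sh check_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
  check_sshd_config "$1"
fi
```

On a constructed file containing `#PubkeyAuthentication yes` and `PasswordAuthentication yes`, the check reports PubkeyAuthentication as unset and PasswordAuthentication as yes, which is exactly the state a forgotten `#` or a duplicate earlier line leaves behind.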
Fourth, common ssh-keygen parameters
$ ssh-keygen [options]
Common parameters:
-t type: specifies the type of key to create, one of dsa (SSH-2) | ecdsa | ed25519 | rsa (SSH-2) | rsa1 (SSH-1)
-b bits: specifies the key length. For RSA keys the minimum is 768 bits and the default is 2048 bits.
-C comment: provides a comment.
-N new_passphrase: provides a new passphrase.
-F hostname
searches for the specified hostname in the known_hosts file and lists all occurrences. This option is mainly used to find hashed hostnames/IP addresses; combined with the -H option it prints the keys found in hashed form.
-H: hashes the known_hosts file. This replaces all hostnames/IP addresses in the file with the corresponding hash values; the original file is kept with a ".old" suffix. These hashes can only be used by ssh and sshd. This option does not modify entries that are already hashed, so it is safe to use on files that mix hashed and unhashed entries.
-R hostname
removes all keys belonging to hostname from the known_hosts file. This option is mainly used to remove the keys of hashed hosts (see the -H option).
-f filename: specifies the key file name.
-l: shows the fingerprint of a public key file. RSA1 private keys are also supported. For RSA and DSA keys, the corresponding public key file is looked up and its fingerprint is displayed.
1. View the public key fingerprint of id_rsa.pub:
[email protected]:~$ ssh-keygen -lf .ssh/id_rsa.pub
2048 SHA256:hsi5oo0yr1a9extgnellu/uajx1eih34gghv96fexes [email protected] (RSA)
2. View the fingerprint in MD5 form:
[email protected]:~$ ssh-keygen -E md5 -lf .ssh/id_rsa.pub
2048 MD5:fa:ba:4b:35:18:7f:5f:94:f0:6b:b5:7a:89:98:f9:a5 [email protected] (RSA)
Debian 9.5 SSH key login configuration steps (password-free login) and common ssh-keygen parameters