OpenSSH password-less access configuration

Install OpenSSH in Ubuntu:

Sudo apt-Get install OpenSSH-Server

I. Problem Description

Assume that machine a is the customer machine, and machine B is the target machine;

Goals:
Machine A does not need to enter a password to log on to machine B through SSH;
Select RSA for encryption. | DSA is supported. The default value is DSA.

Ii. Procedure

One-way login operation process (to meet the above objectives ):
1. log on to machine
2. Ssh-keygen-T [RSA | DSA] will generate the key file and private key file id_rsa, id_rsa.pub or id_dsa, id_dsa.pub
3. Copy the. Pub file to the. Ssh directory of machine B and CAT id_dsa.pub> ~ /. Ssh/authorized_keys
4. As a result, you can log on to the target account of machine B from machine A without a password. (directly run# SSH 192.168.20.60)

Two-way login operation process:

1. Ssh-keygen performs password verification to enable SSH on the opposite machine. SCP does not need to use the password. The specific method is as follows:
2. perform the following operations on both nodes:# Ssh-keygen-T RSA
Then press enter to use the default value.

3. A key pair is generated and stored in the user directory ~ /. Ssh.
Test the public key to the user directory of the target machine.And copy it ~ /. Ssh/authorized_keys (operation command:# Cat id_dsa.pub> ~ /. Ssh/authorized_keys).

4. Set file and directory permissions:

Set authorized_keys Permissions
$ Chmod 600 authorized_keys
Set. Ssh Directory Permissions
$ Chmod 700-R. SSH

5. Ensure that. SSH and authorized_keys have write permission only for the user. Otherwise, the verification is invalid. (This is the problem we have encountered today. I have been looking for a long time.) In fact, I think about it carefully to avoid system vulnerabilities.

When I access 20.60 from 20.59, the following error is prompted:

The authenticity of host'1970. 168.000059 (192.168.000059 )'Can't be established. RSA key fingerprint is 6a:37: C0: E1:09: A4:29: 8d:68: D0: CA:21:20:94: Be:18. Are
You sure you wantContinueConnecting (Yes/No )? Yes Warning: Permanently added
'1970. 168.20.59'(RSA) to the list of known hosts. Root192. 168.20.59'S password: Permission denied, please
TryAgain. Root192. 168.20.59'S password: Permission denied, please
TryAgain. Root192. 168.20.59'S password: Permission denied (publickey, gssapi-with-mic, password ).

Iii. Summary

1. Do not set the file and directory permissions to chmod 777. This permission is too large, insecure, and not supported by digital signatures.

2. The generated RSA/DSA Signature public key is used by the other machine. The public key must be copied to authorized_keys.

3. Access the IP address of the SSH machine directly between Linux

4. A machine generates its own RSA or DSA digital signature, sends the public key to the target machine, and then sets the relevant permissions (Public Key and authorized_keys permissions) after receiving the request ), this target machine can be accessed!