When managing Linux servers from Windows, PuTTY is often used to log on over SSH for remote administration. The default login method is password authentication. Although it is simple, you have to type a long password on every login, which is tedious, and if root is allowed to log on and the service is reachable from the network, the password may be brute-forced, with serious consequences. I therefore recommend using key-based authentication instead of password authentication: it is both simpler and more reliable.

I. Why I recommend logging on with a key

Linux distributions usually ship OpenSSH in place of telnet, rsh and other terminal services that transmit everything in plaintext. Taking Hongqi (Red Flag) DC Server 5.0 as an example:

    # rpm -qa | grep -E -w 'openssh'
    openssh-clients-4.0p1-1.2AX
    openssh-server-4.0p1-1.2AX
    openssh-4.0p1-1.2AX

By default OpenSSH supports both password authentication and key authentication.

Why is public key authentication needed?

Normally, logging on to a remote server over SSH uses password authentication: you enter a user name and a password, and if the pair matches the system's records you are logged on. Password authentication has the following disadvantages:

a) You cannot use a blank password (even if the system allows one, it is dangerous).
b) A password is easy to shoulder-surf or guess.
c) If one account on the server is shared by several people, all of them must know the password, which makes leakage likely, and every password change must be communicated to everyone.

Public key authentication solves these problems:

a) Public key authentication allows an empty passphrase, so you need not type a password on every login.
b) Several people can log on to the same system account, each with their own key.
c) Changing the account's password does not affect login.
d) If password authentication is disabled at the same time, then as long as the private key is kept safe there is no threat from brute-force cracking.

II. Generating a key with PuTTY and logging on with it

From the principle of public key authentication (described in section V below), either side can generate the key pair; authentication succeeds as long as the side doing the verifying holds the public key of the side being verified. This section takes logging on to a Linux server from Windows with PuTTY as its example, so the key pair is generated with PuTTY's tools. Before continuing, make sure you have downloaded the whole PuTTY package from the official site: http://www.chiark.greenend.org.uk/~sgtatham/putty/ (the latest version is 0.60; mine is 0.55). The full package includes PuTTY, PuTTYgen, PSCP, Plink, Pageant and other tools.

1. Creating a key with PuTTYgen

Start PuTTYgen. To be compatible with OpenSSH keys, select "SSH2 RSA". Click Generate and move the mouse over the blank area of the key box to collect enough random data for key generation. You will see the prompt "Please generate some randomness by moving the mouse over the blank area." As long as the mouse is moving over the blank area the progress bar advances; when you stop, it stops. Keep moving the mouse until the bar is full. When generation completes, the window shows the new key and the following fields:

Key comment: a comment that does not affect the key's validity but helps you tell this key apart from others.
Key passphrase and Confirm passphrase: a passphrase used to protect the private key. If it is left empty, anyone who obtains the private key file can log on to the system without any password, which is very dangerous. In general I suggest entering one; if you leave it blank for convenience, see the notes in section IV below.

Then click "Save private key" to store the private key. If no key passphrase was entered, PuTTYgen warns that the key is unprotected; confirm and enter a file name for the private key file.

Note: the public key does not need to be kept locally. PuTTYgen can derive it from the private key, and the client does not use it for authentication.

2. Copying the public key to the server

The "Key" box at the top of the PuTTYgen window holds the public key in OpenSSH format. Copy it into a specific file on the Linux server:

    ~/.ssh/authorized_keys

where "~" is the home directory of the user that will log on. Taking root as the example: if the .ssh directory does not exist, create it, then write the public key into the file:

    # mkdir ~/.ssh
    # chmod 700 ~/.ssh
    # vi ~/.ssh/authorized_keys
    # chmod 644 ~/.ssh/authorized_keys

Note: the owner and permissions of the file and directory must be correct. The file must be 0644, that is, nobody else may write to it (otherwise someone could add their own public key and log on without a password). Because the umask is usually 0022 or 0002, use chown and chmod to set the owner and permissions explicitly.

3. Logging on with the PuTTY key

A little PuTTY configuration is needed to log on to the Linux server with the key. Select Connection - SSH - Auth and enter the path of the private key file in "Private key file for authentication". Then enter the login user name, for example root, in "Auto-login username" under Connection (in PuTTY 0.60 this field is on the Connection - Data page). Click "Open".
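The permission rule from step 2 above, as an added example (my own Python, not code from the original post, PuTTY or OpenSSH): install_public_key writes a key line into ~/.ssh/authorized_keys with the recommended modes, and strict_modes_problems applies the same test sshd's StrictModes performs (owner must be the user or root, no group- or world-write bit) to the home directory, ~/.ssh and the file itself. The key line, the function names and the scratch home directory are constructed for this example.

```python
import os
import stat
import tempfile

# Constructed sample public key line of the kind PuTTYgen shows in its "Key"
# box. It is not a real key: the base64 body is a placeholder.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholder== rsa-key-sample"


def install_public_key(home, pubkey_line):
    """Append pubkey_line to <home>/.ssh/authorized_keys with the modes the
    text recommends: directory 0700, file 0644."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # makedirs honours the umask, so set it explicitly
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "a") as fh:       # append, so keys already present are kept
        fh.write(pubkey_line.rstrip("\n") + "\n")
    os.chmod(path, 0o644)
    return path


def strict_modes_problems(home):
    """Emulate sshd's StrictModes check: the home directory, ~/.ssh and
    authorized_keys must be owned by the user (or root) and must not be
    group- or world-writable. Returns a list of problems; an empty list
    means sshd would accept the file."""
    me = os.getuid()
    problems = []
    for p in (home, os.path.join(home, ".ssh"),
              os.path.join(home, ".ssh", "authorized_keys")):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            problems.append("missing: " + p)
            continue
        if st.st_uid not in (me, 0):
            problems.append("bad ownership for " + p)
        if stat.S_IMODE(st.st_mode) & 0o022:
            problems.append("bad modes for " + p)
    return problems


def demo_permissions():
    """Install the sample key twice into a scratch home directory (showing
    that the second install appends), check it, then loosen the file mode
    to show the check failing. Returns (clean_result, loose_result, lines)."""
    home = tempfile.mkdtemp()
    path = install_public_key(home, SAMPLE_PUBKEY)
    install_public_key(home, SAMPLE_PUBKEY)
    with open(path) as fh:
        lines = len(fh.read().splitlines())
    clean = strict_modes_problems(home)
    os.chmod(path, 0o666)             # world-writable: what the note above warns against
    loose = strict_modes_problems(home)
    return clean, loose, lines


if __name__ == "__main__":
    print(demo_permissions())
```

The world-writable case is exactly the one sshd refuses with "bad ownership or modes"; running the check on the real home directory before the first key login saves a round of log reading.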
If everything is normal you are logged on without a password, and you can save the configuration as a session.

III. Generating a key with OpenSSH

Keys can be generated with PuTTY or with OpenSSH.

1. Generating a key on Linux

Run:

    # ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):     <- key path
    Enter passphrase (empty for no passphrase):                   <- passphrase protecting the key
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.     <- private key
    Your public key has been saved in /root/.ssh/id_rsa.pub.     <- public key
    The key fingerprint is:
    17:28:4c:c3:e4:18:d4:c2:31:bd:be:a7:a9:d4:a8:48 root@mail.linuxfly.org

2. Writing the public key into authorized_keys

Run:

    # cd ~/.ssh
    # cat id_rsa.pub >> authorized_keys

(Use >> rather than > so that keys already in the file, such as the PuTTY key from section II, are kept.)

3. Generating the PuTTY private key

Because the SSH standard does not fix the format of key files, the private key format used by PuTTY differs slightly from the one generated by OpenSSH, so it must be converted:

a) Copy id_rsa to the Windows machine.
b) Use PuTTYgen's "Load" to read the id_rsa file. The public key it displays should match id_rsa.pub.
c) Click "Save private key" to save the key in PuTTY's format.
d) PuTTY can now use the new private key to log on to the server.

IV. Notes

1. Checking the OpenSSH server configuration

The OpenSSH server configuration is usually stored in /etc/ssh/sshd_config. The relevant settings:

    PermitRootLogin no                        # forbid the root user from logging on
    StrictModes yes                           # check that the key file's owner and permissions are correct (the default)
    RSAAuthentication yes                     # enable RSA authentication
    AuthorizedKeysFile .ssh/authorized_keys   # path of the public key file used for verification
    PubkeyAuthentication yes                  # enable public key authentication
    PasswordAuthentication no                 # disable password authentication (enabled by default)
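As an added example (my own Python, not from the original post or the OpenSSH project), the following audits an sshd_config text against the settings listed above. It follows sshd's own parsing rules: keywords are case-insensitive, the first occurrence of a keyword wins, and settings after the first Match line apply only conditionally, so the global audit stops there. Both config excerpts are constructed samples, and the defaults assumed for absent keywords are stated in the code.

```python
# Constructed sshd_config excerpt with the weak settings (not a real host's file).
# PasswordAuthentication appears twice to show that sshd keeps the first value.
WEAK_SSHD_CONFIG = """\
# sshd_config: constructed sample
Port 22
PermitRootLogin yes
StrictModes yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# The same file with the settings the text recommends (also constructed).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
"""

# keyword -> (recommended value, value sshd uses when the keyword is absent).
# PasswordAuthentication, PubkeyAuthentication and StrictModes default to yes;
# PermitRootLogin gets no assumed default here, so an absent line is reported.
RECOMMENDED = {
    "permitrootlogin": ("no", None),
    "pubkeyauthentication": ("yes", "yes"),
    "passwordauthentication": ("no", "yes"),
    "strictmodes": ("yes", "yes"),
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    Keywords are lower-cased, the first occurrence wins, and parsing stops
    at the first Match block because its settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:               # sshd also accepts "Keyword=value"
            parts = line.split("=", 1)
        key = parts[0].strip().lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit_sshd_config(text):
    """Return {keyword: (effective value, recommended value)} for every
    recommended setting whose effective global value differs."""
    settings = parse_sshd_config(text)
    findings = {}
    for key, (want, default) in RECOMMENDED.items():
        effective = settings.get(key, default)
        if effective is None:
            findings[key] = ("<not set>", want)
        elif effective.lower() != want:
            findings[key] = (effective, want)
    return findings


if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Reading the file through the same first-wins rule sshd uses matters: a hardening line appended at the bottom of a file that already sets PasswordAuthentication yes near the top changes nothing, and a grep for the keyword would not show that.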
Two notes on these settings:

a) If StrictModes is yes and the owner or permissions of authorized_keys are wrong, the key is rejected and the server log shows:

    bad ownership or modes for file /home/linuxing/.ssh/authorized_keys

b) If PasswordAuthentication is set to no, password authentication is disabled and only public key authentication is accepted, which is safer.

2. Where the public key is stored

PuTTY, as the client, does not need the public key; on the Linux server the public key is stored in ~/.ssh/authorized_keys. In other words, the storage path depends on the home directory of the user that logs on. For example, for an ordinary user:

    $ echo ~
    /home/linuxing

so the file is /home/linuxing/.ssh/authorized_keys. If you want to log on as different users with the same private key, make sure the public key has been written into the authorized_keys file of each user, and that the owner and permissions of each file are correct.

3. The key passphrase

If you enter a key passphrase when saving the private key, it is used to encrypt the private key. The benefit: if your private key is stolen, the thief cannot use it to log on to the server without also knowing the passphrase. In short, security is improved.

a) When PuTTY logs on with such a private key, it prompts for the passphrase; only the correct passphrase passes.

Note: this looks similar to password authentication against OpenSSH, but it is completely different. The key passphrase protects the private key file itself, guarding against theft of the key. OpenSSH password authentication uses the user's password on the Linux server, i.e. the PAM credentials. So even if the PAM password is changed you can still log on, as long as the key passphrase is correct (because the private key that the passphrase unlocks has not changed).

b) Having to enter the key passphrase on every login obviously does not simplify logging on. To get both security and convenience, use Pageant. Its job is simple: you enter the passphrase once, and Pageant keeps the decrypted private key in memory. When PuTTY logs on again, Pageant supplies the decrypted key for authentication automatically, so the passphrase need not be typed repeatedly. When Pageant exits, the key is discarded and the next login asks for the passphrase again. This achieves "verify once, use many times".

Start Pageant; it places itself in the Windows system tray at the lower right. Right-click it and choose "View Keys"; in the window that opens choose "Add Key", select PuTTY's private key file (.ppk), and enter the key passphrase when prompted. Afterwards the key is listed in Pageant, and logging on with PuTTY no longer asks for the key passphrase. (You can also choose "Add Key" directly from the tray menu.)

Note: in fact, a private key without a key passphrase can also be loaded into Pageant. In that case the private key path need not be set in the PuTTY session configuration at all, which also achieves a certain security goal.

c) To change the key passphrase, load the private key into PuTTYgen again with "Load"; it asks for the current passphrase, and after you enter it you can set a new one and save the private key again.

Note: whether a key passphrase exists, or is changed, does not change the public key.

4. Saving PuTTY's configuration

PuTTY keeps its configuration in the Windows registry. Export it with:

    regedit /e PuTTY.config.reg "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY"

5. Using a DSA key

Under the default configuration OpenSSH supports both RSA and DSA keys. Simply select "DSA" when generating the key, or with OpenSSH run:

    # ssh-keygen -t dsa

and copy the public key into the authorized_keys file exactly as for RSA.

V. How public key authentication works

Public key authentication uses a pair of related keys: one, the public key, may be seen by anyone and is used for encryption; the other, the private key, is held only by its owner and is used for decryption. Ciphertext produced with the public key is easily decrypted with the private key, but deriving the private key from the public key is very hard. SSH public key authentication relies on this property. Both the server and the client have their own public and private keys. For convenience, the following symbols are used:

    Ac  client public key
    Bc  client private key
    As  server public key
    Bs  server private key

Before authentication can take place, the client's public key must already have been delivered to the server by some secure route (the authorized_keys file above). The authentication then has two steps:

1. Session key generation

The client requests a connection, and the server sends its public key As to the client together with a session id p generated by the server. The client generates a session key q, computes r = p xor q, encrypts r with As and sends the result to the server. The server decrypts it with Bs to recover r, then computes r xor p to obtain q. Now both sides know the session key q, and all further traffic is encrypted with q.

2. Authentication

The server generates a random number x, encrypts it with Ac to produce S(x), and sends S(x) to the client. The client decrypts S(x) with Bc to recover x, and computes the md5 value n(q + x) of q + x. The server, using the session key q obtained in the previous step, computes its own md5 value m(q + x) of q + x. The client sends n(q + x) to the server; the server compares m(q + x) with n(q + x), and if they are identical the authentication succeeds.

VI. References

A very detailed PuTTY user guide: http://docs.google.com/View?docid=ajbgz6fp3pjh2dwwwwt
Because the original address loads slowly, I saved a copy: http://blog.3gcomet.com/article.asp?id=215
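The two-step exchange of section V, written out as an added example (my own Python, not code from the original post or from OpenSSH) so that both sides' messages can be followed. Textbook RSA with small fixed primes stands in for the real public key operations purely to make "encrypt with A, decrypt with B" concrete; the primes, the message sizes, the function names and the reading of "md5 of q + x" as md5 over the bytes of q followed by the bytes of x are all assumptions of this example. It also runs the handshake with a different user's private key, which shows the server's comparison of m(q + x) and n(q + x) failing while the session key step still succeeds.

```python
import hashlib
import secrets

# Primes for the toy key pairs (constructed for this example; real SSH keys are
# far larger). Textbook RSA with no padding, for illustration only.
SERVER_PRIMES = (999983, 1000003)
CLIENT_PRIMES = (99991, 104729)
OTHER_PRIMES = (65521, 65537)   # some other user's key, used to show a failure
MSG_BITS = 30                    # keeps p, q and x below every modulus above


def toy_keypair(prime1, prime2, e=65537):
    """Return ((e, n), (d, n)): the public key A and the private key B."""
    n = prime1 * prime2
    d = pow(e, -1, (prime1 - 1) * (prime2 - 1))
    return (e, n), (d, n)


def encrypt_with(public_key, m):
    e, n = public_key
    return pow(m, e, n)


def decrypt_with(private_key, c):
    d, n = private_key
    return pow(c, d, n)


def md5_of(q, x):
    """The text's 'md5 of q + x', taken here as md5 over the bytes of q
    followed by the bytes of x (an assumption of this example)."""
    return hashlib.md5(q.to_bytes(8, "big") + x.to_bytes(8, "big")).hexdigest()


def run_handshake(As, Bs, Ac, Bc):
    """Run both steps of section V. As/Bs are the server's keys, Ac is the
    client public key the server holds (its authorized_keys entry) and Bc is
    the private key the connecting client actually has.
    Returns (authenticated, session_key_agreed)."""
    # Step 1: session key. The server sends As and the session id p.
    p = secrets.randbelow(1 << MSG_BITS)
    # The client picks q and sends r = p xor q encrypted with As.
    q = secrets.randbelow(1 << MSG_BITS)
    wire_r = encrypt_with(As, p ^ q)
    # The server decrypts with Bs and recovers q = r xor p.
    q_at_server = decrypt_with(Bs, wire_r) ^ p
    # Step 2: challenge. The server sends S(x) = x encrypted with Ac.
    x = secrets.randbelow(1 << MSG_BITS)
    s_x = encrypt_with(Ac, x)
    # The client decrypts with Bc and answers with n(q + x).
    x_at_client = decrypt_with(Bc, s_x)
    n_response = md5_of(q, x_at_client)
    # The server computes m(q + x) from its own copies and compares.
    m_expected = md5_of(q_at_server, x)
    return m_expected == n_response, q_at_server == q


def demo_handshake():
    """Genuine client versus a client holding a different private key."""
    As, Bs = toy_keypair(*SERVER_PRIMES)
    Ac, Bc = toy_keypair(*CLIENT_PRIMES)
    _, other_Bc = toy_keypair(*OTHER_PRIMES)
    return run_handshake(As, Bs, Ac, Bc), run_handshake(As, Bs, Ac, other_Bc)


if __name__ == "__main__":
    genuine, impostor = demo_handshake()
    print("genuine client:", genuine)    # (True, True)
    print("wrong private key:", impostor)  # (False, True)
```

The second result is the point of step 2: whoever lacks Bc cannot recover x from S(x), so the response never matches, and the server learns nothing it could replay, since x and q are fresh for every connection.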