SSH Authentication principle

Source: Internet
Author: User
Tags: ssh, account

Http://www.tuicool.com/articles/qyiyim

SSH guarantees security because it uses public-key cryptography.

The entire SSH password login process goes like this:

1) The user sends a login request to the remote host: ssh user@host

2) The remote host receives the login request and sends its own public key to the user.

3) The user encrypts the login password with this public key and sends it back to the remote host.

4) The remote host decrypts the login password with its own private key; if the password is correct, it allows the user to log in.

On Linux, the first time you log in to another host, the following prompt appears:

$ ssh user@host
The authenticity of host 'host (12.18.429.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?

This message says that the authenticity of the host cannot be confirmed: only its public key fingerprint is known, and you are asked whether you still want to continue connecting.
The so-called "public key fingerprint" exists because the public key is long (here the RSA algorithm is used, with a key of up to 1024 bits) and hard to compare by eye, so an MD5 hash is computed over it, which turns it into a 128-bit fingerprint. In the example above that is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d, which is much easier to compare.
A natural question is how the user can know what the remote host's public key fingerprint should be. There is no good answer: the remote host has to publish its public key fingerprint somewhere, such as its own web site, so that users can check it themselves.
Assuming the risk has been weighed, the user decides to accept the remote host's public key.

Are you sure you want to continue connecting (yes/no)? yes

The system then prints a notice that the host has been added to the known hosts:

Warning: Permanently added 'host,12.18.429.21' (RSA) to the list of known hosts.

You will then be asked to enter a password.

Password: (Enter Password)

If the password is correct, you can log in.
Once the remote host's public key has been accepted, it is saved in the file $HOME/.ssh/known_hosts. The next time you connect to this host, the system recognizes that its public key is already stored locally, skips the warning, and prompts for the password directly.
Each SSH user has their own known_hosts file in their own $HOME directory, and the operating system also has one such file, usually /etc/ssh/ssh_known_hosts, which holds the public keys of remote hosts that all users may trust.
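The fingerprint and known_hosts behaviour described above, as an added worked example (not code from the original article): it builds a constructed ssh-rsa key, computes the colon-hex MD5 fingerprint the article quotes, and performs the comparison the client makes against known_hosts on later connections. The SHA256 form goes beyond the article and is what newer OpenSSH prints by default; all key values are constructed and not real keys.

```python
"""Added example (not from the article): build a constructed ssh-rsa public
key, compute the colon-hex MD5 fingerprint the article describes, and apply
the known_hosts comparison the client does on later connections."""
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """One length-prefixed field of the SSH wire format (RFC 4251 'string')."""
    return struct.pack(">I", len(b)) + b

def mpint(n: int) -> bytes:
    """RFC 4251 mpint: big-endian magnitude, 0x00 prefixed if the high bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)

def make_rsa_pubkey_line(e: int, n: int, comment: str = "constructed") -> str:
    """A 'ssh-rsa <base64 blob> comment' line as found in id_rsa.pub (e, n constructed)."""
    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 of the decoded blob, as 16 colon-separated hex bytes (98:2e:d7:... style)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(pubkey_line: str) -> str:
    """What newer OpenSSH prints instead: 'SHA256:' + unpadded base64 (beyond the article)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_known_host(known_hosts: str, host: str, presented_line: str) -> str:
    """Client-side decision on the key a server presents:
    'unknown'  - first contact, show the fingerprint and ask the user (the prompt above);
    'match'    - same key as stored, continue silently;
    'MISMATCH' - stored key differs (host rebuilt, or someone in the middle): refuse."""
    presented_blob = presented_line.split()[1]
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if host in parts[0].split(","):
            return "match" if parts[2] == presented_blob else "MISMATCH"
    return "unknown"
```

The known_hosts format assumed here is the plain (unhashed) "host,ip keytype base64" line shown in the warning above; OpenSSH can also store hashed hostnames, which this simplified check does not handle.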
Login with Public key (password-free)
Logging in with a password means typing the password every time, which is tedious. Fortunately, SSH also provides public key login, which removes the step of entering a password.
The principle of so-called "public key login" is simple: the user stores their own public key on the remote host. At login, the remote host sends a random string to the user, who encrypts it with their private key and sends it back. The remote host decrypts it with the pre-stored public key; if that succeeds, the user is proven trustworthy and is allowed straight into the login shell. No password is required any more, and this mechanism is independent of the SSH account password used earlier.
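The exchange just described, as an added illustration that is not code from the article: textbook RSA with constructed small primes stands in for the real key (the numbers are far too small for real use, and this is not the exact SSH signature encoding), but it shows both sides of the challenge-response and why the server never needs the account password.

```python
"""Added illustration of the challenge-response described above, not code from
the article: textbook RSA with constructed small primes (NOT real key sizes, NOT
the exact SSH signature format) shows why the server never needs the password."""
import hashlib
import os

def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as (e, n) and (d, n) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def challenge_hash(challenge: bytes, n: int) -> int:
    """Reduce the random challenge to an integer the key can operate on."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

def client_respond(private, challenge: bytes) -> int:
    """Client side: 'encrypt' (in fact sign) the challenge with the private key."""
    d, n = private
    return pow(challenge_hash(challenge, n), d, n)

def server_verify(authorized_keys, challenge: bytes, response: int) -> bool:
    """Server side: 'decrypt' with each stored public key; any match proves
    possession of the matching private key. authorized_keys mirrors
    ~/.ssh/authorized_keys: one public key per entry."""
    for e, n in authorized_keys:
        if pow(response, e, n) == challenge_hash(challenge, n):
            return True
    return False

def login(authorized_keys, private) -> bool:
    """Full exchange: the server picks a fresh random challenge each time, so a
    captured response cannot be replayed for a later login."""
    challenge = os.urandom(32)
    return server_verify(authorized_keys, challenge, client_respond(private, challenge))

# Constructed demo keys (Mersenne primes; far too small for real use).
USER_PUB, USER_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**19 - 1, 2**17 - 1)
```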
This approach requires the user to provide their own public key. If you do not have one ready, you can generate one with ssh-keygen:

$ ssh-keygen

After you run the above command, a series of prompts appears, and you can press Enter all the way through. One of the questions is whether you want to set a passphrase on the private key; if you are concerned about the security of the private key, set one here.
When it finishes, two new files appear in the $HOME/.ssh/ directory: id_rsa.pub and id_rsa. The former is your public key, the latter your private key.
Then enter the following command to copy the public key to the remote host:

$ ssh-copy-id user@host

From then on you can log in to the remote host without entering a password.
If that does not work, open the file /etc/ssh/sshd_config on the remote host and check that the "#" comment marker has been removed from the following lines:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Then restart the remote host's SSH service.
About the authorized_keys file
The remote host stores the user's public key in the file $HOME/.ssh/authorized_keys in that user's home directory. The public key is a single line of text, which is simply appended to the end of the authorized_keys file.
If you do not use the ssh-copy-id command above, and the remote host does not yet have an authorized_keys file, you can copy the public key into place with scp instead:
# scp -p id_rsa.pub root@server:/root/.ssh/authorized_keys
root@server's password: <-- enter the root user password of the machine server
id_rsa.pub 100% 218 0.2KB/s 00:00
If the remote host's authorized_keys file already exists, append the public key to it instead.
First upload the public key file to the remote host (replace <port> with the remote sshd port, or omit -P/-p for the default port 22):
# scp -P <port> ~/.ssh/id_rsa.pub root@server:/root/
Then ssh into the remote host and append the public key to the authorized_keys file:
# cat /root/id_rsa.pub >> /root/.ssh/authorized_keys
Or do it in a single command:
$ cat ~/.ssh/id_rsa.pub | ssh -p <port> user@host 'cat >> ~/.ssh/authorized_keys'
Once the authorized_keys file has been written, the public key login setup is complete.
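The procedure above, as an added example that is not part of the original article: it performs the "append to authorized_keys" step idempotently and with the file permissions sshd expects, and reads the three sshd_config directives the article says to uncomment. It runs against a temporary directory standing in for the remote user's home; the key line and config text are constructed.

```python
"""Added example, not from the article: the 'append to authorized_keys' step done
idempotently with the permissions sshd expects, plus a reader for sshd_config."""
import os
import stat
import tempfile
from pathlib import Path

def install_authorized_key(home: str, pubkey_line: str) -> bool:
    """Append pubkey_line to <home>/.ssh/authorized_keys unless the same key
    (type + base64, comment ignored) is already there; return True if added.
    Sets 0700 on .ssh and 0600 on the file: with StrictModes (the default)
    sshd ignores an authorized_keys that is group- or world-writable."""
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = ssh_dir / "authorized_keys"
    key_blob = pubkey_line.split()[:2]
    existing = ak.read_text().splitlines() if ak.exists() else []
    added = not any(line.split()[:2] == key_blob for line in existing if line.strip())
    if added:
        with ak.open("a") as fh:
            fh.write(pubkey_line.strip() + "\n")
    os.chmod(ak, 0o600)
    return added

def sshd_pubkey_settings(config_text: str) -> dict:
    """Effective values of RSAAuthentication, PubkeyAuthentication and
    AuthorizedKeysFile. sshd keeps the FIRST uncommented occurrence of a
    keyword, so an earlier 'PubkeyAuthentication no' silently wins over yours."""
    wanted = {"rsaauthentication", "pubkeyauthentication", "authorizedkeysfile"}
    found = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key in wanted and key not in found:
            found[key] = parts[1].strip()
    return found

def demo() -> dict:
    """Install one constructed key twice into a fresh temp home and report what happened."""
    home = tempfile.mkdtemp()
    key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructed= user@laptop"
    first = install_authorized_key(home, key)
    second = install_authorized_key(home, key.replace("user@laptop", "other-comment"))
    ak = Path(home) / ".ssh" / "authorized_keys"
    return {"added_first": first, "added_second": second,
            "lines": len(ak.read_text().splitlines()),
            "ak_mode": stat.S_IMODE(ak.stat().st_mode),
            "dir_mode": stat.S_IMODE(ak.parent.stat().st_mode)}
```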

