When we SSH to a Linux host, we normally have to enter the account's password. To log in without a password, we usually use SSH key authentication. The principle is roughly as follows:
To log in from Host A to Host B over SSH, we generate a key pair on Host A and then copy Host A's public key into the .ssh/authorized_keys file in the home directory of the target account on Host B. For example, to log in to Host B from the root account on Host A, we copy the public key of Host A's root account into the authorized_keys file under the root account on Host B.
Lab Environment:
Host A: 172.16.206.132
Host B: 172.16.206.131
1. First, generate a key pair on Host A:
[email protected]:~/.ssh# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
82:6d:c4:a8:84:d4:f9:5f:05:42:c9:e5:64:0a:cb:c9 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
[randomart image]
+-----------------+
View the generated files and note the file permissions:
[email protected]:~/.ssh# ll
total 16
-rw-r--r-- 1 root root 392 Feb 01:02 authorized_keys
-rw------- 1 root root 1675 Jun 21:36 id_rsa
-rw-r--r-- 1 root root 396 Jun 21:36 id_rsa.pub
-rw-r--r-- 1 root root 1976 Jun 21:19
id_rsa: the private key file
id_rsa.pub: the public key file
authorized_keys: stores the public keys of other hosts, used for SSH authentication
known_hosts: the hosts that have been logged in to over SSH
2. Upload the public key of Host A to the root account of Host B
This operation requires entering the password of the root user on Host B.
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
The authenticity of host '172.16.206.131 (172.16.206.131)' can't be established.
RSA key fingerprint is 74:d8:e6:2a:9e:86:22:a7:1e:82:01:f5:79:0d:35:5a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.206.131' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '[email protected]'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Note: the method above is equivalent to creating an authorized_keys file directly in the /root/.ssh/ directory of Host B's root account and then copying the public key of Host A into this file. Pay attention to the permissions of the file.
3. Log in to Host B and view the authorized_keys file; you can see the public key of Host A's root account:
[[email protected] .ssh]# cat authorized_keys
ssh-rsa aaaab3nzac1yc2eaaaabiwaaaqeaszoybigl5zu1bnetcdnjqryhiwz1rvge/ Bhp/dwpjbhtuktaswbdae9ap85ade5rxtjt9atfkxz/v4o8e2c8fpyy1qxagctq2qab1x62svrsyvl0ee3ter0t7eiic3i1540t/nne4tc6ao5 /kc+nofjpffnqq+ Uodztdkuhwsczqd0aflrxkglame1zfhbeg54ncmz6heabmbtpmc19qrpy9c8hy5fsv851mmjrvmohriamvb0juhrnejwrkq3ojlsgm4gds3rfdj1cjvelzfsi hsikvb9xkgmpquoy5bfz2zqo6mu3owj+5lhbe9obscoc9bkzntjd9rwz2suleiq== [email protected]
4. Log in to Host B from Host A over SSH
[email protected]:~# ssh [email protected]
Last login: Thu Jun 11:05:21 from 172.16.206.1
Host A can now log in to Host B directly, without entering a password.
Extension: from the example above we can see that whoever wants to SSH to another host needs to generate a key pair on its own machine and then put the public key into the authorized_keys file under the target account on the other host. But what if many hosts need to SSH to one host, and we do not want to create a key pair on each of them?
The private key file of Host A can be copied to each of those hosts, and the public key of Host A copied into the authorized_keys file on Host A. Host A then holds the public key and each of the other hosts holds the private key, which is enough for SSH key authentication. Every host that holds the copied private key then authenticates as the same identity, so the key cannot be withdrawn from one host without replacing it on all of them.
Summary: SSH key authentication is very flexible. As long as the public and private keys match, authentication succeeds, regardless of who generated the key pair.
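The two permission notes above (on the generated key files in step 1 and on authorized_keys in step 2) can be checked with a short script. This is an added example, not part of the original article; the function names mode_of, audit_ssh_dir and make_sample, the 700 directory mode and the sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the permissions of an .ssh directory.

# Print the nine rwx permission characters of a path, taken from `ls -ld`.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Audit directory $1. Prints one line per finding and returns the number
# of findings as the exit status (0 = clean).
audit_ssh_dir() {
    dir=$1
    findings=0
    # sshd's StrictModes refuses authorized_keys when the file or its
    # directory is writable by group or others.
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        case $(mode_of "$f") in
            ????w????|???????w?)
                echo "group/other-writable: $f"
                findings=$((findings + 1)) ;;
        esac
    done
    # The ssh client refuses a private key that group or others can access.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q 'PRIVATE KEY-----' || continue
        case $(mode_of "$f") in
            ???------) ;;
            *)  echo "private key accessible to group/other: $f"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed sample: file names and modes as in the step 1 listing,
# with placeholder contents instead of real key material.
make_sample() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"
    echo 'ssh-rsa PLACEHOLDER constructed@example' > "$d/authorized_keys"
    echo 'ssh-rsa PLACEHOLDER constructed@example' > "$d/id_rsa.pub"
    echo '-----BEGIN RSA PRIVATE KEY-----' > "$d/id_rsa"
    chmod 644 "$d/authorized_keys" "$d/id_rsa.pub"
    chmod 600 "$d/id_rsa"
    echo "$d"
}

sample=$(make_sample) && audit_ssh_dir "$sample" && echo "clean: $sample"
rm -rf "$sample"
```

To audit a real account, call audit_ssh_dir with the path of its .ssh directory, on Host A for the private key and on Host B for authorized_keys.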
This article is from the "Zengestudy" blog; please keep this source link: http://zengestudy.blog.51cto.com/1702365/1825623
SSH key authentication