Linux Nine Yin canon of nine yin Bones claw fragment 2 (SSH)

Source: Internet
Author: User

SSH

SSH: Secure remote Login

Two ways to authenticate a user login

Based on password

Based on key

Client

Common client tools: PuTTY, SecureCRT and Xshell on Windows; ssh, sftp, scp, slogin, etc. on Linux.

Configuration file: /etc/ssh/ssh_config

ssh command

Usage: ssh [email protected] CMD

Options:

-p port: remote server listening port

-b: specify the source IP of the connection

-v: debug mode

-C: compression mode

-X: support X11 forwarding

-Y: support trusted X11 forwarding

-t: force pseudo-TTY allocation. Example: ssh -t remoteserver1 ssh remoteserver2

SSH Client

When the client connects to the server for the first time, the server sends its own public key to the client, and the client saves it in ~/.ssh/known_hosts. You will not be asked about the key again the next time you connect.

SSH Service Login Verification

Password-based login verification

The steps are as follows:

(1) The client initiates an SSH request to the server, and the server sends its own public key to the client

(2) The client encrypts the user's password with the public key sent by the server

(3) The encrypted information is sent back to the server, which decrypts it with its own private key; if the password is correct, the user logs on successfully

Key-based login authentication

(1) First generate a pair of keys on the client (ssh-keygen)

(2) Copy the client's public key to the server (ssh-copy-id)

(3) When the client sends a connection request again, the request includes the IP and the user name

(4) After the server gets the client's request, it looks in authorized_keys; if there is an entry matching the IP and the user, it randomly generates a string, such as: ACDF

(5) The server encrypts the string using the public key copied from the client and sends it to the client

(6) After receiving the message from the server, the client decrypts it with the private key and sends the decrypted string to the server

(7) The server receives the string from the client, compares it with the string it generated, and allows password-free login if they match

Key-based authentication:

(1) Generate a key pair on the client

ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
(-t rsa specifies the key type, -P '' specifies an empty password, -f specifies the key file)

(2) Transfer the public key file to the home directory of the corresponding user on the remote server

ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

(3) Test

(4) Implement key-based verification in SecureCRT or Xshell
Use the SecureCRT tools to create a public key, which produces an Identity.pub file.
Convert it to an OpenSSH-compatible format (needed for SecureCRT; Xshell does not need the conversion) and copy it into the authorized_keys file on the host you need to log on to. Note that the permissions must be 600. On the SSH host you need to log on to, run:
ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys

(5) Reset the private key password:
ssh-keygen -p (encrypts the private key)

(6) Authentication agent: keeps the decrypted private key,
so the password only needs to be entered once
In GNOME, the agent is automatically provided to the root user
Otherwise run: ssh-agent bash

(7) Add the key to the agent with the command:
ssh-add

Example: Configuring a key-based, password-free login

1. Generate a key pair on client A, pressing the Enter key 3 times

[[email protected] ~/.ssh]# ssh-keygen

2. Pass the public key to the corresponding home directory on client B and rename it to authorized_keys

3. Check that the authorized_keys file exists in the ~/.ssh directory on client B

4. From client A, test the connection to client B; no password is needed and the login is direct
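Steps 2 and 3 are where a hand-copied key usually fails: sshd with its default StrictModes setting rejects key files that other users can write to, and the note above asks for mode 600. The script below is an added example, not part of the original article; install_pubkey and audit_ssh_dir are hypothetical helper names, the key is a constructed placeholder, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes Linux with GNU stat.

# install_pubkey PUBKEY_FILE SSH_DIR (hypothetical helper)
# Append a public key to SSH_DIR/authorized_keys with the modes sshd expects.
install_pubkey() {
    pub=$1; dir=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys" || return 1
    # -x whole line, -F fixed string: do not add the same key twice
    grep -qxF -- "$(cat "$pub")" "$dir/authorized_keys" ||
        cat "$pub" >> "$dir/authorized_keys"
}

# audit_ssh_dir SSH_DIR (hypothetical helper)
# Print every problem found; return 0 only when the directory is clean.
audit_ssh_dir() {
    dir=$1; ak=$1/authorized_keys; rc=0
    [ -f "$ak" ] || { echo "$ak: missing"; return 1; }
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "$dir: mode is not 700"; rc=1; }
    [ "$(stat -c %a "$ak")" = 600 ] || { echo "$ak: mode is not 600"; rc=1; }
    # The private key stays on the client; it must never be copied here.
    if grep -q 'PRIVATE KEY' "$ak"; then
        echo "$ak: contains private key material"; rc=1
    fi
    # Each entry needs a key type followed by a base64 blob (starts "AAAA").
    if grep -Ev '^[[:space:]]*(#|$)' "$ak" |
        grep -Evq '(ssh|ecdsa|sk)-[a-z0-9@.-]+ AAAA'; then
        echo "$ak: malformed entry"; rc=1
    fi
    return $rc
}

# Demo on constructed data in a scratch directory (not a real key).
demo() {
    tmp=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed root@clientA' \
        > "$tmp/id_rsa.pub"
    install_pubkey "$tmp/id_rsa.pub" "$tmp/.ssh" && audit_ssh_dir "$tmp/.ssh"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
demo && echo "authorized_keys OK"
```

On client B, running audit_ssh_dir ~/.ssh after the manual copy lists each problem that needs fixing before the test in step 4.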
