Password authentication to a server carries security risks; SSH key verification can effectively solve these security risks. You have to create a pair of keys for yourself and place the public key on the server you need to access. When you connect to an SSH server, the client software sends the server a request for security verification with your key. After the server receives the request, it looks for your public key in your home directory on the server and compares it to the public key you sent. If the two keys are consistent, the server encrypts a "challenge" with the public key and sends it to the client software. After the client software receives the challenge, it decrypts it with your private key and sends it to the server.
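The exchange as the paragraph above describes it, modelled with the openssl command line rather than an SSH client and server. This is an added example, not part of the original article; the function names and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration: the challenge exchange modelled with the openssl CLI.

make_keypair() {   # $1 = path prefix; writes $1.pem (private) and $1.pub (public)
    openssl genrsa -out "$1.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1.pem" -pubout -out "$1.pub" 2>/dev/null
}

challenge_login() {   # $1 = client's private key, $2 = public key stored on the server
    work=$(mktemp -d) || return 2
    # Server: random challenge, encrypted with the stored public key.
    openssl rand -hex 16 > "$work/challenge"
    openssl pkeyutl -encrypt -pubin -inkey "$2" \
        -in "$work/challenge" -out "$work/to_client" || { rm -rf "$work"; return 2; }
    # Client: decrypt with the private key, which never leaves the client.
    openssl pkeyutl -decrypt -inkey "$1" \
        -in "$work/to_client" -out "$work/response" 2>/dev/null || :
    # Server: accept only if the response equals the challenge it issued.
    rc=1
    if cmp -s "$work/challenge" "$work/response"; then rc=0; fi
    rm -rf "$work"
    return "$rc"
}

demo() {
    d=$(mktemp -d) || return 2
    make_keypair "$d/user" && make_keypair "$d/other" || { rm -rf "$d"; return 2; }
    if challenge_login "$d/user.pem" "$d/user.pub"; then echo "matching key: accepted"; fi
    if ! challenge_login "$d/other.pem" "$d/user.pub"; then echo "wrong key: rejected"; fi
    rm -rf "$d"
}
demo
```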
Connecting from Windows to Linux SSH using a key generated by Xshell
1. Create a new connection
2. Create a key
3. Encryption algorithm: here I choose RSA encryption, 1024-bit
4. To increase security, add a password to encrypt the key
5. Save the public key and upload it to the SSH server; this can be done with WinSCP, FTP, or by dragging the file directly into the Xshell SSH window.
6. Add the user dragon on the Linux server and assign a password
[[email protected] ~]# useradd dragon
You have new mail in /var/spool/mail/root
[[email protected] ~]# passwd dragon
Changing password for user dragon.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
7. Switch to the dragon user and ssh to the local host in order to generate the .ssh directory in the dragon user's home directory.
[[email protected] ~]# su dragon
[[email protected] ~]$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is c5:08:8a:e3:b9:fb:44:f4:0b:e3:9f:c4:d7:e2:11:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
[email protected]'s password:
[[email protected] ~]$ ls -a
. .. .bash_logout .bash_profile .bashrc .ssh
Put the public key in dragon's .ssh directory and change its permissions to 644
[[email protected] ~]# mv authorized_keys /home/dragon/.ssh/
[[email protected] ~]# chmod 644 /home/dragon/.ssh/authorized_keys
8. Switch back to root to modify the SSH configuration file; note that sshd_config is the SSH server configuration file.
Remove the comment markers from the following items.
[[email protected] dragon]# vim /etc/ssh/sshd_config
# turn on RSA encryption
RSAAuthentication yes
# enable public key authentication
PubkeyAuthentication yes
# key path
AuthorizedKeysFile .ssh/authorized_keys
# no root login
PermitRootLogin no
# turn off password verification
PasswordAuthentication no
After you finish editing, restart sshd
9. Connect to the server using Xshell on Windows
User dragon logs on to the server without a password
Last login: Fri Dec 5 20:29:09 from 192.168.1.111
[[email protected] ~]$
Root login with password authentication is rejected
SSH key verification between Linux and Linux
1. On the ssh-server, add the user admin and assign a password.
[[email protected] ~]# useradd admin
[[email protected] ~]# passwd admin
Changing password for user admin.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
2. Switch to admin and, in its home directory, ssh to the local host to generate .ssh
[[email protected] ~]$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is c5:08:8a:e3:b9:fb:44:f4:0b:e3:9f:c4:d7:e2:11:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
[email protected]'s password:
[[email protected] ~]$ ls -a
. .. .bash_logout .bash_profile .bashrc .ssh
[[email protected] ~]$
3. Switch back to root and modify the configuration file /etc/ssh/sshd_config
# turn on RSA encryption
RSAAuthentication yes
# enable public key authentication
PubkeyAuthentication yes
# key path
AuthorizedKeysFile .ssh/authorized_keys
# no root login
PermitRootLogin no
# turn off password verification
PasswordAuthentication no
4. Generate the public key on the client and upload it to the ssh-server with scp
[root$localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
57:10:42:a9:87:d8:03:1d:f0:b0:f0:4d:5d:08:ea:[email protected]
[root$localhost ~]$ ls .ssh
id_rsa id_rsa.pub known_hosts
[root$localhost .ssh]$ scp id_rsa.pub [email protected]:/root/
The authenticity of host '192.168.24.169 (192.168.24.169)' can't be established.
RSA key fingerprint is 01:77:02:41:8b:f3:86:3e:e9:58:b3:f2:91:34:91:90.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.149' (RSA) to the list of known hosts.
[email protected]'s password:
id_rsa.pub 100% 409 0.4KB/s 00:00
5. On the ssh-server, store the public key in /home/admin/.ssh/ and change the permissions to 644
[[email protected] ~]# mv id_rsa.pub /home/admin/.ssh/authorized_keys
[[email protected] ~]# chmod 644 /home/admin/.ssh/authorized_keys
6. The client accesses the ssh-server via the key; root is denied access.
[root$localhost .ssh]$ ssh -l admin 192.168.1.149
Last login: Thu Mar 20:28:28 from localhost.localdomain
[[email protected] ~]$
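Both walkthroughs depend on the sshd_config step taking effect: a directive that is still commented out, or that appears after an earlier conflicting line, leaves password login enabled. The following check is an added example, not part of the original article; the function names and the sample configuration are constructed, and it reads only the global section before the first Match block without following Include files.

```shell
#!/bin/sh
# Added example. sshd keeps the FIRST value it reads for a keyword, matches
# keywords case-insensitively, and ignores lines that still start with '#'.

effective() {   # $1 = config file, $2 = keyword; prints the global value or "unset"
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        { key = tolower($1) }
        key == "match" { exit }              # the global section ends here
        key == tolower(want) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_sshd_config() {   # $1 = config file; prints findings, returns their count
    findings=0
    # Columns: keyword, wanted value, value assumed when the keyword is unset.
    while read -r key want default; do
        got=$(effective "$1" "$key")
        if [ "$got" = unset ]; then got=$default; fi
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key is effectively '$got', wanted '$want'"
            findings=$((findings + 1))
        fi
    done <<EOF
PasswordAuthentication no yes
PermitRootLogin no version-dependent-default
PubkeyAuthentication yes yes
EOF
    return "$findings"
}

# Constructed sample: the intended line is still commented out, and the
# lowercase override arrives after sshd has already accepted "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
passwordauthentication no
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF
audit_sshd_config "$sample" || echo "$? finding(s) in sample"
rm -f "$sample"
```

On the server itself, running `sshd -T` as root prints the effective configuration sshd computes and is the authoritative check.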
This article is from the "Dragon Love Xue Qi" blog; reprinting is declined.