[Go] SSH key authentication mechanism

Source: Internet
Author: User
Tags: ssh, server

SSH login verification with RSA key pair

The advantages of authenticating SSH with an RSA key pair are 1) no password to type and 2) better security than password authentication. The disadvantages are 1) the initial setup is a bit of a hassle and 2) the private key must be kept safe. On the whole, key authentication is more convenient than password authentication, and every user is recommended to use it.

Directory

    1. Generate a key pair
    2. Upload the key
    3. ~/.ssh file permissions
    4. Done
    5. Appendix: The principle of public key cryptography
      1. Further reading

1. Generate a key pair

OpenSSH provides ssh-keygen for generating a key pair; it can be invoked without any arguments:

    % ssh-keygen
    Generating public/private rsa key pair.

If you have not generated a key pair before, just press Enter at the first prompt to accept the default file name. You will then be asked for a "passphrase", which is the password used to encrypt the private key. If you are not sure how to use it, leave it empty (which, of course, reduces security). After pressing Enter twice, the key pair is generated:

    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/xiaq/.ssh/id_rsa.2.
    Your public key has been saved in /home/xiaq/.ssh/id_rsa.2.pub.
    The key fingerprint is:
    8a:77:ec:a1:77:42:8d:5d:ab:17:33:ac:87:06:20:3c [email protected]
    The key's randomart image is:
    +--[ RSA 2048]----+
    [randomart image omitted]
    +-----------------+

The rest of the fancy output can be ignored. You now have a pair of keys at the location you specified: the private key has the name you gave, and the public key has the same name with a ".pub" suffix.

Don't share your private key with anyone. Public keys can be distributed freely.

2. Upload the key

Upload your public key to the remote SSH server with scp, then append its contents to ~/.ssh/authorized_keys on the server:

    % scp ~/.ssh/id_rsa.pub [email protected]:
    % ssh [email protected]
    % cat id_rsa.pub >> ~/.ssh/authorized_keys

Or, equivalently,

    % cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat >> ~/.ssh/authorized_keys'

Comment: as the name implies, authorized_keys can hold several public keys, hence cat id_rsa.pub >> ~/.ssh/authorized_keys. If the file did not exist before, cp id_rsa.pub ~/.ssh/authorized_keys works just as well.

If there is no ~/.ssh directory on the server yet, create it.

Note: OpenSSH ships a script, ssh-copy-id, for uploading the public key. It automates the steps above; run it on your own machine:

    $ ssh-copy-id -i .ssh/id_rsa.pub [email protected]

See man ssh-copy-id; the full syntax is ssh-copy-id [-i public_key] [user@]machine.

3. ~/.ssh file permissions

To prevent a malicious user from obtaining or tampering with your private key, or from tampering with your public-key information, SSH has strict requirements on the permissions of the files under ~/.ssh. If the permissions are wrong, public key authentication does not work.

Note: strictly speaking, this depends on the sshd configuration. For security reasons, however, the file permissions should be set as follows anyway.

On both the local and the remote machine, verify that only you have rwx permission on the ~/.ssh directory and that nobody else has any permission:

    % pwd
    /home/xiaq
    % chmod 700 .ssh
    % ls -dl .ssh
    drwx------ 2 xiaq xiaq 4096 Jun  6 11:29 .ssh/

On the local machine, confirm that only you have rw permission on the private key and that nobody else has any permission:

    % pwd
    /home/xiaq/.ssh
    % chmod 600 id_rsa
    % ls -l id_rsa
    -rw------- 1 xiaq xiaq 1679 Apr  1 20:39 id_rsa

Similarly, verify that only you have rw permission on ~/.ssh/authorized_keys on the remote machine:

    % pwd
    /home/xiaq/.ssh
    % ls -l authorized_keys
    -rw------- 1 xiaq xiaq 394 2011-04-18 13:40 authorized_keys
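The checks of this section as a script, added here as an example and not part of the original article: it reads the symbolic mode from ls (so it behaves the same on GNU and BSD systems) and prints the chmod the text prescribes for every file that deviates. The StrictModes check in sshd, which the note above alludes to, rejects a .ssh directory or authorized_keys file that is writable by others; this script assumes nothing beyond a POSIX sh with ls and cut.

```shell
#!/bin/sh
# Added example (not from the original post): audit the permission bits on a
# .ssh directory the way section 3 describes, so sshd's StrictModes check and
# ssh's own private-key permission check both pass. Assumes a POSIX sh with
# ls(1) and cut(1). The directory is passed as an argument so the script can
# be run against a test copy as well as the real ~/.ssh.

# Symbolic mode of a path, e.g. "drwx------" (columns 1-10 of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds only when group and other have no permission bits at all.
private_enough() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Audit one .ssh directory: print a suggested fix for each problem found and
# return the number of problems (0 means everything matches the article).
audit_ssh_dir() {
    dir=$1
    problems=0
    if ! private_enough "$dir"; then
        echo "FIX: chmod 700 $dir   (currently $(mode_of "$dir"))"
        problems=$((problems + 1))
    fi
    # authorized_keys and every private key (id_* without .pub) must be 600;
    # public keys (.pub) may stay world-readable, so they are skipped.
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        if ! private_enough "$f"; then
            echo "FIX: chmod 600 $f   (currently $(mode_of "$f"))"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Usage: sh ssh-perm-audit.sh ~/.ssh   (exit status = number of problems)
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```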

4. Done

If all goes well, you can now ssh in directly without a password.

However, if you set a passphrase when generating the key pair (for better security), ssh will ask for it at every login. To avoid typing it each time, use ssh-agent and ssh-add: ssh-agent is started as a daemon in the X session or login session and holds the private keys used for public key authentication, and other programs act as ssh-agent clients to authenticate automatically within that session. On Debian and Fedora, ssh-agent is started automatically.

To add a private key, use ssh-add:

    ssh-add id_rsa_file

Without a file argument, $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity are added. ssh-add asks for the passphrase once; SSH logins in the same session no longer require it.

5. Appendix: The principle of public key cryptography

Public-key cryptography, also called asymmetric key cryptography, is a widely used class of cryptographic algorithms. Such algorithms use a pair of keys, a public key and a private key. The public key can be freely distributed and is used only for encryption; the private key is held by one party only and is used only for decryption. Anything encrypted with the public key can be recovered with the private key, and vice versa.

The key point of public-key cryptography is that, on the one hand, encryption is reversible, while on the other hand the private key cannot be inferred from the public key. In principle the private key is determined by the public key and could be computed from it, but as long as the algorithm is well designed (and the key pair is sufficiently large) this cannot be done in an acceptable amount of time.

RSA is a common public-key encryption algorithm. Its security relies on the fact that recovering an RSA private key requires factoring a very large integer, and no fast algorithm for factoring large integers is known. In other words, if someone finds such an algorithm, RSA encryption fails all over the world.

RSA was introduced in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman, who received the 2002 Turing Award for this work. Incidentally, Rivest is also a coauthor of Introduction to Algorithms, whose chapter 31 briefly explains the RSA system; the system rests on the Euler-Fermat theorem of number theory.
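As an added illustration (not from the original post), here is the Euler-Fermat argument that makes RSA decryption undo encryption, followed by the small textbook parameters often used to check it by hand (the numbers are chosen for illustration only; real keys use primes of over a thousand bits).

Key generation: pick distinct primes $p, q$, set $n = pq$ and $\varphi(n) = (p-1)(q-1)$, choose $e$ with $\gcd(e, \varphi(n)) = 1$, and let $d \equiv e^{-1} \pmod{\varphi(n)}$, so that $ed = 1 + k\varphi(n)$ for some integer $k$. The public key is $(n, e)$, the private key is $d$.

Encryption of a message $0 \le m < n$: $c = m^e \bmod n$. Decryption: $c^d \bmod n$. For $\gcd(m, n) = 1$, Euler's theorem gives $m^{\varphi(n)} \equiv 1 \pmod n$, hence

$$c^d \equiv m^{ed} = m^{1 + k\varphi(n)} = m \cdot \bigl(m^{\varphi(n)}\bigr)^k \equiv m \cdot 1^k = m \pmod n.$$

If $p \mid m$, then $m^{ed} \equiv 0 \equiv m \pmod p$, and Fermat's little theorem gives $m^{ed} \equiv m \pmod q$ because $(q-1) \mid \varphi(n)$; the Chinese remainder theorem combines the two congruences into $m^{ed} \equiv m \pmod n$ (symmetrically for $q \mid m$), so decryption is correct for every $m$.

Computing $d$ from the public key requires $\varphi(n)$, and knowing $\varphi(n)$ together with $n$ reveals $p$ and $q$ (they are the roots of $x^2 - (n - \varphi(n) + 1)x + n$), which is why recovering the private key is as hard as factoring $n$.

Worked check: $p = 61$, $q = 53$, $n = 3233$, $\varphi(n) = 60 \cdot 52 = 3120$, $e = 17$, $d = 2753$ (indeed $17 \cdot 2753 = 46801 = 15 \cdot 3120 + 1$). For $m = 65$: $c = 65^{17} \bmod 3233 = 2790$, and $2790^{2753} \bmod 3233 = 65$.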

Comment: nevertheless, factoring very large integers is still possible in practice. RSA Laboratories has run several reward challenges for breaking RSA; see the RSA Secret-Key Challenge for more information.

Although advances in cryptography have put the security of RSA under growing pressure, the probability that a polynomial-time algorithm for breaking RSA appears in the future is very small. In other words, except for military, financial and other high-risk targets, RSA remains applicable.

5.1. Further Reading

Public-key cryptography (Wikipedia: public-key_cryptography)
