SSH is a secure channel protocol used for remote logon. On RHEL 5 systems the OpenSSH server is provided by the openssh and openssh-server packages (installed by default) and runs as a standard system service. Basic usage is as follows:
$ ssh host
$ ssh username@host
$ ssh -p 222 username@host
# -p: specifies the port to connect to. If omitted, the default SSH port 22 is used.
If you log on to a host for the first time, the system displays the following prompt:
The authenticity of host 'host (192.168.0.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?
This means the client cannot confirm the authenticity of the host: it only knows the host's public key fingerprint and asks whether you want to continue. The only sound basis for answering yes is to compare that fingerprint with one obtained out of band (for example from the host's administrator); answering yes blindly accepts whichever host is answering on that address.
After you enter yes, a message is displayed indicating that the host has been recorded:
Warning: Permanently added 'host,192.168.0.21' (RSA) to the list of known hosts.
Then enter the password:
Password: (enter password)
If the password is correct, you are logged on.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In a trusted environment, entering a password on every remote logon is a waste of time, especially when the password is complex and many servers are maintained.
Public key authentication lets you log on remotely without entering a password.
The steps are as follows:
1. Generate a key pair (public key and private key) locally:
$ ssh-keygen
# The command above is equivalent to: ssh-keygen -t rsa
# -t: specifies the key type; the default is the SSH-2 rsa type
After running the command, the system displays a series of prompts; you can press Enter through all of them. One prompt deserves attention: whether to set a passphrase for the private key. If you are worried about the security of the private key (anyone who obtains the file can use it), set one. Afterwards two new files are generated under ~/.ssh/: id_rsa.pub and id_rsa. The former is the public key, the latter is the private key.
2. Send the public key to the remote host:
$ ssh-copy-id user@host
After these two steps, you can log on remotely without a password (the remote host stores the user's public key in its ~/.ssh/authorized_keys file).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FAQs:
1. After the key is generated and uploaded to the remote host, password-less logon still does not work.
Open /etc/ssh/sshd_config on the remote host and make sure the following lines are present and not commented out:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Also check the permissions on the remote host: ~/.ssh should be mode 700 and ~/.ssh/authorized_keys mode 600, since sshd (with StrictModes, the default) ignores keys in files or directories writable by others.
Then restart the ssh service on the remote host:
# Ubuntu system
$ service ssh restart
# Debian system
$ /etc/init.d/ssh restart
2. When running ssh-copy-id, the SSH service on the remote server is not on port 22, and the command fails as shown below:
$ ssh-copy-id nameB@machineB
ssh: connect to host machineB port 22: Connection refused
Run the following command instead (older ssh-copy-id versions only accept the port as part of a quoted argument; current versions also accept -p 22000 directly):
$ ssh-copy-id "-p 22000 nameB@machineB"
3. The warning "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" appears when you connect to the remote host through ssh.
Cause analysis: the host key saved locally no longer matches the one the server presents, which happens when the system is reinstalled or the account information is modified. The same warning is exactly what a host impersonating the server would produce, so confirm with the host's administrator that the key really was regenerated before trusting the new one.
Solution: delete the stale key and let it be recorded again on the next connection.
vi ~/.ssh/known_hosts
Find the line whose host field matches the remote host's IP address (or name) and delete it.
Additional content:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.0.2
$ ssh-copy-id -u eucalyptus -i /home/eucalyptus/.ssh/id_rsa.pub eucalyptus@remote_host
# -u: set up password-free logon for the eucalyptus user
# -i: specifies the public key file to install. If omitted and ~/.ssh/identity.pub is inaccessible (does not exist), ssh-copy-id reports the following error:
/usr/bin/ssh-copy-id: ERROR: No identities found
SSH provides two logon verification methods:
1. Password verification: the login name and password of a local system user on the server are checked.
2. Key pair verification: the client must present key information matching what the server holds. Typically a key pair (public key and private key) is created on the client, and the public key file is placed in the specified location on the server.
Note: When both password verification and key verification are enabled, the server gives priority to key verification.
SSH service configuration file:
The sshd service configuration file is /etc/ssh/sshd_config. Adjusting the related configuration items correctly further improves the security of sshd remote logon.
The configuration file content can be divided into the following three parts:
# 1. SSH server listening options
# listening port
Port 22
# use SSH protocol version 2
Protocol 2
# listening address (all addresses)
ListenAddress 0.0.0.0
# disable reverse DNS resolution
UseDNS no
# 2. User logon control options
# whether root may log on
PermitRootLogin no
# whether users with an empty password may log on
PermitEmptyPasswords no
# time allowed to complete logon authentication (2 minutes)
LoginGraceTime 2m
# maximum number of authentication retries
MaxAuthTries 6
# only the listed users may log on (the opposite of the DenyUsers option)
AllowUsers user
# 3. Logon authentication options
# enable password authentication
PasswordAuthentication yes
# enable public key authentication
PubkeyAuthentication yes
# public key database file
AuthorizedKeysFile .ssh/authorized_keys
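To check a real server against the template above, here is an added example (it is not from the original article) of a small POSIX shell audit: it reads an sshd_config file, takes the first uncommented occurrence of each keyword the way sshd itself does, and reports every setting that is weaker than the value recommended above. The two sample configuration files, the function names and the list of keywords checked are constructed for this example; it assumes the plain "Keyword value" syntax shown in the template (no "Keyword=value" form and no Match blocks).

```shell
#!/bin/sh
# Added example, not part of the original article: audit an sshd_config
# file against the hardening values recommended above.
# Assumptions: plain "Keyword value" lines, no Match blocks. Like sshd, the
# FIRST uncommented occurrence of a keyword is the effective one, and
# keywords are matched case-insensitively. A keyword that is not set at all
# is reported as well, so that every value is made explicit as in the
# template above.

# Print the effective value of KEYWORD in FILE, or "unset" if absent.
sshd_value() {
    file=$1; key=$2
    val=$(awk -v k="$key" \
        '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Audit FILE. Each weak setting is reported on stderr as
#   WEAK <keyword>=<value> (recommended <value>)
# and the number of weak settings is printed on stdout.
audit_sshd_config() {
    file=$1
    weak=0
    # keyword:recommended value, taken from the hardening notes above
    for rule in PermitRootLogin:no PermitEmptyPasswords:no Protocol:2 \
                UseDNS:no PubkeyAuthentication:yes MaxAuthTries:6; do
        key=${rule%%:*}; want=${rule#*:}
        have=$(sshd_value "$file" "$key")
        if [ "$key" = MaxAuthTries ]; then
            # MaxAuthTries is a ceiling: anything up to the recommended value is fine
            case $have in
                unset)    ok=1 ;;   # sshd's built-in default is 6
                *[!0-9]*) ok=0 ;;   # not a number: treat as misconfigured
                *) if [ "$have" -le "$want" ]; then ok=1; else ok=0; fi ;;
            esac
        elif [ "$have" = "$want" ]; then
            ok=1
        else
            ok=0
        fi
        if [ "$ok" -eq 0 ]; then
            echo "WEAK $key=$have (recommended $want)" >&2
            weak=$((weak + 1))
        fi
    done
    echo "$weak"
}

# Constructed sample files (not real server configs).
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF=$SAMPLE_DIR/weak_sshd_config
GOOD_CONF=$SAMPLE_DIR/good_sshd_config

# Weak sample: legacy protocol 1 still allowed, root logon on, too many tries.
cat > "$WEAK_CONF" <<'EOF'
# constructed sample with several weak settings
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
UseDNS no
PermitRootLogin yes
PermitEmptyPasswords no
MaxAuthTries 10
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF

# Good sample: the hardened template from the article.
cat > "$GOOD_CONF" <<'EOF'
Port 22
Protocol 2
ListenAddress 0.0.0.0
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
LoginGraceTime 2m
MaxAuthTries 6
AllowUsers user
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF

echo "weak sample: $(audit_sshd_config "$WEAK_CONF") weak setting(s)"   # 3
echo "good sample: $(audit_sshd_config "$GOOD_CONF") weak setting(s)"   # 0
```

Run it against a live server with audit_sshd_config /etc/ssh/sshd_config. The weak sample trips three checks (Protocol 2,1, PermitRootLogin yes and MaxAuthTries 10); the template from the article passes cleanly. PasswordAuthentication is deliberately not flagged because the article keeps it enabled alongside key authentication.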
Command to view the SSH service status: /etc/init.d/sshd status
Command to restart the SSH service: /etc/init.d/sshd restart
Run the following command to view the ssh software version: $ ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003 # indicates that the system is using OpenSSH
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu # indicates that the system is using SSH2
When the public key of the remote host is accepted, it is saved in the file $HOME/.ssh/known_hosts. The next time you connect to that host, the system recognizes that its public key is already saved locally, skips the warning and prompts for the password.
Each SSH user has a known_hosts file of their own, and the system also has one, usually /etc/ssh/ssh_known_hosts, which holds the public keys of remote hosts trusted for all users.
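The known_hosts lookup just described, and the stale-entry removal from FAQ item 3, both come down to matching the comma-separated host field of each line. As an added example (not from the original article), here are two POSIX shell functions that do exactly that on the plain "host,ip keytype key" format the article describes: one answers whether a host is already known and with which key type, the other deletes only the matching entries and leaves everything else, comments included, untouched. The sample file and its placeholder key strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: inspect and edit a
# known_hosts file with POSIX awk. Assumes plain (unhashed) entries of the
# form "host[,host...] keytype base64key". Hashed entries (lines beginning
# with "|1|", written when HashKnownHosts is on) cannot be matched by name
# this way; use "ssh-keygen -R host" for those.

# Constructed sample; the key material is placeholder text, not real keys.
KH=$(mktemp -d)/known_hosts
cat > "$KH" <<'EOF'
# constructed sample known_hosts
host,192.168.0.21 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDER1
machineB ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2
192.168.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDER3
EOF

# Print the key type of every entry whose host list contains NAME
# (a host name or IP address), one per line. Exit status 1 if NAME is unknown.
known_hosts_lookup() {
    file=$1; name=$2
    awk -v h="$name" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2; found = 1; break }
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Remove every entry whose host list contains NAME; all other lines are kept
# byte for byte. Prints the number of entries removed.
known_hosts_remove() {
    file=$1; name=$2
    count=$(known_hosts_lookup "$file" "$name" | awk 'END { print NR }')
    tmp=$file.tmp
    awk -v h="$name" '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) next     # drop this entry
            print
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
    echo "$count"
}

# Demonstration on a copy, so the sample file itself stays intact.
DEMO=$KH.demo
cp "$KH" "$DEMO"
echo "192.168.0.21 is known with key type: $(known_hosts_lookup "$DEMO" 192.168.0.21)"
echo "removed $(known_hosts_remove "$DEMO" 192.168.0.21) entry for 192.168.0.21"
known_hosts_lookup "$DEMO" host >/dev/null || echo "host is no longer known"
```

Because "host,192.168.0.21" is a single entry listing two names, removing it by IP address also removes the name; that matches what the article tells you to delete in FAQ item 3. In practice ssh-keygen -R host performs the same removal with the real tool and also handles hashed entries; the awk version is here to make the file format visible.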