Linux password-Free login detailed

Source: Internet
Author: User

In order to better understand the principle of SSH password-free login, we first say that SSH security authentication, SSH using "asymmetric Key System", known as public key private key encryption system, its security verification is divided into two levels.

1. Password-based security verification

This method uses the username password to log on online, which is generally the way we use it. The whole process is roughly as follows:

(1) The client initiates the connection request.

(2) The remote host receives the user's login request and sends its own public key to the client.

(3) The client receives the public key of the remote host, encrypts the login password with the public key of the remote host, and sends the encrypted login password together with its own public key to the remote host.

(4) The remote host receives the client's public key and encrypted login password, with its own private key to decrypt the login password received, if the password is correct to allow login, so that the two sides have each other's public key, start two-way encryption and decryption.

PS: When another spoofed server in the network Impersonate a remote host, the client's connection request is intercepted by Server B, and Server B sends its own public key to the client, the client encrypts the password and sends it to the spoofed server, and the spoofed server can take its private key to get the password and do whatever it wants. Therefore, when you first link to the remote host, in step (3) of the above step, you will be prompted the current remote host "public key fingerprint" to confirm whether the remote host is a genuine remote host, if you choose to continue to enter a password to log in, when the remote host accepts, the server's public key will be saved to ~/. The ssh/known_hosts file.

2. Secret key-based security verification

In this way you need to create a pair of keys for yourself in the current user's home directory and place the public key on the server that needs to be logged in. When you want to connect to the server, the client requests the server to use the key for secure authentication. After the server receives the request, it looks for your public key in the home directory of the user you requested to log on to, and then compares it with the public key that you sent over. If the two keys are the same, the server encrypts the "challenge" with the public key and sends it to the client. After the client receives a "challenge", it decrypts it with its own private key and sends it to the server. The second level does not require a password to be sent over the network compared to the first level.

PS: Simply put, the client's public key is placed on the server, then the client can password-free login to the server, then the client's public key should be placed on the server where? The default is the. SSH directory under the home directory of the user you want to log in to the Authorized_keys file (ie: ~/.ssh/authorized_keys).

3. Usage Scenarios

Rsync Automatic backup password-free login, the cluster environment needs to communicate with each other in the host, such as: Hadoop, the current small series only involves these two places, in the future there are other places to use to add ~

3. Related Configuration Items

The configuration file for the SSHD service is located in/etc/ssh/sshd_config

Configuration Item One: pubkeyauthentication whether to allow login with key authentication

Configuration item Two: Authorizedkeysfile allows the public key of the login host to store the file, default to the user's home directory. Ssh/authorized_keys

4. Permissions issues

. ssh folder chmod. ssh

Authorized_keys file 644 chmod 644. Ssh/authorized_keys

5. Configuration implementation


SSH login with no password to use the public and private keys. Linux can be used to generate a public/private key pair with Ssh-keygen, below I take CentOS as an example.

There is machine A (192.168.1.155), B (192.168.1.181). Now want to a through SSH password-free login to B.

1. Generate a public/private key pair under the a machine.

[[email protected] ~]$ ssh-keygen-t rsa-p '


-P for the password,-p ' means the empty password, you can not use the-p parameter, so that three cars to enter, with-P on a return.
It generates the. SSH directory under/HOME/CHENLB, with Id_rsa and id_rsa.pub under SSH.

2. Copy the id_rsa.pub under the A machine to B machine, in the. ssh/authorized_keys file of B machine, I use SCP to copy.

[Email protected] ~]$ SCP. ssh/id_rsa.pub [Email protected]:/home/chenlb/id_rsa.pub
[Email protected] ' s Password:

Id_rsa.pub 100% 223 0.2kb/s 00:00


Since there is no password-free login, enter the password.

The 3.B machine adds the id_rsa.pub copied from a machine to the. ssh/authorzied_keys file.

[email protected] ~]$ cat id_rsa.pub >>. Ssh/authorized_keys
[Email protected] ~]$ chmod Ssh/authorized_keys


Authorized_keys's permission.

4.A Machine login B machine.

[[email protected] ~]$ ssh 192.168.1.181
The authenticity of host'192.168.1.181 (192.168.1.181)'Can't be established.
RSA Key Fingerprint is00:a6:a8:87:eb:c7:40:10:39:cc:a0:eb:50:d9:6a:5b.
Is you sure-want toContinueConnecting (yes/no)? Yes
Warning:permanently added'192.168.1.181'(RSA) to the list of known hosts.
Last Login:thu Jul 3 09:53:18 2008 fromChenlb
[Email protected] ~]$

The first time you log in is when you want to enter Yes.

now a machine can be no password login B machine.

Summary: Log on the machine can have a private key, the machine to be logged on to have the public key of the machine. This public/private key pair is typically generated on the private key host. Above is the RSA algorithm's public/private key pair, of course, you can also use DSA (the corresponding file is id_dsa,id_dsa.pub)

want to let A, B machine without password mutual login, that machine is configured in the same manner as above.

This article is from the "Dream to Reality" blog, please be sure to keep this source http://lookingdream.blog.51cto.com/5177800/1826642

Linux password-Free login detailed

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.