I. Remote Login method
SSH is a secure channel protocol used primarily for remote login. On RHEL 5, the OpenSSH server is provided by packages such as openssh and openssh-server, which are installed by default, and sshd is registered as a standard system service. It is used as follows:
The code is as follows:
$ ssh host
$ ssh username@host
$ ssh -p 222 username@host
-p: specifies the port to connect to; if this argument is omitted, the SSH service's default port, 22, is used.
If you are logged on to the other host for the first time, a prompt appears:
The code is as follows:
The authenticity of host 'host (192.168.0.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?
This message says that the authenticity of the host cannot be confirmed and only its public key fingerprint is known, and asks whether you still want to continue connecting.
After you enter yes, a message appears indicating that the host has been accepted.
The code is as follows:
Warning: Permanently added 'host,192.168.0.21' (RSA) to the list of known hosts.
Then ask for a password:
The code is as follows:
$ Password: (enter password)
At this point, if the password is correct, you are logged in.
II. Password-free login method
In a trusted environment, entering a password for every remote login wastes time, especially when the passwords are complex and there are many servers to maintain.
So there is a common need: remote login without having to enter a password.
The implementation steps are as follows:
1, generate a key pair (public and private key) locally;
The code is as follows:
$ ssh-keygen
# The above command is equivalent to ssh-keygen -t rsa
# -t: specifies the key type; the default is the RSA type for SSH-2
After you run the above command, a series of prompts appears, and you can press Enter through all of them. One of the prompts asks whether to set a password (passphrase) for the private key; if you are concerned about the security of the private key, set one. When the command finishes, two new files are created in the ~/.ssh/ directory: id_rsa.pub and id_rsa. The former is the public key, the latter is the private key.
2, transfer the public key to the remote host;
The code is as follows:
$ ssh-copy-id user@host
After these two steps, you can log in remotely without a password (the remote host saves the user's public key in the ~/.ssh/authorized_keys file).
III. Frequently asked questions:
1, the key has been generated and uploaded to the remote host, but password-free login still does not work?
Open the file /etc/ssh/sshd_config on the remote host and uncomment the following lines.
The code is as follows:
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
Then restart the SSH service on the remote host.
The code is as follows:
# Ubuntu system
$ service ssh restart
# Debian system
$ /etc/init.d/ssh restart
2, running ssh-copy-id fails when the SSH service port of the remote server is not 22, as follows:
The code is as follows:
$ ssh-copy-id nameb@machineb
ssh: connect to host machineb port 22: Connection refused
The following command is used instead:
The code is as follows:
$ ssh-copy-id "-p 22000 nameb@machineb"
IV. Supplementary content:
The code is as follows:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.0.2
$ ssh-copy-id -u eucalyptus -i /home/eucalyptus/.ssh/id_rsa.pub eucalyptus@remote_host
# -u: set up password-free login for the eucalyptus user
# -i: when no value is passed, or the ~/.ssh/identity.pub file is inaccessible (does not exist), ssh-copy-id displays the following error
/usr/bin/ssh-copy-id: ERROR: No identities found
SSH provides two types of login authentication:
1, password authentication: the server verifies the login name and password of a local system user.
2, key authentication: matching key information must be provided to pass verification. Typically you create a key pair (public and private key) on the client and then place the public key file at the designated location on the server.
Note: when both password authentication and key authentication are enabled, the server tries key authentication first.
V. Configuration file for SSH service:
The configuration file for the sshd service is /etc/ssh/sshd_config by default; adjusting the relevant configuration items can further improve the security of sshd remote login.
The contents of the configuration file can be divided into the following three sections:
The code is as follows:
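# Options for what the SSH server listens on
# Listening port
Port 22
# Use SSH protocol version 2
Protocol 2
# Listen on all addresses
ListenAddress 0.0.0.0
# Disable reverse DNS lookups
UseDNS no
# User login control options
# Whether the root user may log in
PermitRootLogin no
# Whether users with empty passwords may log in
PermitEmptyPasswords no
# Time allowed for login authentication (2 minutes)
LoginGraceTime 2m
# Maximum number of retries
MaxAuthTries 6
# Allow only the user "user" to log in; the opposite of the DenyUsers option
AllowUsers user
# Login authentication methods
# Enable password authentication
PasswordAuthentication yes
# Enable key authentication
PubkeyAuthentication yes
# Specify the public key database file
AuthorizedKeysFile .ssh/authorized_keys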
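An added example (not from the original article) that reads an sshd_config the way sshd does, with case-insensitive keywords and the first value read for a keyword taking effect, and reports the login options from the listing above that are set to a weak value. The POLICY table and the sample file are assumptions made for this example.

```python
# Assumed review policy for this added example: keyword -> (weak values, reason).
POLICY = {
    "protocol": ({"1", "1,2", "2,1"}, "SSH protocol 1 is enabled"),
    "permitrootlogin": ({"yes"}, "root can log in directly"),
    "permitemptypasswords": ({"yes"}, "accounts with empty passwords can log in"),
    "passwordauthentication": ({"yes"}, "password logins remain possible alongside keys"),
}

# Constructed sample file, not taken from a real server.
SAMPLE = """\
# constructed sample
Port 22
Protocol 2
PermitRootLogin no
permitrootlogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
PubkeyAuthentication yes
"""

def effective_settings(config_text):
    """Return {keyword: value} as sshd would apply it.

    Keywords are case-insensitive and the first value read for a keyword
    is the one used, so a later duplicate line changes nothing.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out option
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(config_text):
    """Return (keyword, value, reason) for every explicitly set weak option.

    Options missing from the file fall back to sshd's built-in defaults
    and are not judged here.
    """
    settings = effective_settings(config_text)
    return [(key, settings[key], reason)
            for key, (weak, reason) in POLICY.items()
            if settings.get(key) in weak]

if __name__ == "__main__":
    for keyword, value, reason in audit(SAMPLE):
        print(f"{keyword} {value}: {reason}")
```

In the sample, the second permitrootlogin line has no effect because the earlier "PermitRootLogin no" was read first.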
Command to view the SSH service status: /etc/init.d/sshd status
Command to restart the SSH service: /etc/init.d/sshd restart
Command to view the version number of the SSH software: $ ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003 # indicates that the system uses OpenSSH
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu # indicates that the system uses SSH2
When a remote host's public key is accepted, it is saved in the file $HOME/.ssh/known_hosts. The next time you connect to this host, the system recognizes that its public key is already saved locally, skips the warning and goes straight to the password prompt.
Each SSH user has his or her own known_hosts file, and the system also has one such file, usually /etc/ssh/ssh_known_hosts, which holds the public keys of remote hosts that are trusted for all users.
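The known_hosts check described above, together with the fingerprint format shown in the first-connection prompt, as an added Python example (not from the original article). The key blobs are constructed placeholders rather than real RSA keys, and only plain entries are handled: hashed host names and marker lines are skipped, and wildcard or [host]:port patterns are not interpreted.

```python
import base64
import hashlib

# Constructed stand-ins for public key blobs; host name and address are the
# ones used in the article's prompt.
KEY_A = base64.b64encode(b"constructed host key A").decode()
KEY_B = base64.b64encode(b"constructed host key B").decode()
KNOWN_HOSTS = "# constructed sample\nhost,192.168.0.21 ssh-rsa " + KEY_A + "\n"

def md5_fingerprint(key_b64):
    """MD5 of the decoded key blob as colon-separated hex pairs, the
    format printed in the 'RSA key fingerprint is ...' prompt."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_known_hosts(text):
    """Yield (host_names, key_type, key_b64) for each plain entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@" or line.startswith("|1|"):
            continue  # comment, @marker line, or hashed host name
        fields = line.split()
        if len(fields) >= 3:
            yield fields[0].split(","), fields[1], fields[2]

def check_host(known_hosts_text, host, key_type, key_b64):
    """Classify the key a server presents for `host`.

    'match'   - same key as stored: connect without a warning
    'unknown' - no entry: show the fingerprint and ask yes/no
    'changed' - entry exists with a different key: refuse and warn
    """
    entry_seen = False
    for names, stored_type, stored_key in parse_known_hosts(known_hosts_text):
        if host in names and stored_type == key_type:
            if stored_key == key_b64:
                return "match"
            entry_seen = True
    return "changed" if entry_seen else "unknown"

if __name__ == "__main__":
    print(check_host(KNOWN_HOSTS, "host", "ssh-rsa", KEY_A))
    print(check_host(KNOWN_HOSTS, "host", "ssh-rsa", KEY_B))
    print(md5_fingerprint(KEY_A))
```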