Linux uses Ssh-keygen to implement SSH login without password

Source: Internet
Author: User
Tags: scp command

First, an introduction to the principle:

1. The basic principle of SSH public key authentication:

SSH is a protocol designed to provide security for remote login (Telnet-style) sessions and other network services. By default an SSH login requires password authentication; this can be changed by adding key-based authentication (a public/private key pair), after which switching between systems no longer requires entering a password for SSH authentication.

Information is encrypted and decrypted with two different keys, called the private key and the public key. The public key is stored on the server that is to be logged in to, and the private key is held by a specific client.

When the client asks the server to establish a secure connection, it first sends its own public key. If the server allows that public key, it sends the client random data encrypted with the public key; this data can only be decrypted with the private key. The client sends the decrypted information back to the server, the server verifies that the client is trustworthy, and a secure channel is established.

In this way the client never has to send its identity credential, the private key, to be verified, and the private key cannot be derived from the public key. This avoids the risk of password leakage through network eavesdropping. The client must take care to keep its private key safe from theft; if it is stolen, the server's list of trusted public keys has to be replaced.

2. The effect to be achieved:

The network topology is as follows: 4 servers in total, with host names flower1~4. The goal is password-free login from flower1 to the other 3 servers.

3. Basic steps:
    1. Set the host names.
    2. Generate the key pair on server flower1 with the ssh-keygen command.
    3. Copy the public key from flower1 to each of the servers flower2~4.
    4. Set the permissions of the related files.
    5. Verify password-free login.
Second, the actual operation process:

1. Modify the host name on the 4 servers:

Taking host 1 as an example, its hostname is changed to flower1. What ways are there to modify it? The following 4 ways all work, but their effects differ.

1: hostname flower1
   -- effective immediately (visible in new sessions), but the change is lost after the system restarts
2: echo flower1 > /proc/sys/kernel/hostname
   -- effective immediately (visible in new sessions), but the change is lost after the system restarts
3: sysctl kernel.hostname=flower1
   -- effective immediately (visible in new sessions), but the change is lost after the system restarts
4: Modify the HOSTNAME variable in /etc/sysconfig/network
   -- requires a reboot to take effect, but the change is permanent

What is the difference between the above 4 ways?

hostname is a kernel parameter on Linux, stored under /proc/sys/kernel/hostname, but its value is read from /etc/rc.d/rc.sysinit when Linux starts.

The hostname value in /etc/rc.d/rc.sysinit in turn comes from the HOSTNAME variable in /etc/sysconfig/network.

Therefore, when the server restarts, the value in /etc/sysconfig/network is what prevails. The remaining 3 methods are temporary modifications.

It also follows from the above that the value of hostname has nothing to do with the configuration in /etc/hosts.

So what should you do if you want the server's hostname to take effect immediately and also remain in effect after a restart?

Simply modify the HOSTNAME in /etc/sysconfig/network and additionally execute hostname flower1 on the command line.

    [root@flower1 ~]# vim /etc/sysconfig/network
    [root@flower1 ~]# hostname flower1
    [root@flower1 ~]# reboot

Restart to see the effect. Modify the remaining 3 servers in the same way, naming them flower2, flower3 and flower4 respectively.
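As an added example (not from the original article), the following shell functions apply the reasoning above: the running hostname lives in /proc/sys/kernel/hostname, while the value restored at boot comes from the HOSTNAME variable in /etc/sysconfig/network, so a change is only durable if both agree. The path of the network file is passed as a parameter so the functions can be exercised against a constructed copy; on a real host you would pass /etc/sysconfig/network as root and then run hostname <name> for the immediate effect, exactly as the article recommends.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumption: <network_file> is a file in /etc/sysconfig/network format
# (KEY=value lines); a constructed copy is used when testing.

# persist_hostname <network_file> <name>
# Rewrites or adds the HOSTNAME= line so that exactly one such line remains.
# Prints "updated" when the file changed, "unchanged" when it already held <name>.
persist_hostname() {
    file=$1
    name=$2
    current=$(sed -n 's/^HOSTNAME=//p' "$file" | tail -n 1)
    if [ "$current" = "$name" ]; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp)
    # Drop every existing HOSTNAME= line (grep -v exits 1 when nothing is left, hence || true),
    # then append the new one.
    grep -v '^HOSTNAME=' "$file" > "$tmp" || true
    printf 'HOSTNAME=%s\n' "$name" >> "$tmp"
    cat "$tmp" > "$file"   # write in place so the file keeps its owner and mode
    rm -f "$tmp"
    echo updated
}

# hostname_state <network_file> <running_name>
# Compares the persisted value with the running kernel value, which on a live
# system is $(cat /proc/sys/kernel/hostname). Prints:
#   consistent  - running value matches the persisted one (survives a reboot)
#   temporary   - running value differs (set with hostname/echo/sysctl only; lost at reboot)
#   unset       - the file has no HOSTNAME= line at all
hostname_state() {
    persisted=$(sed -n 's/^HOSTNAME=//p' "$1" | tail -n 1)
    if [ -z "$persisted" ]; then
        echo unset
    elif [ "$persisted" = "$2" ]; then
        echo consistent
    else
        echo temporary
    fi
}
```

A typical use on a server is persist_hostname /etc/sysconfig/network flower1, followed by hostname flower1, after which hostname_state /etc/sysconfig/network "$(cat /proc/sys/kernel/hostname)" reports consistent; if only one of the two steps was done it reports temporary, which is the situation the article warns about.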

2. Generate the key pair on server flower1 with the ssh-keygen command:

One thing to note here: although flower1 is also a server, in this setup it plays the role of the SSH client.

Execute the following command in the user's home directory (the root user is used here; adjust to your own needs) and press Enter 3 times in a row to accept the defaults.

    [root@flower1 ~]# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    df:xx:f6:3e:bb:bb:6c:xx:xx:f4:bc:xx:a1:dd:xx:a9 root@flower1
    The key's randomart image is:
    +--[ RSA 2048]----+
    |   (randomart)   |
    +-----------------+

Go to the ~/.ssh directory to view the resulting files: id_rsa is the private key and id_rsa.pub is the public key.

3. Copy the public key from flower1 to the relevant directory on flower2~4:

This is done with the scp command; first make sure the ~/.ssh directory exists on flower2~4.

Here flower2 is taken as the example:

    [root@flower1 .ssh]# scp id_rsa.pub root@10.170.125.14:~/.ssh

Then, on the flower2 machine:

    touch ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys
    cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

Note: ~/.ssh/authorized_keys must have permissions 600. This file holds the public keys generated by SSH clients; its location can be changed in the server's SSH service configuration file under /etc/ssh/. The cat command appends the content of id_rsa.pub to authorized_keys; be careful not to use >, otherwise the existing content is emptied and other clients can no longer log in with their original keys.

4. Verification:

    [root@flower1 .ssh]# ssh 10.170.125.14

The other servers can be modified in a similar way.
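As an added example (not from the original article), the following script performs steps 3 and 4 above on the server side in a repeatable way: it installs a public key line into a given ~/.ssh/authorized_keys, appending with >> rather than > as the article warns, refusing anything that is not a single OpenSSH public key line, skipping keys that are already present (compared on key type and key blob, so a different comment does not create a duplicate), and setting the 700/600 permissions that sshd's StrictModes requires before it will honour the file. The target ~/.ssh directory is a parameter so the functions can be run against a scratch directory; the sample key strings used below are constructed and not real keys.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumptions: <ssh_dir> is the account's ~/.ssh directory (passed explicitly so a
# scratch directory can be used); key lines are in OpenSSH "type blob [comment]" form.

# install_authorized_key <ssh_dir> <public_key_line>
# Prints "added" when the key was appended, "present" when it was already there;
# returns 1 without touching authorized_keys if the argument is not a key line.
install_authorized_key() {
    ssh_dir=$1
    key=$2
    auth="$ssh_dir/authorized_keys"
    nl='
'
    # Accept only the key types this check knows; anything else is rejected.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing to install: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    # A key must be a single line; an embedded newline would smuggle in a second entry.
    case "$key" in
        *"$nl"*) echo "refusing to install: key must be a single line" >&2; return 1 ;;
    esac

    # sshd (StrictModes yes) ignores authorized_keys unless ~/.ssh is 700 and the file is 600.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    # Deduplicate on "type blob" only, so the trailing comment does not matter.
    key_id=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth" | grep -qxF -- "$key_id"; then
        echo present
        return 0
    fi

    # Append with >>, never >, so keys already trusted for other clients survive.
    printf '%s\n' "$key" >> "$auth"
    echo added
}

# install_authorized_key_file <ssh_dir> <pubkey_file>
# The article's "cat id_rsa.pub >> authorized_keys" step, run line by line through
# the checks above (<pubkey_file> is what scp dropped into ~/.ssh).
install_authorized_key_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] && install_authorized_key "$1" "$line"
    done < "$2"
}

# check_ssh_perms <ssh_dir>
# Prints "ok" when the directory is 700 and authorized_keys is 600, "bad" otherwise.
# (GNU stat -c first; the stat -f form is the BSD/macOS fallback.)
check_ssh_perms() {
    ssh_dir=$1
    dir_mode=$(stat -c '%a' "$ssh_dir" 2>/dev/null || stat -f '%Lp' "$ssh_dir")
    file_mode=$(stat -c '%a' "$ssh_dir/authorized_keys" 2>/dev/null || stat -f '%Lp' "$ssh_dir/authorized_keys")
    if [ "$dir_mode" = 700 ] && [ "$file_mode" = 600 ]; then
        echo ok
    else
        echo bad
    fi
}
```

On flower2 the equivalent of the manual steps is install_authorized_key_file ~/.ssh ~/.ssh/id_rsa.pub followed by check_ssh_perms ~/.ssh; because the install is idempotent, re-running it after copying the same key again reports present instead of adding a second copy, and a key whose permissions have drifted (for example to 644) shows up as bad, which is the usual reason a password prompt still appears after the key has been copied.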
