OpenSSH's RSA/DSA key authentication system

Source: Internet
Author: User

OpenSSH's RSA/DSA key authentication system can replace the password authentication that OpenSSH uses by default.

OpenSSH's RSA and DSA authentication is based on a pair of specially generated keys: a private key and a public key. The advantage of key-based authentication is that in many cases a secure connection can be established without typing a password by hand. The protocol itself is sound; the risk comes from the shortcuts people take for convenience (for example, leaving the private key without a passphrase) without understanding what those shortcuts give up.

In the textbook description of RSA, a message encrypted with the public key can only be decrypted by the holder of the private key. What SSH authentication actually relies on is the mirror-image property: only the holder of the private key can produce a signature that the public key verifies. DSA, in fact, is a signature-only algorithm and cannot encrypt anything. Either way, the key pair lets the client prove that it holds the private key without ever sending it, or any other secret, over the network. Version 1 of the SSH protocol supported only RSA keys; version 2, the current protocol, accepts both RSA and DSA keys (and, in modern OpenSSH, ECDSA and Ed25519 as well). Note that OpenSSH DSA keys are fixed at 1024 bits and have been disabled by default since OpenSSH 7.0, so new keys should be RSA or Ed25519 rather than the DSA keys shown below.
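The property described above, demonstrated with OpenSSH's own detached-signature feature (ssh-keygen -Y, available from OpenSSH 8.0) as an added example that is not part of the original page: a stand-in "server" hands out a challenge, the client signs it with its private key, and the server verifies the signature against a list of trusted public keys. The principal name client@example, the namespace names, the temporary files and the challenge text are all constructed for this demo; allowed_signers plays the role that authorized_keys plays for sshd.

```shell
#!/bin/sh
# Added example, not part of the original page: demonstrate the property that
# public-key login rests on, using OpenSSH's own detached-signature feature
# (ssh-keygen -Y, OpenSSH 8.0 or later). The "server" hands out a challenge,
# the client signs it with the private key, and the server verifies the
# signature against a list of trusted public keys. Names, files and the
# challenge text below are constructed for the demo.
set -eu

# have_ssh_sig -> 0 when the local ssh-keygen understands the -Y subcommands
have_ssh_sig() {
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    ! ssh-keygen -Y sign 2>&1 | grep -qiE 'unknown option|invalid option'
}

# make_signer DIR -> Ed25519 key pair (no passphrase, for the demo only) plus an
# allowed_signers file that binds the principal client@example to the public key.
# allowed_signers is to ssh-keygen -Y verify what authorized_keys is to sshd.
make_signer() {
    dir=$1
    mkdir -p "$dir"
    ssh-keygen -q -t ed25519 -N '' -C 'client@example' -f "$dir/id_ed25519"
    printf 'client@example %s\n' "$(cut -d' ' -f1,2 "$dir/id_ed25519.pub")" \
        > "$dir/allowed_signers"
}

# sign_challenge DIR NAMESPACE FILE -> writes FILE.sig using the private key.
# The namespace is baked into the signature, much as the session identifier is
# baked into an SSH-2 authentication signature, so a signature made for one
# purpose cannot be presented for another.
sign_challenge() {
    ssh-keygen -Y sign -f "$1/id_ed25519" -n "$2" "$3" 2>/dev/null
}

# verify_challenge DIR NAMESPACE FILE SIGFILE -> 0 only if SIGFILE is a valid
# signature by client@example, in NAMESPACE, over the exact bytes of FILE.
verify_challenge() {
    ssh-keygen -Y verify -f "$1/allowed_signers" -I client@example \
        -n "$2" -s "$4" < "$3" >/dev/null 2>&1
}

# demo -> 0 when the genuine signature verifies and both forgeries are rejected
demo() {
    have_ssh_sig || { echo "ssh-keygen with -Y support not found; skipping" >&2; return 0; }
    work=$(mktemp -d)
    make_signer "$work"
    printf 'challenge-%s\n' "$(date +%s)" > "$work/challenge"   # fresh per run
    sign_challenge "$work" ssh-login "$work/challenge"
    verify_challenge "$work" ssh-login "$work/challenge" "$work/challenge.sig" \
        || { echo "genuine signature did not verify" >&2; return 1; }
    # A different message under the same signature must fail ...
    printf 'challenge-replayed\n' > "$work/other"
    if verify_challenge "$work" ssh-login "$work/other" "$work/challenge.sig"; then
        echo "signature accepted for a message it did not cover" >&2; return 1
    fi
    # ... and so must the right message presented under the wrong namespace.
    if verify_challenge "$work" git-commit "$work/challenge" "$work/challenge.sig"; then
        echo "signature accepted in the wrong namespace" >&2; return 1
    fi
    rm -rf "$work"
    echo "signature verifies; tampered message and wrong namespace are rejected"
}

demo
```

The private key never leaves the client directory; only the public key (in allowed_signers) and the signature cross to the verifying side, which is exactly the split that lets sshd authenticate a user from authorized_keys without ever holding a secret of theirs.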

ssh-keygen asks for a passphrase (this is not the password of any account on the remote server; it is chosen here and never leaves the local machine). ssh-keygen then encrypts the private key with that passphrase, so the key file is useless to anyone who obtains it without also knowing the passphrase.

To create a public-private key pair

[root@rhce7 ~]# hostname
rhce7.example.com
[root@rhce7 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): root1
Enter same passphrase again: root1
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
... root@rhce7.example.com
The key's randomart image is:
+--[ DSA 1024]----+
...
+-----------------+

Copy the public key to the correct location on the remote system

[root@rhce7 ~]# ssh-copy-id root@192.168.56.123
The authenticity of host '192.168.56.123 (192.168.56.123)' can't be established.
RSA key fingerprint is da:fe:d3:...
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.56.123's password: abcd1234

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.56.123'"
and check to make sure that only the key(s) you wanted were added.

Log on to the remote server with a key

This process involves the following steps. (This is the SSH-2 flow, which OpenSSH uses for both RSA and DSA keys; the older SSH-1 protocol instead had the server encrypt a random number with the client's public key and had the client send back the decrypted value.)

1. The local machine asks the remote server to log in with the public-key method, sending the user name and the public key it intends to use.
2. The remote server's sshd looks the key up in that user's ~/.ssh/authorized_keys. If it is not there the method is refused; if it is, sshd replies that the key is acceptable.
3. The local ssh uses the private key to sign a message that includes the session identifier negotiated during key exchange together with the user name and the public key. Because the session identifier is unique to this connection, a captured signature cannot be replayed against another one.
4. The remote sshd verifies the signature with the public key from authorized_keys; if it checks out, the login request is accepted.

[root@rhce7 ~]# ssh root@192.168.56.123
Enter passphrase for key '/root/.ssh/id_dsa': root1
Last login: ... from 192.168.56.1
[root@mytest ~]# hostname
mytest.jy.com
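Note that the prompt answered above asks for the key's passphrase, not the account password, so the remote password never crosses the network. The whole procedure (generate a passphrase-protected key pair, install the public key with the file modes ssh-copy-id sets, and confirm that what landed in authorized_keys really is your key) is scripted below as an added example that is not part of the original page. It assumes only ssh-keygen from OpenSSH; the remote host is simulated by a local directory (constructed) so nothing is sent over the network, and an Ed25519 key stands in for the DSA key in the transcript because current OpenSSH no longer accepts ssh-dss keys.

```shell
#!/bin/sh
# Added example, not part of the original page: the key generation, key
# installation and verification steps from this page, scripted end to end.
# The remote host is simulated by a local directory so the script runs offline;
# an Ed25519 key stands in for the DSA key in the transcript because current
# OpenSSH no longer accepts ssh-dss. Only ssh-keygen is required.
set -eu

# setup_keypair DIR PASSPHRASE -> DIR/id_ed25519 (encrypted with PASSPHRASE)
# and DIR/id_ed25519.pub, with the 0700 directory mode ssh expects.
setup_keypair() {
    dir=$1; pass=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    # -N supplies the passphrase non-interactively; -q suppresses the randomart.
    ssh-keygen -q -t ed25519 -N "$pass" -C "demo@local" -f "$dir/id_ed25519"
}

# key_is_encrypted KEYFILE -> 0 when the private key cannot be read without its
# passphrase. ssh-keygen -y derives the public key from a private key; with an
# empty passphrase (-P '') it must fail on a properly protected key.
key_is_encrypted() {
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# install_pubkey PUBFILE REMOTE_SSH_DIR -> appends the public key to
# authorized_keys exactly once, with the modes sshd's StrictModes requires
# (directory 0700, file 0600). This is what ssh-copy-id does on the remote side.
install_pubkey() {
    pub=$1; rdir=$2
    mkdir -p "$rdir" && chmod 700 "$rdir"
    touch "$rdir/authorized_keys" && chmod 600 "$rdir/authorized_keys"
    if ! grep -qxF "$(cat "$pub")" "$rdir/authorized_keys"; then
        cat "$pub" >> "$rdir/authorized_keys"
    fi
}

# installed_fingerprint_matches PRIVKEY PASSPHRASE REMOTE_SSH_DIR -> 0 when the
# public key recovered from the private key has a fingerprint that appears in
# the remote authorized_keys; this is the "check that only the key you wanted
# was added" that ssh-copy-id asks for.
installed_fingerprint_matches() {
    key=$1; pass=$2; rdir=$3
    tmp=$(mktemp)
    ssh-keygen -y -P "$pass" -f "$key" > "$tmp"
    want=$(ssh-keygen -lf "$tmp" | awk '{print $2}')
    rm -f "$tmp"
    # -l on an authorized_keys file prints one fingerprint line per key.
    ssh-keygen -lf "$rdir/authorized_keys" | awk '{print $2}' | grep -qxF "$want"
}

# demo -> 0 when every check passes (or when ssh-keygen is unavailable)
demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found; skipping" >&2; return 0; }
    work=$(mktemp -d)
    client="$work/client_ssh"   # stands in for /root/.ssh on the local machine
    server="$work/server_ssh"   # stands in for /root/.ssh on the remote server
    setup_keypair "$client" "root1"
    key_is_encrypted "$client/id_ed25519" || { echo "private key is not encrypted" >&2; return 1; }
    install_pubkey "$client/id_ed25519.pub" "$server"
    install_pubkey "$client/id_ed25519.pub" "$server"   # second run must not duplicate
    [ "$(wc -l < "$server/authorized_keys" | tr -d ' ')" -eq 1 ] || { echo "duplicate key installed" >&2; return 1; }
    installed_fingerprint_matches "$client/id_ed25519" "root1" "$server" \
        || { echo "installed key does not match private key" >&2; return 1; }
    rm -rf "$work"
    echo "key generated with passphrase, installed once, fingerprint matches"
}

demo
```

The fingerprint comparison is the part worth keeping in real deployments: ssh-copy-id tells you to check that only the intended key was added, and comparing ssh-keygen -lf output on both sides is how to do that without eyeballing base64.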
