Generally, when you log on to the remote server through ssh, use password authentication and enter the user name and password respectively. The two can log on only when they meet certain rules. However, password authentication has the following Disadvantages:
The user cannot set a blank password (even if the system allows a blank password, it is very dangerous)
Passwords are easy to peek at or guess.
If an account on the server is to be used by multiple users, all users must know the password, which leads to easy password leakage and must be notified to all users when changing the password.
Public Key Authentication can solve the above problems.
Public Key Authentication allows empty passwords, saving the trouble of entering a password for each login
Multiple users can log on to the same user on the system using their respective keys.
Principles of Public Key Authentication
The so-called public key Authentication actually uses a pair of encryption strings. One is called a public key, which can be seen by anyone for encryption. The other is called a private key ), only the owner can see it for decryption. Ciphertext encrypted by the public key can be easily decrypted using the key, but it is very difficult to guess the key based on the public key.
Ssh Public Key Authentication uses this feature. Both the server and client have their own public keys and keys. These symbols are used for convenience.
Ac client Public Key
Bc client key
As server Public Key
Bs server key
Before authentication, the client needs to log on to the server with the public key Ac in some way.
The authentication process is divided into two steps.
Session key Generation
The client requests to connect to the server, and the server sends the As to the client.
The session ID (session id) generated by the server is set to p and sent to the client.
The client generates a session key, sets it to q, and calculates r = p xor q.
The client encrypts r with the As and sends the result to the server.
The server uses Bs for decryption to obtain the r.
The server performs r xor p operations to obtain q.
At this point, both the server and the client know the session key q, and all future transmissions will be encrypted by q.
Authentication
The server generates random number x and uses Ac encryption to generate the result S (x), which is sent to the client.
The client uses Bc to decrypt S (x) to obtain
The client calculates the md5 value of q + x n (q + x), and q is the session key obtained in the previous step.
The server calculates the md5 value of q + x m (q + x)
The client sends n (q + x) to the server.
The server compares m (q + x) and n (q + x). If the two are the same, the authentication succeeds.