Putty Use Key Login OpenSSH configuration method (picture and text detailed) _linux

Source: Internet
Author: User
Tags auth chmod decrypt md5 session id ssh openssh server

When Windows manages Linux servers, it is common to use putty to login to SSH for remote administration. The default login authentication method for password authentication, although this method is simple, but each login to enter a long string of passwords, quite troublesome. Also, if the root is allowed to be logged on, it could be brute force, leading to serious consequences.
Therefore, it is usually recommended to use key login to replace the password method, that is, simple and reliable.

Why is it recommended to use a key to log in

Typically, Linux distributions now use OpenSSH instead of the plaintext transmission of Telnet, rsh, and other Terminal Services.
Take the red Flag DC Server 5.0 for example:

# rpm-qa|grep-e-W ' openssh '

and OpenSSH default is to support both password and key authentication methods. To change a description:

Why to use public key authentication
Typically, when you log on to a remote server via SSH, you use a password authentication and enter your username and password, both of which meet certain rules to log on. However, password authentication has the following disadvantages:

A the user cannot set a blank password (even if the system allows a blank password, it can be very dangerous)
b The password is easily peeping or guessed.
c If an account on the server is to be used by more than one person, the password must be known to all users, causing the password to be compromised, and everyone must be notified when the password is modified

The use of public key authentication can solve the above problems.

A) Public key authentication allows the use of a blank password, eliminating the need to enter a password every time the trouble
b Multiple users can log on to the same user on the system through their respective keys
c) Even if the corresponding user's password has been modified, it will not affect the landing
D If password authentication is disabled at the same time, the private key is guaranteed to be safe and will not be threatened by brute force.

Second, the use of putty to generate keys and landing
according to the principle of public key authentication (see the description below), both sides of the authentication can make the key pair, and as long as the certification party has the public key information of the authenticated party, it can match successfully.
Here, let's take a look at the Putty Landing Linux Server on Windows for example. Therefore, the key pair is made by putty.
Before continuing, please make sure you have downloaded the entire Putty package:
Official website: click
Latest Version: 0.63 or 1.0, I have a screenshot of the version is 0.55.

Click here to download the file

These include: PuTTY, Puttygen, PSCP, Plink, pagent and other tools.
1. Use Puttygen to make key
Start the Puttygen tool, select "SSH2 RSA" for a compatible OpenSSH key:

Click the Generate button and use the mouse to move through the key box to obtain enough random data for the generated key to use:

※the period, you will see the progress bar above has a hint "please generate some radomness by moving the mouse to over the blank area." , meaning that you use your mouse to randomly move around in a blank area. As the mouse moves through the blank area, the progress bar goes on. When you stop moving the mouse, the progress bar stops. So, let's move the mouse until the progress bar is full.
The completed window is as follows:



Key comment: is a comment that does not affect the validity of the key, but can be used as a reference for distinguishing between other keys;
Key passphrase and Confirm passphrase: used to protect the private key, if you do not enter the information, so anyone who has access to the private key, you can access the system without a password, very dangerous; Normally, I suggest you input, but here for the convenience of explanation, temporarily leave blank, Please see the instructions used later.

Then click "Save private key" to keep the private key.
If you do not enter key passphrase information, there is a warning:

Enter the file name of the private key:

※ Public key information can not be kept locally, puttygen can get it from the private key, and will not be used when verifying.

2, modify the OpenSSH configuration

Challengeresponseauthentication No #关闭挑战应答方式
Usepam No #不使用PAM认证

Then restart the sshd service for the reason: here

3. Copy Public key information
the "key" box at the top of the key Information window finally generates the public key information:

You need to copy this information to a specific file in your Linux server:~/.ssh/authorized_keys
where "~" represents the home directory of the corresponding user, taking root as an example.
If the. SSH directory does not exist, create it and write the public key information to the file:

# mkdir ~/.ssh
# chmod ~/.ssh
# VI ~/.ssh/authorized_keys
# chmod 644 ~/.ssh/authorized_keys

※ Please note: File and directory permissions, the user must be the user will be authenticated, and the permissions must be 0644, that is, to prevent others to write information on the file. (Otherwise, some conscientious man writes his public key here, he can come in without a password)
Because, usually umask is 0022 or 0002, please use chown and chmod to modify the corresponding permissions slightly.

4. Use putty to use key to login
With a few simple configurations for putty, you can use a key to log on to a Linux server.
Select Connection-ssh-auth and enter the path to the key in Private key file for authentication:

Then enter the login username in connection's "Auth-login username", such as root:

The Putty 0.60 version is within the Connection-data page.
Then click Open to:

If everything works, save the configuration in session.

Iii. using OpenSSH to generate keys
The key can be generated using either putty or OpenSSH.
1. Generate key under Linux


# ssh-keygen-t RSA
Generating public/private RSA key pair.
Enter file in which to save Key (/ROOT/.SSH/ID_RSA): <-Key Path
Enter passphrase (empty for no passphrase): <-key protection password
Enter same Passphrase again:
Your identification has been saved In/root/.ssh/id_rsa. <-private Key
Your public key has been saved in/root/.ssh/id_rsa.pub. <-Public Key
The key fingerprint is:
17:28:4c:c3:e4:18:d4:c2:31:bd:be:a7:a9:d4:a8:48 root@mail.linuxfly.org

2, the public key information written to the Authorized_keys file

# CD ~/.ssh
# cat Id_rsa.pub >> Authorized_keys

3, generate the Putty private key
Because of the SSH standard, there is no fixed key file format. And Putty uses the private key format and OpenSSH generated a little different, need to convert.
A) upload the Id_rsa to the Windows machine
b Use Puttygen "Load" to read Id_rsa files

It is also possible to compare the public key information in the graph with the id_rsa.pub, which should be consistent.
(c) Click "Save private key" to keep the private key.
D Putty Use the new private key to log on to the server.

Iv. Matters of note
1, check the OPENSSH server configuration

OpenSSH configuration is usually guaranteed:/etc/ssh/sshd_config
Permitrootlogin No # Prohibit root user from landing
Strictmodes Yes # Check that the user and permissions for the key are correct, the default open
Rsaauthentication Yes # Enable RSA authentication
Authorizedkeysfile. Ssh/authorized_keys # Verify the storage path of the public key
Pubkeyauthentication Yes # Enable public key authentication
Passwordauthentication No # prohibits password authentication, which is open by default.

A If the strictmodes is yes and the Authorized_keys permission is 664, the key is validated:

Bad ownership or modes for File/home/linuxing/.ssh/authorized_keys

b if the passwordauthentication set to No, then disable password authentication, with the start of public key authentication, is a more secure way.

2, the public key storage path
Putty as a client does not require the use of a public key, while the Linux server's public key is stored in: ~/.ssh/authorized_keys.
That is to say, if the landing user's home directory is different, the stored path is not the same.
For example, a user:

$ echo ~
The key is:

If you want to use the same private key, but different users log on to the server, please ensure that the public key information has been written to each user's authentication file. and must be careful to verify the file's users and permissions can not be mistaken oh.

3, Key passphrase password
If you are saving the private key, enter the key passphrase password. This information is used to encrypt the private key. This brings a benefit: If your private key is stolen, but if the thief does not know the password, he will not be able to use the private key to log on to the server. In simple terms, security is enhanced.
A when putty use this private key to log on to the server, there will be a hint:

You must enter the correct password to pass authentication.
※ This looks similar to landing openssh with a password authentication method. But actually it's totally different. The
The key passphrase password is used to manage the private key to prevent the private key from being embezzled, and the password used by the OpenSSH password authentication means the user's password on the Linux server side, that is, Pam information. In other words, even if you modify the PAM password, you can log on to the server as long as the key passphrase information is correct. (Because the private key that is extracted using it is unchanged)

b If every login to enter key passphrase, obviously not to the purpose of simplifying our landing steps. We can use pageant in cases where both safety and simplicity are ensured.
Pageant's role is very simple, that is, after we enter a private key password, the decrypted private key is saved in the pageant.
Once again using the Putty Landing, pageant will automatically decrypt the private key for authentication, so that we do not have to enter the password multiple times. and
When we exit the pageant, the private key is automatically deleted and the login needs to be checked again. Realize the purpose of "Once authentication, multiple use".
Opens pageant, which is automatically placed in the taskbar in the lower-right corner of Windows:
Right-click and select View keys:
In the pop-up box, select Add key and enter Putty's private key (. PPK) and prompt for key passphrase:


You can also select the "Add Key" menu directly.
At this time, the use of Putty again login server will not need key passphrase.

In fact, even if there is no key passphrase can be imported into the pageant, this time you can not in the Putty configuration file to specify the path of the private key. can also achieve a certain degree of security purposes.

C To modify key passphrase, you can use Puttygen to reload the private key, which will consult the key passphrase information:

After you enter the correct password, you can modify it and save the new private key.the presence or modification of a key passphrase does not change the public key information.

4, Save the Putty configuration information
The configuration information for Putty is stored in the Windows registry and is exported using the following command:

regedit/e PuTTY.config.reg "Hkey_current_user\software\simontatham\putty"

5. Use DSA key
under the default configuration, OpenSSH supports both RSA and DSA two encoded keys. Just select "DSA" when generating the key. For example:

# Ssh-keygen-t DSA

There is no difference between use and RSA, and the public key information is copied to the validation file for use.

The principle of public-key authentication
the so-called public key authentication, in effect, is to use a pair of encrypted strings, one called the public key, and anyone can see its contents for encryption, and another called The secret key (private key), which only the owner can see for decryption. Ciphertext encrypted with public key can be easily decrypted using a secret key, but it is difficult to guess the key based on the public key.
SSH's public-key authentication is the use of this feature. Both the server and the client have their own public keys and keys. To illustrate the convenience, these symbols are used below.

AC Client Public key
Bc Client Key
As Server public key
Bs Server Key

Prior to authentication, the client needs to log on to the server in a secure way with the public key Ac.

The certification process is divided into two steps:

1. Session key generation
The client requests to connect to the server and the server sends as to the client.
The server generates the session ID, which is set to P, and is sent to the client.
The client generates the session key, which is set to Q and calculates r = P XOR Q.
The client encrypts r with as as the result is sent to the server.
The server decrypts with Bs to obtain R.
The server carries out the operation of R XOR P and obtains the Q.
The session key Q is known to the server and the client, and subsequent transmissions will be encrypted by Q.
2, Certification
The server generates random number x and generates the result S (x) with AC encryption and sends it to the client
The client uses Bc to decrypt S (x) to get X
Client computes Q + x MD5 value n (q+x), Q for the session key obtained in the previous step
Server calculates q + x MD5 value m (q+x)
The client sends N (Q+X) to the server
The server compares M (q+x) and N (q+x), the same authentication succeeds

Vi. reference materials
a very detailed description of the use of putty: HTTP://DOCS.GOOGLE.COM/VIEW?DOCID=AJBGZ6FP3PJH_2DWWWWT
The source address is slow to open, I saved a copy:

Putty Chinese Tutorial PDF edition

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.