Rotten mud: Learning to log on over ssh without a password.

Source: Internet
Author: User
Tags ssh server


This article was written with the friendly sponsorship of Xiuyi Lin Feng and was first published on Dark World.

I have not written any articles in the last month, mainly because of a new job. The new company's servers run Ubuntu Server, which is quite different from CentOS.

A few days ago, work required it, so I learned about the ssh key.

In our daily work, we usually use the ssh password to log on to the server. Another way is to log on to the server using an ssh key.

Both of these are ssh security authentication methods; we divide them into password-based security verification and key-based security verification.

Note: The ssh certificate mentioned in some articles is actually an ssh key.

1. Introduction to the two types of ssh security verification

Through the above introduction, we know that there are two security authentication methods for ssh. Next we will introduce the working principle one by one.

1.1 Password-based security verification

In this way, you only need to know the account and password of the remote server to log on to it. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the server you meant to connect to; another server may impersonate the real one. That is, connections made this way may be subject to a man-in-the-middle attack.

1.2 Key-based security verification

In this way, you rely on a key: you must create a key pair (a public key and a private key) for yourself and place the public key on the server you want to access.

Note: you cannot create the key on the server you want to access; otherwise you cannot connect to that server through the key, although connecting to other servers through the key works normally.

When you connect to the ssh server, the ssh client sends a request to the ssh server asking to be verified with your key. After receiving the request, the ssh server first looks in the user's home directory on the server for the corresponding public key and compares it with the public key you sent. If the two public keys match, the ssh server uses the public key to encrypt a challenge and sends it to the ssh client. After receiving the challenge, the ssh client uses your private key to decrypt it and sends the result back to the ssh server.

For this authentication method, you must know the passphrase that encrypts your key. Of course, your key can also be left unencrypted, and this unencrypted-key method is also used in normal work.

From the comparison above we can easily see that, compared with password-based security verification, key-based security verification does not transmit a password over the network. We can also see that the man-in-the-middle attack is impossible here, because the attacker does not have your private key.

2. Test ssh login without a password

Chapter 1 introduced the two ssh security authentication methods. To log on to the server over ssh without a password, we need to use the ssh key verification method.

PS: the OS in this test is Ubuntu 14.04.02 64bit, as follows:

uname -a

cat /etc/issue

2.1 Create an ssh key

We saw in Chapter 1 that ssh key verification requires a key, so we must create an ssh key pair.

You can create an ssh key in two ways: the first is the ssh-keygen command on linux, the second is an ssh client tool on windows.

The following describes how to create a key.

2.1.1 Use the ssh-keygen command to create a key

It is easy to create an ssh key with the ssh-keygen command. As follows:

ssh-keygen

We can see that the newly created key is stored in the /home/ilanni/.ssh directory; the private key file is id_rsa and the public key file is id_rsa.pub.

In addition, note the following two prompts from the ssh-keygen command:

Enter passphrase (empty for no passphrase ):

Enter same passphrase again:

These two lines indicate setting the encryption password for the private key. Here we have not set the encryption password for the private key.

Now let's check the file attributes of the key, as shown below:

ll .ssh/

We can see that:

The permission of the .ssh directory is 700, the private key id_rsa is 600, and the public key id_rsa.pub is 644.

Note: The permission on the private key id_rsa and Public Key id_rsa.pub files is very important. If the permission is not set correctly, the system will prompt you to enter a password when logging in with the ssh key.
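A quick check of the modes listed above, added here as an example in POSIX shell (not code from the original article): it reports every file in a given .ssh directory whose mode differs from 700/600/644 and returns non-zero, which is the first thing to verify when key login unexpectedly prompts for a password.

```shell
# has_mode PATH MODE: true if PATH has exactly the octal mode MODE
# (find -prune -perm behaves the same on GNU and BSD, unlike stat's flags)
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# check_ssh_perms SSH_DIR: report every mode that differs from what the article
# lists: 700 for .ssh, 600 for private keys, 644 for public keys, and 600 or 644
# for authorized_keys. Returns 1 if anything is wrong, 0 when all is as expected.
check_ssh_perms() {
  bad=0
  if ! has_mode "$1" 700; then
    echo "BAD: $1 should be mode 700"; bad=1
  fi
  # every id_* file that is not a .pub is a private key (covers id_rsa_1024 too)
  for key in "$1"/id_*; do
    case $key in *.pub) continue ;; esac
    [ -f "$key" ] || continue
    if ! has_mode "$key" 600; then
      echo "BAD: private key $key should be mode 600"; bad=1
    fi
    if [ -f "$key.pub" ] && ! has_mode "$key.pub" 644; then
      echo "BAD: public key $key.pub should be mode 644"; bad=1
    fi
  done
  ak=$1/authorized_keys
  if [ -f "$ak" ] && ! has_mode "$ak" 600 && ! has_mode "$ak" 644; then
    echo "BAD: $ak should be mode 600 or 644"; bad=1
  fi
  [ "$bad" -eq 0 ] && echo "OK: $1 modes are as expected"
  return "$bad"
}

# Usage: check_ssh_perms "$HOME/.ssh"
```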

By default, ssh-keygen uses rsa as the key type. You can check this in the public key file id_rsa.pub. As follows:

cat .ssh/id_rsa.pub

If you want to use another key type, use the -t parameter of ssh-keygen to specify it. As follows:

ssh-keygen -t dsa

cat .ssh/id_dsa.pub

For more information about how to use the ssh-keygen command, see its help output. As follows:

ssh-keygen --help

Note: The Key is generated on host 192.168.1.8, as shown below:

hostname

ifconfig

2.1.2 Create a key using xshell

There are many ssh client tools on windows, but the one I use most is xshell.

Next we will use xshell to create an ssh key.

Open xshell and click "Tools" > "Create User Key Generation Wizard", as shown below:

In the following interface, we can select the key type and key length as follows:

Generate a key pair as follows:

Enter the key name and the key's passphrase as follows:

Note: this passphrase is the passphrase of the ssh private key. We can leave it empty.

To distinguish this key from the id_rsa key generated by ssh-keygen in the tests below, it is named id_rsa_1024.

Generate the public key as follows:

After the public key is generated, we need to save the public key to a file. As follows:

After the public key is saved, xshell jumps to the private key interface. As follows:

The private key is named id_rsa_1024 and the key length is 1024 bytes.

Now let's export the private key as follows:

In this way, we get an ssh key, as shown below:

2.2 Upload an ssh public key

In section 2.1, we have created the ssh public key and private key. Now we start to upload the public key to the server to be accessed, that is, the ssh server.

When uploading a public key to an ssh server, we have to do the following:

1) Determine the user to log on to the ssh server

2) Modify the ssh configuration file sshd_config of the ssh server

3) Create the authorized_keys file

4) Upload the public key and redirect its content into the authorized_keys file

Note: This section describes how to operate on host 192.168.1.7 as follows:

hostname

ifconfig

2.2.1 Determine the user to log on to the ssh server

Because we want to log on to the ssh server without a password, we must determine which user to use to log on to the ssh server.

Note: This user must exist on the ssh server and can log on to the ssh server.

Here we use the ilanni user to log on to the ssh server. As follows:

whoami

cat /etc/passwd | grep ilanni

2.2.2 Modify the ssh configuration

The file in which the ssh server looks for a user's login public key is set in sshd_config, but the option is not enabled by default. We need to edit sshd_config to enable it, as shown below:

sudo vi /etc/ssh/sshd_config

We only need to remove the # in front of the line #AuthorizedKeysFile %h/.ssh/authorized_keys. As follows:

AuthorizedKeysFile sets where the RSA/DSA public keys that a user may log on with are stored. In this directive, %h stands for the user's home directory, so the public keys are stored in the .ssh/authorized_keys file under the home directory.

Note: This step is not required, because you do not need to modify the ssh configuration file When configuring through the ssh-copy-id command.

2.2.3 Create the authorized_keys file

In the previous section we learned that the user's public keys are stored in the authorized_keys file. Now let's create this file.

Create a .ssh directory and set its permissions as follows:

mkdir .ssh

chmod 700 .ssh

After the .ssh directory is created, create the authorized_keys file inside it. As follows:

touch .ssh/authorized_keys

2.2.4 Redirect the public key content to the authorized_keys file

In section 2.1, we introduced two ways to generate an ssh key: one through the ssh-keygen command, the other through xshell.

Now we upload both public keys to host 192.168.1.7 and append them to the authorized_keys file. As follows:

Copy the public key from 192.168.1.8 to host 192.168.1.7 as follows:

scp .ssh/id_rsa.pub ilanni@192.168.1.7:/home/ilanni

Upload the public key generated by xshell to 192.168.1.7 as follows:

Now append both public keys to the authorized_keys file (note the >>; a single > would overwrite the first key with the second), as shown below:

cat id_rsa.pub >> .ssh/authorized_keys

cat id_rsa_1024.pub >> .ssh/authorized_keys

cat .ssh/authorized_keys
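The manual steps of 2.2.3 and 2.2.4 as one shell function, added here as an example (not part of the original article): it creates .ssh with the modes from 2.1.1, appends with >> so a second key does not overwrite the first, and skips a key whose type and blob are already present. The scratch directory and the sample key files in the demo are constructed for illustration, not real keys.

```shell
# add_authorized_key PUBKEY_FILE SSH_DIR
# Appends the first key line of PUBKEY_FILE to SSH_DIR/authorized_keys.
# Uses >> (a single > would overwrite keys added earlier), skips a key that is
# already present, and sets the modes from section 2.1.1 (700 dir, 600 file).
add_authorized_key() {
  pub=$1
  sshdir=$2
  ak=$sshdir/authorized_keys
  # first line that looks like a key: "<type> <base64 blob> [comment]"
  keyline=$(awk 'NF >= 2 { print; exit }' "$pub")
  if [ -z "$keyline" ]; then
    echo "no key found in $pub" >&2
    return 2
  fi
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  [ -f "$ak" ] || : > "$ak"
  chmod 600 "$ak"
  # compare type and blob only: the trailing comment may differ between copies
  ktype=$(printf '%s\n' "$keyline" | awk '{ print $1 }')
  kblob=$(printf '%s\n' "$keyline" | awk '{ print $2 }')
  if awk -v t="$ktype" -v b="$kblob" '$1 == t && $2 == b { f = 1 } END { exit !f }' "$ak"; then
    echo "already authorized: $pub"
    return 0
  fi
  printf '%s\n' "$keyline" >> "$ak"
  echo "added: $pub"
}

# count_authorized_keys SSH_DIR: number of key lines in authorized_keys (0 if absent)
count_authorized_keys() {
  [ -f "$1/authorized_keys" ] || { echo 0; return 0; }
  awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/authorized_keys"
}

# Demo against a scratch directory with constructed sample keys (not real keys)
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EXAMPLEONE ilanni@192.168.1.8\n' > "$demo_dir/id_rsa.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EXAMPLETWO\n' > "$demo_dir/id_rsa_1024.pub"
add_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"
add_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"       # skipped as duplicate
add_authorized_key "$demo_dir/id_rsa_1024.pub" "$demo_dir/.ssh"
echo "keys authorized: $(count_authorized_keys "$demo_dir/.ssh")"
rm -rf "$demo_dir"
```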

2.3 Connect to the ssh server

After the public key is uploaded, connect to the ssh server, that is, host 192.168.1.7.

The connection to 192.168.1.7 can also be divided into linux and windows. The following describes the connection methods.

2.3.1 Connect to the ssh server on linux

We first connect to 192.168.1.7 from the linux host 192.168.1.8, as shown below:

ssh ilanni@192.168.1.7

ifconfig eth0 | grep "inet addr" | awk '{print $2}' | cut -d: -f2

We can see that when 192.168.1.8 connects to 192.168.1.7, the system does not prompt us for a password.

This allows you to log on to the ssh server without a password.

2.3.2 Connect to the ssh server on windows

Now we switch to windows to connect to 192.168.1.7. The ssh client tool is still xshell, on the windows machine that generated the key. As follows:

ssh ilanni@192.168.1.7

Note: for user authentication, we need to select Public Key, that is, the key authentication method, and the user key is the id_rsa_1024 private key created when the key was generated earlier.

We can see that the windows client is connected to 192.168.1.7, and the system does not require us to enter the password, which enables ssh login without a password.

2.4 Use ssh-copy-id to upload the ssh public key

If you have read section 2.2 on uploading an ssh public key, you probably found it quite troublesome. In fact, ssh also provides another command, ssh-copy-id, which completes all of the above steps at once.

Note: The ssh-copy-id command only exists in linux. Currently, this command is not found in the ssh client tool of windows.

Use the ssh-copy-id command as follows:

ifconfig eth0 | grep "inet addr" | awk '{print $2}' | cut -d: -f2

ssh-copy-id -i .ssh/id_rsa.pub ilanni@192.168.1.9

cat .ssh/id_rsa.pub

Log on to 192.168.1.9 to view the public key. As follows:

ifconfig eth0 | grep "inet addr" | awk '{print $2}' | cut -d: -f2

ll --full-time .ssh/

cat .ssh/authorized_keys

From the above two images, we can see that ssh-copy-id directly creates the .ssh directory under the home directory of the corresponding user on the ssh server, creates the authorized_keys file in it, and copies the contents of the public key file id_rsa.pub into authorized_keys.

Check whether the ssh configuration file is modified. As follows:

cat /etc/ssh/sshd_config | grep authorized_keys

We can see that ssh-copy-id does not modify the ssh configuration.

Now let's test the connection to 192.168.1.9, as shown below:

ifconfig eth0 | grep "inet addr" | awk '{print $2}' | cut -d: -f2

ssh ilanni@192.168.1.9

We can see that password-less ssh login works as long as an authorized_keys file exists, even without modifying the ssh configuration file.

For details about how to use ssh-copy-id, you can view its help commands. As follows:

ssh-copy-id -h

The above is all about ssh password-less login.
