SSH key pair-based Automatic Logon

Source: Internet
Author: User
Tags: ssh, server

Because I often deal with Linux servers at work, I use SSH key pair-based automatic login to avoid typing a password every time I switch between servers. The following describes the principle behind RSA/DSA key authentication.

Let's start with a hypothetical scenario. Suppose we want to use RSA authentication to let a local computer (called localbox) open a remote shell on remotebox, a machine at our ISP. When we try to connect to remotebox with an SSH client program, we get the following prompt:

    $ ssh -p2188 zhoubo@remotebox
    zhoubo@remotebox's password:

What we see here is the default SSH authentication method: it asks us for the password of the zhoubo account on remotebox.

If we enter our password for remotebox, SSH uses its secure password authentication protocol to send the password to remotebox for verification. Unlike telnet, the password is encrypted in transit, so it cannot be read by anyone eavesdropping on our data connection. remotebox checks the supplied password against its password database; if it matches, we are allowed to log on and a remotebox shell prompt welcomes us.

Although the default SSH authentication method is quite secure, RSA and DSA authentication open up some new possibilities for us. Unlike SSH password authentication, RSA authentication requires some initial configuration. We only need to perform these configuration steps once; after that, RSA authentication between localbox and remotebox is effortless.

To set up RSA authentication, we must first generate a pair of keys: a private key and a public key. These two keys have some very interesting properties. The public key is used to encrypt a message, and only the holder of the private key can decrypt it. Public keys can only be used for encryption, while private keys can only be used to decrypt messages encoded with the matching public key. The RSA (and DSA) authentication protocols use these special properties of key pairs for authentication, and no confidential information ever needs to be transmitted over the network.

To use RSA or DSA authentication, we need to perform a one-time configuration step: we copy the public key to remotebox. There is a reason it is called a "public" key: because it can only be used to encrypt messages to us, we do not need to worry much about it falling into other people's hands. Once our public key has been copied to remotebox and placed where remotebox's sshd service can find it, in a dedicated file (~/.ssh/authorized_keys), we are ready to log on to remotebox using RSA authentication.

To log on using RSA, we simply type ssh drobbins@remotebox in the localbox console, as we usually would. This time, ssh tells remotebox's sshd that it wants to use the RSA authentication protocol. What happens next is very interesting.

The sshd on remotebox generates a random number and encrypts it with the public key we copied earlier. Then sshd sends the encrypted random number back to the ssh client running on localbox. Next, it is our turn: ssh uses our private key to decrypt the random number and sends it back to remotebox. In effect, this says: "Look, I really do have the matching private key; I can decrypt your message!" Finally, sshd concludes that, since we hold the matching private key, it should let us log on. The fact that we possess the matching private key is what authorizes us to access remotebox.

1. Configure localbox (SSH client)

Log on to localbox with your user account and run the command ssh-keygen -t rsa:

    $ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/myid/.ssh/id_rsa):
    Created directory '/home/myid/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/zhoubo/.ssh/id_rsa.
    Your public key has been saved in /home/zhoubo/.ssh/id_rsa.pub.
    The key fingerprint is:
    f1:e8:ae:a7:b3:f6:64:3f:30:34:1f:c5:07:ce:0f:bc myid@localbox

The passphrase is left empty so that logon is automatic. Note: because the passphrase is empty, the generated private key must be strictly protected from unauthorized access! Copy the generated id_rsa.pub file to the /home/zhoubo/.ssh/ directory on remotebox.

2. Configure remotebox (SSH server)

Log on with your zhoubo account and run the following commands:

    $ cd .ssh
    $ umask 077
    $ cat id_rsa.pub >> authorized_keys

3. Test automatic SSH logon

Log on to localbox with your user account and run the command ssh zhoubo@remotebox. You should be able to log on to remotebox without entering zhoubo's password.

4. Summary

The working principle and configuration steps are:

  1. locala wants to log on to remoteb automatically.
  2. Generate a public/private key pair on the locala machine.
  3. Place the public key on the remoteb server that you want to log on to automatically: save it as authorized_keys in the .ssh directory and set its permission to 600. Confirm that the sshd service on remoteb is running normally.
  4. Log on to remoteb from locala: ssh -p2188 username@remoteb
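As an added example (not code from the original article), here is a POSIX shell script that performs the remoteb side of steps 2 and 3: it appends a public key to .ssh/authorized_keys under umask 077 without duplicating an entry that is already there, leaves the directory at mode 700 and the file at mode 600, and then audits that the .ssh directory, authorized_keys, config and every id_* private key are accessible by the owner alone. The audit is deliberately stricter than sshd's own StrictModes check (on by default), which ignores authorized_keys only when the directory or file is group- or world-writable; a failed StrictModes check is the usual reason an automatic login silently falls back to a password prompt. The directory paths and the sample key line in the demo are constructed placeholders, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original article.
# install_authorized_key: the remotebox side of the setup (cd .ssh; umask 077;
# cat id_rsa.pub >> authorized_keys), made idempotent and with explicit modes.
# check_ssh_dir: a self-audit of the permissions ssh/sshd expect.

# install_authorized_key PUBKEY_FILE SSH_DIR
# Appends every key line of PUBKEY_FILE to SSH_DIR/authorized_keys unless that
# exact line is already present. Directory ends up 700, authorized_keys 600.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth="$ssh_dir/authorized_keys"
    old_umask=$(umask)
    umask 077                       # anything created below is owner-only
    mkdir -p "$ssh_dir" || { umask "$old_umask"; return 1; }
    chmod 700 "$ssh_dir"
    touch "$auth"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        # -x: whole-line match, -F: literal (a key contains '+' and '/')
        if ! grep -qxF -- "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
        fi
    done < "$pubkey_file"
    chmod 600 "$auth"
    umask "$old_umask"
}

# check_private PATH: true only if group and others have no permission bits.
# Parsed from ls -l so it works on both GNU and BSD userlands.
check_private() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_ssh_dir SSH_DIR: true if the directory, authorized_keys, config and
# every id_* private key are owner-only. This is stricter than sshd's own
# StrictModes check, which only rejects group- or world-writable files.
check_ssh_dir() {
    d=$1
    check_private "$d" || return 1
    for f in "$d"/authorized_keys "$d"/config "$d"/id_*; do
        [ -e "$f" ] || continue              # unmatched glob or absent file
        case $f in *.pub) continue ;; esac   # public halves may be world-readable
        check_private "$f" || return 1
    done
}

# Demo when run directly, in a throwaway directory. The key line is a
# constructed placeholder, not a real public key.
demo_dir=$(mktemp -d) && {
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEONLY myid@localbox' \
        > "$demo_dir/id_rsa.pub"
    install_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/remote_ssh"
    install_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/remote_ssh"  # no duplicate
    echo "authorized_keys entries: $(wc -l < "$demo_dir/remote_ssh/authorized_keys")"
    if check_ssh_dir "$demo_dir/remote_ssh"; then echo "permissions ok"; fi
    rm -rf "$demo_dir"
}
```

On a real server you would call install_authorized_key with the copied id_rsa.pub and the account's ~/.ssh, and run check_ssh_dir on ~/.ssh on both machines whenever a key login unexpectedly asks for a password; a private key that the check rejects should be re-issued rather than merely re-chmodded if anyone else could have read it in the meantime.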

You can also create a config file in the .ssh directory on the local machine. The SSH client loads this file automatically, or you can point it at a configuration file stored elsewhere (ssh -F). The configuration content is as follows:

    # the IP ranges that allow automatic login
    Host 192.168.0.* 11.151.59.*
        # default user name
        User test
        # default port
        Port 2188
        # the private key file
        IdentityFile ~/.ssh/test.id

    # the IP range that allows automatic login
    Host 192.168.1.*
        # default user name
        User zhoubo
        # default port
        Port 2188
        # private key file used for automatic login verification
        IdentityFile ~/.ssh/zhoubo.id

Note: make sure the private key file and the ~/.ssh/config file have permission 600.
