SSH password-free logon details
To better understand how SSH password-free login works, let's first look at SSH security verification. SSH uses an asymmetric key system, the familiar public key / private key encryption scheme, and its security verification comes in two levels.
1. Password-based security verification
In this method we log in over the network with a user name and password; it is the one generally used. The process is roughly as follows:
(1) The client initiates a connection request.
(2) The remote host receives the user's login request and sends its public key to the client.
(3) The client receives the public key of the remote host, uses it to encrypt the login password, and then sends the encrypted password along with its own public key to the remote host.
(4) The remote host receives the client's public key and the encrypted login password, and decrypts the password with its own private key. If the password is correct, login succeeds. By now both parties hold each other's public keys and begin two-way encryption and decryption.
PS: if a fake server B impersonates the remote host on the network, the client's connection request is intercepted by B, which sends its own public key to the client; the client encrypts the password with it and sends it to the fake server, which recovers the password with its own private key and can then do whatever it wants. That is why, when you connect to a remote host for the first time, at step (3) above you are prompted with the public key fingerprint of the current remote host, so that you can check whether it is the genuine remote host. If you choose to continue, you can enter the password and log in. Once the remote host accepts the password, the server's public key is saved in the ~/.ssh/known_hosts file.
2. Key-based security verification
In this method you create a key pair for yourself in the current user's home directory and place the public key on the server you want to log on to. When you connect to the server, the client asks the server to use the key for security verification. After receiving the request, the server looks for your public key in the home directory of the user you requested to log on as and compares it with the public key you sent. If the two keys match, the server uses the public key to encrypt a challenge and sends it to the client. The client decrypts the challenge with its own private key and sends it back to the server. Compared with the first level, the second level never transmits a password over the network.
PS: simply put, the client's public key is placed on the server, so the client can log on to the server without a password. Where on the server should the client's public key be placed? By default, in the authorized_keys file under the .ssh directory of the user you want to log on as (that is, ~/.ssh/authorized_keys).
3. Use cases
Rsync automatic backups without a password, and hosts in a cluster environment that need to communicate with each other, for example Hadoop. Currently only these two areas are involved; you can use it elsewhere as well.
4. Related configuration items
The sshd service configuration file is /etc/ssh/sshd_config.
Configuration item 1: PubkeyAuthentication, whether login with key authentication is allowed.
Configuration item 2: AuthorizedKeysFile, the file that stores the public keys allowed to log on to the host. By default it is .ssh/authorized_keys in the user's home directory.
5. Permission issues
.ssh folder: 700 (chmod 700 .ssh)
authorized_keys file: 644 (chmod 644 .ssh/authorized_keys)
6. Configuration implementation
Server: 192.168.0.10 User: server
Client: 192.168.0.11 User: client
# Client configuration
# Log in as the client user and go to its home directory
$ cd /home/client
# Create the authentication key pair (public key and private key)
$ ssh-keygen -t rsa   (enter a passphrase, or press Enter to leave it empty)
# This creates the .ssh folder in the home directory, containing two files: id_rsa (private key) and id_rsa.pub (public key)
# Upload the public key file to the server user's home directory on the server
$ scp ~/.ssh/id_rsa.pub server@192.168.0.10:~
# Server configuration
# Log in as the server user and go to its home directory
$ cd /home/server
# Create the .ssh folder
$ mkdir .ssh
# Set the folder permissions
$ chmod 700 .ssh
# Append the contents of the id_rsa.pub file sent by the client to authorized_keys
$ cat id_rsa.pub >> .ssh/authorized_keys
$ chmod 644 .ssh/authorized_keys
After that, you no longer need to enter a password when logging on to the server user from the client user. On the first connection, however, you will still be prompted to check the public key fingerprint of the remote host, which is then stored in the ~/.ssh/known_hosts file.
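As an added example (not from the original article), here are the server-side steps above as shell functions that can be run repeatedly without duplicating keys and that enforce the permissions from the permission issues section. It assumes the target home directory is passed as the first argument and the contents of id_rsa.pub as the second.

```shell
#!/bin/sh
# Added example (not from the original article). Installs a client public key
# into a user's authorized_keys idempotently and with the permissions the
# article requires: .ssh is 700, authorized_keys is 644. sshd (with the
# default StrictModes) ignores keys whose directory or file is writable by
# others, so getting these wrong is the usual cause of "still asks for a
# password" after copying the key.

# Return 0 only if $1/.ssh is mode 700 and $1/.ssh/authorized_keys is mode 644.
check_ssh_perms() {
    home="$1"
    [ -d "$home/.ssh" ] || return 1
    [ -n "$(find "$home/.ssh" -maxdepth 0 -perm 700)" ] || return 1
    [ -f "$home/.ssh/authorized_keys" ] || return 1
    [ -n "$(find "$home/.ssh/authorized_keys" -maxdepth 0 -perm 644)" ] || return 1
    return 0
}

# Append the public key line ($2) to $1/.ssh/authorized_keys, but only if that
# exact line is not already present, then apply the permissions above.
# Equivalent to the article's mkdir/chmod/cat >>/chmod sequence.
install_authorized_key() {
    home="$1"
    pubkey="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    if ! grep -qxF -- "$pubkey" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
    chmod 644 "$home/.ssh/authorized_keys"
    check_ssh_perms "$home"
}

# Number of installed keys (one per non-empty line), useful for verifying
# that repeated runs did not add duplicates.
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}
```

On the real server you would call install_authorized_key /home/server "$(cat id_rsa.pub)" after the scp step; the key line used in the test below is constructed and not a real key.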