Passwordless SSH login relies on a public/private key pair. On Linux the pair can be generated with ssh-keygen; below I use CentOS as an example.
There are two machines, A (192.168.1.155) and B (192.168.1.181). We want A to log in to B over SSH without a password.
1. Generate a public/private key pair on machine A.
[chenlb@A ~]$ ssh-keygen -t rsa -P ''
Running ssh-keygen with no arguments and pressing Enter three times also works.
-P specifies the passphrase, and -P '' means an empty passphrase. You can also leave out the -P parameter, in which case you press Enter three times; with -P you press Enter once.
This creates the .ssh directory under /home/chenlb, containing id_rsa and id_rsa.pub.
2. Copy id_rsa.pub from machine A to machine B, where it goes into B's .ssh/authorized_keys file. I use scp to copy it. (If machine B does not have the .ssh directory and the authorized_keys file, create them first.)
[chenlb@A ~]$ scp .ssh/id_rsa.pub chenlb@192.168.1.181:/home/chenlb/id_rsa.pub
chenlb@192.168.1.181's password:
id_rsa.pub 100% 223 0.2KB/s 00:00
Since passwordless login is not set up yet, you have to enter the password.
3. On machine B, append the id_rsa.pub copied from machine A to the .ssh/authorized_keys file.
[chenlb@B ~]$ cat id_rsa.pub >> .ssh/authorized_keys
[chenlb@B ~]$ chmod 600 .ssh/authorized_keys
This sets the permissions of authorized_keys to 600.
4. Log in from machine A to machine B.
[chenlb@A ~]$ ssh 192.168.1.181
The authenticity of host '192.168.1.181 (192.168.1.181)' can't be established.
RSA key fingerprint is 00:a6:a8:87:eb:c7:40:10:39:cc:a0:eb:50:d9:6a:5b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.181' (RSA) to the list of known hosts.
Last login: Thu Jul 3 09:53:18 2008 from chenlb
[chenlb@B ~]$
The first time you log in, you have to type yes.
Machine A can now log in to machine B without a password.
Summary: the machine you log in from holds the private key, and the machine being logged in to holds that machine's public key. The key pair is typically generated on the host that keeps the private key. The example above uses an RSA key pair; you can also use DSA (the corresponding files are id_dsa and id_dsa.pub).
To let A and B log in to each other without a password, configure machine B in the same way as above.
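Added example, not part of the original article: a Python check for the file built in steps 2 and 3. It reports a .ssh directory or authorized_keys file that is writable by group or others (sshd's default StrictModes setting refuses to use such files) and any line that is not a well-formed public key, for instance one truncated while copying. The function names are illustrative, and file ownership is not checked.

```python
import base64, os, stat, struct

def key_type_in_blob(b64):
    """Return the key type named inside a base64 key blob, or None if malformed."""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])   # blob starts with a length-prefixed type
        name = blob[4:4 + n]
        return name.decode("ascii") if n > 0 and len(name) == n else None
    except (ValueError, struct.error, UnicodeDecodeError):
        return None

def audit(ssh_dir):
    """List problems that would make sshd ignore ssh_dir/authorized_keys."""
    problems = []
    ak = os.path.join(ssh_dir, "authorized_keys")
    for path in (ssh_dir, ak):
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o022:  # writable by group or others
            problems.append(f"{path}: mode {mode:o} is writable by group/others")
    if os.path.isfile(ak):
        with open(ak) as fh:
            for lineno, line in enumerate(fh, 1):
                fields = line.split()
                if not fields or fields[0].startswith("#"):
                    continue
                # A line is: [options] keytype base64 [comment]. Accept it when
                # some field is a blob whose embedded type equals the field before it.
                ok = any(key_type_in_blob(fields[i + 1]) == fields[i]
                         for i in range(len(fields) - 1))
                if not ok:
                    problems.append(f"{ak}:{lineno}: not a well-formed public key")
    return problems

if __name__ == "__main__":
    for problem in audit(os.path.expanduser("~/.ssh")):
        print(problem)
```

An empty result means the mode bits and key lines look sane; it does not prove that the key belongs to the machine you expect.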
----------------------------------------------------------------------------------------------------
SSH is a security protocol built on the application layer and the transport layer. It is currently one of the more reliable protocols for securing remote login sessions and other network services. Using the SSH protocol effectively prevents information leakage during remote administration.
From the client's point of view, SSH provides two levels of security verification:
1. Password-based authentication
As long as you know the account name and password, you can log in to the remote host. All transmitted data is encrypted, but the downside is that there is no guarantee that the server you are connecting to is the one you intended to connect to. Here is the login verification process I drew:
When you first connect to the remote host, you are shown the host's public key fingerprint and asked whether to continue. If you choose to continue, you enter the password to log in; once the remote host accepts it, the server's public key is saved to the ~/.ssh/known_hosts file.
2. Key-based authentication
The prerequisite for this method is that the client generates a key pair and places the public key on the remote server it needs to access. This method is better than the previous one, because the real server cannot be impersonated: a phishing server would have to obtain the public key generated by the client. The downside is that verification takes a little longer.
How to generate the key:
1. Open a terminal on the client and run ssh-keygen. By default the command creates two files in the ~/.ssh/ directory, id_rsa and id_rsa.pub, which are your private and public keys respectively.
2. Copy the public key file id_rsa.pub into the ~/.ssh/authorized_keys file on the server. There are three ways:
- With scp:
- Example: scp -P 22 ~/.ssh/id_rsa.pub user@host:~/authorized_keys  # the optional -P parameter specifies the port number, 22; then append the file to ~/.ssh/authorized_keys on the server as in step 3 above
- With the ssh-copy-id program:
- Example: ssh-copy-id user@host  # this method is simple and needs no target file name, but it cannot specify the port number and defaults to port 22
- With cat:
- Example: cat ~/.ssh/id_rsa.pub | ssh -p 22 user@host 'cat >> ~/.ssh/authorized_keys'
----------------------------------------------------------------------------------------------------
How passwordless login works
As shown in the diagram, server A logs in to server B without a password:
1. Generate the public key on server A.
2. Copy the public key to server B and rename it to authorized_keys (the meaning is clear from the English name).
3. Server A sends a connection request to server B.
4. Server B receives server A's information and looks it up in authorized_keys. If there is a matching user name and IP, it generates a random string, encrypts it with server A's public key, and sends it to server A.
5. Server A receives the message from server B, decrypts it with the private key, and sends the decrypted string back to server B. Server B compares it with the string it generated and, if they match, allows the passwordless login.
In short: for A to log in to B without a password, B must first have A's public key, and B then performs an encrypted verification. With asymmetric encryption, ciphertext produced with the public key cannot be decrypted with the public key, only with the private key.
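The exchange in steps 3 to 5, as an added example that is not part of the original article. It uses textbook RSA with a constructed toy key, and the names ServerB, respond and login are illustrative. It follows the description above; current SSH-2 servers instead have the client sign session data with the private key rather than decrypt a challenge.

```python
import hmac
import secrets

# Constructed toy RSA key built from two known Mersenne primes. It is far too
# small for real use; real keys come from ssh-keygen.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves server A

class ServerB:
    """The host being logged in to; it only ever holds public keys."""

    def __init__(self, authorized_keys):
        self.authorized_keys = authorized_keys  # user name -> (n, e)
        self.pending = {}                       # user name -> outstanding value

    def challenge(self, user):
        """Step 4: encrypt a fresh random value with the user's public key."""
        if user not in self.authorized_keys:
            return None                         # no matching entry: refuse
        n, e = self.authorized_keys[user]
        secret = secrets.randbelow(n - 2) + 2
        self.pending[user] = secret
        return pow(secret, e, n)

    def verify(self, user, answer):
        """Step 5: compare the answer with the generated value, exactly once."""
        expected = self.pending.pop(user, None)  # single use, so no replay
        if expected is None:
            return False
        return hmac.compare_digest(str(expected), str(answer))

def respond(ciphertext, n, d):
    """Server A's part of step 5: decrypt the challenge with the private key."""
    return pow(ciphertext, d, n)

def login(server, user, n, d):
    """Run steps 3 to 5 once and report whether server B accepts the login."""
    ciphertext = server.challenge(user)
    if ciphertext is None:
        return False
    return server.verify(user, respond(ciphertext, n, d))

if __name__ == "__main__":
    b = ServerB({"chenlb": (N, E)})
    print(login(b, "chenlb", N, D))      # holder of the matching private key
    print(login(b, "chenlb", N, D + 2))  # a different private exponent
```

Server B never needs the private key: possession is proven only by returning the value that B encrypted.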
SSH password-free login and its principle