The security of SSH key pair authentication on Linux, verified by hands-on experiment
Key pair authentication requires matching key information on both sides: first create a pair of key files (a public key and a private key) on the client, then place the public key file on the server that is to be managed remotely. When logging in remotely, the client uses its private key to encrypt (that is, sign) its identity information and submits it to the remote host, and the remote host uses the public key it previously received from that client to decrypt (verify) it and complete the authentication.
This experiment is carried out in three parts:
1. Build the key pair authentication
2. Verify security after the private key is lost
3. Verify security after the public key is lost
Part 1: build SSH key pair authentication
(1) Create a key pair on PC1 (private key file: id_rsa, public key file: id_rsa.pub)
(2) Upload the public key file to the server that is to be connected to remotely
(3) Log in using key pair authentication
1. Create the key pair: ssh-keygen -t rsa. No passphrase is set during creation (the passphrase is the password used to encrypt the private key; if a script needs to log in to another server over SSH, a passphrase-protected key would wait for the administrator to type the passphrase, which pauses the script).
2. Copy the public key to the other Linux host (PC2): ssh-copy-id [email protected]
First check in the .ssh directory that the key pair was created successfully, then copy the public key to the other host:
[[email protected] ~]# ls .ssh
id_rsa  id_rsa.pub
3. Log in remotely: ssh [email protected]
From the above you can see that logging in to 192.168.80.100 no longer prompts for a password: the connection succeeds directly. PC1 uses the private key it just generated to encrypt (sign) the data, and the other side, which holds the matching public key, decrypts (verifies) it after receipt, so authentication succeeds. Consider a question: if PC2 now connects remotely to PC1, does it need to enter a password, or does the connection succeed directly?
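As an added example (not from the original post), here is a Python model of what ssh-copy-id does on the receiving host in step 2: it appends the public key to ~/.ssh/authorized_keys, creates the directory with mode 0700 and the file with 0600, and skips a key that is already installed. The sample key line and the temporary home directory are constructed for the demo; sshd's StrictModes check is why the permission report is included.

```python
import os
import stat
import tempfile

# Constructed sample public key line (not a real key): "type base64-blob comment".
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAwEAAQ== root@pc1"


def install_public_key(home: str, pubkey_line: str) -> bool:
    """Model of what ssh-copy-id does on the server: append the public key to
    ~/.ssh/authorized_keys, creating the directory and file with the modes sshd
    expects (0700 and 0600). Returns False if the key is already present."""
    ssh_dir = os.path.join(home, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs is subject to umask, so set the mode explicitly
    key = pubkey_line.strip()
    existing = []
    if os.path.exists(auth_file):
        with open(auth_file) as fh:
            existing = [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    if key in existing:
        return False  # idempotent: running it twice does not add a duplicate entry
    with open(auth_file, "a") as fh:
        fh.write(key + "\n")
    os.chmod(auth_file, 0o600)
    return True


def check_permissions(home: str) -> dict:
    """sshd with StrictModes (the default) ignores authorized_keys when the file or
    ~/.ssh is writable by other users; report the mode bits to diagnose a lockout."""
    ssh_dir = os.path.join(home, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    return {"ssh_dir": stat.S_IMODE(os.stat(ssh_dir).st_mode),
            "authorized_keys": stat.S_IMODE(os.stat(auth_file).st_mode)}


def demo() -> dict:
    """Install the same key twice into a throwaway home directory."""
    with tempfile.TemporaryDirectory() as home:
        first = install_public_key(home, SAMPLE_PUBKEY)
        second = install_public_key(home, SAMPLE_PUBKEY)
        with open(os.path.join(home, ".ssh", "authorized_keys")) as fh:
            lines = fh.read().splitlines()
        return {"first": first, "second": second, "lines": lines,
                "modes": check_permissions(home)}


if __name__ == "__main__":
    print(demo())
```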
Part 2: verify security after the private key is lost
If the private key is lost, whoever obtains it can connect to PC2 remotely (the private key was generated without a passphrase, so the file is stored unencrypted).
1. Copy the private key to the root account of another Linux host (PC3), then copy it from PC3's root account to the home directory of a normal user (yus), and verify that both root and yus can connect to PC2 remotely.
(1) cd to the .ssh directory and copy id_rsa (the private key) to PC3
(2) On PC3, check that the copy succeeded and copy the id_rsa file into the .ssh directory (if there is no .ssh directory, create one with mkdir)
(3) Connect to PC2: ssh [email protected]
You can see that the connection to PC2 succeeded without any password verification.
Verify that a normal user can connect remotely:
1. Grant the yus user executable permission on the id_rsa file
2. Copy the id_rsa file into the yus user's .ssh directory:
[[email protected] .ssh]# cp -p id_rsa /home/yus/
[[email protected] .ssh]# su - yus
[[email protected] ~]$ mkdir /home/yus/.ssh
3. Log in to PC2: ssh [email protected]
From the above it can be concluded that once the private key is lost, anyone who obtains it can log in to the PC2 server.
Part 3: verify security after the public key is lost
1. Copy the public key from PC2 to PC3
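An added check (not from the original post) for the failure mode in this part: the private key was generated without a passphrase, so the file is stored in the clear. This Python function reads the header of a private key file and reports whether it is passphrase-protected, for both the current OpenSSH format and legacy PEM; the four sample key files are constructed, not real keys.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # leading bytes of the OpenSSH private key format

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _armor(raw: bytes, label: str) -> str:
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed samples (not real keys): only the header fields the check reads are meaningful.
OPENSSH_PLAIN = _armor(MAGIC + _ssh_string(b"none") + _ssh_string(b"none")
                       + _ssh_string(b"") + struct.pack(">I", 1), "OPENSSH PRIVATE KEY")
OPENSSH_ENC = _armor(MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt")
                     + _ssh_string(b"\x00" * 20) + struct.pack(">I", 1), "OPENSSH PRIVATE KEY")
PEM_PLAIN = _armor(b"\x30\x00", "RSA PRIVATE KEY")
PEM_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
           + base64.b64encode(b"\x00" * 16).decode() + "\n-----END RSA PRIVATE KEY-----\n")

def _read_string(raw: bytes, off: int):
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n], off + 4 + n

def private_key_protection(text: str) -> dict:
    """Report whether a private key file is passphrase-protected. The OpenSSH
    format names its cipher and KDF in the header ("none" means unencrypted);
    legacy PEM keys signal encryption with Proc-Type/DEK-Info headers."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(lines[1:-1]))
        if not raw.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = _read_string(raw, len(MAGIC))
        kdf, _ = _read_string(raw, off)
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode()}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        dek = next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("DEK-Info:")), "")
        return {"format": "pem", "encrypted": encrypted, "cipher": dek.split(",")[0] if dek else "none",
                "kdf": "openssl-legacy" if encrypted else "none"}
    raise ValueError("not a recognised private key file")
```

Run it over ~/.ssh/id_rsa on the client: a result with "encrypted": False is exactly the key that the copy-to-PC3 experiment exploits.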
2. Copy the public key file into the .ssh directory on PC3, and remember to delete the private key file copied there earlier
3. From PC1, verify whether remote login to PC3 works
As a result, after the public key is lost or stolen, the host that generated the key pair can log in remotely to any device on which that public key is installed. In other words, whichever device holds the public key, the host holding the private key can connect to it, and the public key can be taken either from the server it was installed on or from any other device that has a copy. Both public and private keys need to be stored properly.
Summary: SSH remote management with key pair authentication relies on the public and private keys encrypting and decrypting for each other. This experiment shows that neither the public key nor the private key should be lost, otherwise security problems follow. At the same time, key pair authentication is still far more secure than password authentication. Used in the right way in the right scenario, it works well; absolute security does not exist.
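An added example (not from the original post) of the audit this conclusion calls for on the server side: list which public keys are installed in authorized_keys, with the options restricting each one and its SHA256 fingerprint, so every entry can be matched to the host that holds the corresponding private key. The authorized_keys content is constructed with dummy blobs, not real keys, and the parser assumes option strings contain no whitespace inside quotes.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _fake_blob(key_type: str) -> str:
    """Constructed key blob: the wire format starts with the key type string;
    the remaining fields here are dummy bytes, not real key material."""
    raw = _ssh_string(key_type.encode()) + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x7f" * 16)
    return base64.b64encode(raw).decode()

# Constructed authorized_keys content (not real keys) for the audit to work on.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys installed with ssh-copy-id",
    f"ssh-rsa {_fake_blob('ssh-rsa')} root@pc1",
    f'from="192.168.80.0/24",no-pty ssh-ed25519 {_fake_blob("ssh-ed25519")} backup@pc3',
    f"ssh-rsa {_fake_blob('ssh-ed25519')} edited-by-hand",  # type field disagrees with the blob
    "",
])

def fingerprint(blob: bytes) -> str:
    """OpenSSH's SHA256 fingerprint: base64 of the digest with '=' padding removed."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit_authorized_keys(text: str) -> list:
    """List every key that grants access, with its options, comment and fingerprint,
    flagging entries whose blob does not match the declared key type."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        options = None
        if parts[0] not in KEY_TYPES:  # a leading non-type field is the options list
            options, parts = parts[0], parts[1:]
        if len(parts) < 2:
            entries.append({"line": lineno, "error": "malformed entry"})
            continue
        blob = base64.b64decode(parts[1])
        (n,) = struct.unpack(">I", blob[:4])
        entries.append({"line": lineno, "type": parts[0], "options": options,
                        "comment": " ".join(parts[2:]), "fingerprint": fingerprint(blob),
                        "type_matches_blob": blob[4:4 + n].decode() == parts[0]})
    return entries
```

The fingerprints match what ssh-keygen -lf prints for the same file, so an entry can be traced back to the id_rsa.pub on the host that generated it.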
This article is from the "Sunshine School" blog; please be sure to keep this source: http://yuan2.blog.51cto.com/446689/1948260