The role of the cluster to build ssh and the meaning of these commands

Source: Internet
Author: User
Tags tar xz

Authorized_keys file

The remote host stores the user's public key in the $home/.ssh/authorized_keys file of the user's home directory after logging in. The public key is a string, just append it to the end of the Authorized_keys file.


Instead of using the Ssh-copy-id command above, use the following command to explain the saving process for the public key:


    1. $ SSH [email protected] ' mkdir-p. SSH && cat >>. Ssh/authorized_keys ' < ~/.ssh/id_rsa.pub
Copy Code

This command consists of multiple statements, broken down in turn, to see:(1) "$ ssh [email protected]" means login to the remote host;
(2) mkdir. SSH && cat >>. Ssh/authorized_keys in single quotes, indicating the command executed on the remote shell after login:
(3) The role of "$ mkdir-p. SSH" is to create one if the. ssh directory in the home directory does not exist;
(4) The role of ' cat >> Ssh/authorized_keys ' < ~/.ssh/id_rsa.pub is to ~/.ssh/id_ the local public key file Rsa.pub, the redirect is appended to the end of the remote file Authorized_keys.

After writing the Authorized_keys file, the settings for the public key login are complete. 、



The above is the purpose of this article to let you know what we are in the process of building a cluster, the role of using SSH and the meaning of these commands.


If you want to learn more about SSH, you can view the following.



One, what is SSH?

Simply put, SSH is a network protocol that is used to encrypt logins between computers.
If a user logs on to another remote computer using the SSH protocol from the local computer, we can assume that the login is secure, and that the password will not be compromised even if intercepted in the middle.
It should be noted that SSH is only a protocol, there are many implementations, both commercial and open source implementation. The implementation of this article is OpenSSH, it is free software, the application is very extensive.
In addition, this article only discusses the use of SSH in a Linux shell. If you are using SSH in a Windows system, you will use another software putty, which is not described here.

Second, the most basic usage

SSH is primarily used for remote logins. Suppose you want to log in to the remote host hostname with the username user, as long as a simple command is available.

    1. $ SSH [email protected]
Copy Code

The default port for SSH is 22, which means that your login request is sent to port 22 on the remote host. Using the P parameter, you can modify this port.

    1. $ ssh-p 2222 [email protected]
Copy Code

The above command indicates that SSH connects directly to port 2222 of the remote host.



Third, man-in-the-middle attack

SSH guarantees security because it uses public-key cryptography.

The whole process is this: (1) The remote host receives the user's login request, and sends its own public key to the user. (2) The user uses this public key to encrypt the login password and send it back. (3) The remote host with its own private key, decrypt the login password, if the password is correct, consent to user login.

The process itself is secure, but when implemented, there is a risk: if someone intercepts a login request and then pretends to be a remote host, the fake public key is sent to the user, making it difficult for the user to discern the authenticity. Because unlike the HTTPS protocol, the public key of the SSH protocol is not notarized by the Certificate Authority (CA), that is, it is issued by itself.

It can be assumed that if an attacker is plugged in between a user and a remote host (for example, in a public WiFi zone), a forged public key is used to obtain the user's login password. Then use this password to log on to the remote host, then SSH security mechanism is gone. This risk is known as the "man-in-the-middle attack" (Man-in-the-middle attack).
How is the SSH protocol coping?


Four, password login

If you are logged in to the other host for the first time, the following prompt will appear:

    1. $ SSH [email protected]
    2. The authenticity of host ' host (12.18.429.21) ' can ' t is established.
    3. RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
    4. Is you sure want to continue connecting (yes/no)?
Copy Code

This passage means that you cannot confirm the authenticity of the host computer, only know its public key fingerprint, ask you still want to continue to connect?

The so-called "public key fingerprint", refers to the long public key length (here using the RSA algorithm, up to 1024-bit), it is difficult to compare, so the MD5 calculation, it becomes a 128-bit fingerprint. The above example is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d, and then compare, it is much easier.

A natural question is, how do users know what the remote host's public key fingerprint should be? The answer is no good way, the remote host must be posted on their own web site public key fingerprint, so that users self-check.

Assuming that the risk is measured, the user decides to accept the public key of the remote host.

    1. Is you sure want to continue connecting (yes/no)? Yes
Copy Code

The system will appear with a hint that the host hosts have been recognized.

    1. warning:permanently added ' host,12.18.429.21 ' (RSA) to the list of known hosts.
Copy Code

You will then be asked to enter a password.

    1. Password: (Enter Password)
Copy Code

If the password is correct, you can log in.

When the public key of the remote host is accepted, it is saved in the file $home/.ssh/known_hosts. The next time you connect to this host, the system will recognize that its public key has been saved locally, thus skipping the warning section and prompting for a password directly.

Each SSH user has its own known_hosts file, and the system also has a file like this, usually/etc/ssh/ssh_known_hosts, that holds the public key for a remote host that can be trusted by all users.

(it says a bunch of things, which means it's not too safe to sign in.)

Five, public key login

Log in with a password, you must enter the password every time, very troublesome. Fortunately, SSH also provides a public key login, which eliminates the steps to enter a password.

The so-called "public key Login" principle is simple, that is, the user stores their own public key on the remote host. When logged in, the remote host sends a random string to the user, which is encrypted with his or her private key and then sent back. The remote host decrypts with a pre-stored public key and, if successful, proves that the user is trustworthy, allowing the login shell to be logged in and no longer requiring a password.

This approach requires the user to provide their own public key. If there is no ready-made, you can generate one directly with Ssh-keygen:

    1. $ ssh-keygen
Copy Code

After you run the above command, a series of prompts will appear and you can return all the way. One of the questions is whether you want to set a password on the private key (passphrase), and if you are concerned about the security of the private key, you can set one here.

At the end of the run, the $home/.ssh/directory will be reborn into two files: Id_rsa.pub and Id_rsa. The former is your public key, and the latter is your private key.


Then enter the following command to transfer the public key to the remote host hosts:

    1. $ ssh-copy-id [email protected]
Copy Code

OK, then you log in again, you do not need to enter the password.

If not, open the remote host's/etc/ssh/sshd_config this file, check the following lines before the "#" comment is removed.

    1. Rsaauthentication Yes
    2. Pubkeyauthentication Yes
    3. Authorizedkeysfile. Ssh/authorized_keys
Copy Code

Then, restart the remote host's SSH service.

    1. Ubuntu system
    2. Service SSH Restart
    3. Debian system
    4. /etc/init.d/ssh restart
Copy Code

Vi.. authorized_keys file

The remote host stores the user's public key in the $home/.ssh/authorized_keys file of the user's home directory after logging in. The public key is a string, just append it to the end of the Authorized_keys file.


Instead of using the Ssh-copy-id command above, use the following command to explain the saving process for the public key:



    1. $ SSH [email protected] ' mkdir-p. SSH && cat >>. Ssh/authorized_keys ' < ~/.ssh/id_rsa.pub
Copy Code

This command consists of multiple statements, broken down to see: (1) "$ ssh [email protected]", which means login to the remote host, (2) mkdir in single quotes. SSH && cat >>. ssh/authorized_ Keys, which indicates the command executed on the remote shell after login: (3) "$ mkdir-p. SSH" is used if the. SSH directory in the home directory does not exist, create one; (4) ' Cat >> Ssh/authorized_keys ' The function of < ~/.ssh/id_rsa.pub is to append the local public key file ~/.ssh/id_rsa.pub to the end of the remote file Authorized_keys.

After writing the Authorized_keys file, the settings for the public key login are complete.


Here are some examples of remote logins:


Let's look at a few examples.

"Example 1"

Copy all files under the $home/src/directory to the $home/src/directory of the remote host.

    1. $ cd && tar czv src | SSH [email protected] ' tar xz '
Copy Code

"Example 2"

Copy all files under the remote host $home/src/directory to the user's current directory.

    1. $ SSH [email protected] ' tar cz src ' | Tar Xzv
Copy Code

"Example 3"

See if the remote host is running process httpd.

    1. $ SSH [email protected] ' PS Ax | grep [h]ttpd '
Copy Code

The role of the cluster to build ssh and the meaning of these commands

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.