Use digital signature RSA or DSA to implement ssh between two linux machines without the user name and password, rsassh
To enable two linux machines to use ssh, the user name and password are not required. Therefore, the digital signature RSA or DSA is used to complete this operation.
Model Analysis
Assume that A (192.168.000059) is the customer's machine, and B (192.168.000060) is the target machine;
Goals:
Machine A does not need to enter A password to log on to machine B through ssh;
Select rsa for encryption. | dsa is supported. The default value is dsa.
Ssh-keygen-t rsa # use rsa Encryption
Ii. Procedure
One-way login operation process (to meet the above objectives ):
1. log on to machine
2. ssh-keygen-t [rsa | dsa] will generate the key file and private key file id_rsa, id_rsa.pub or id_dsa, id_dsa.pub
3. Copy the. pub file to the. ssh directory of machine B and cat id_dsa.pub >> ~ /. Ssh/authorized_keys
4. As A result, you can log on to the target account of machine B from machine A without A password. (run # ssh 192.168.20.60 directly)
Two-way login operation process:
1. ssh-keygen performs password verification to enable ssh on the opposite machine. scp does not need to use the password. The specific method is as follows:
2. perform the following operations on both nodes: # ssh-keygen-t rsa
Then press enter to use the default value.
3. A key pair is generated and stored in the user directory ~ /. Ssh.
Test the public key in the user directory of the target machine and copy it ~ /. Ssh/authorized_keys (Operation Command: # cat id_dsa.pub >> ~ /. Ssh/authorized_keys ).
4. Set file and directory permissions:
Set authorized_keys Permissions
$ Chmod 600 authorized_keys
Set. ssh Directory Permissions
$ Chmod 700-R. ssh
5. Ensure that. ssh and authorized_keys have write permission only for the user. Otherwise, the verification is invalid. (This is the problem we have encountered today. I have been looking for a long time.) In fact, I think about it carefully to avoid system vulnerabilities.
When I access 20.60 from 20.59, the following error is prompted:
Theauthenticityofhost '2017. 168.000059 (192.168.000059) 'CAN' tbeestablished. RSAkeyfingerprintis6a: 37: c0: e1: 09: a4: 29: 8d: 68: d0: ca: 21: 20: 94: be: 18. areyousureyouwanttocontinueconnecting (yes/no) yesWarning: Permanentlyadded '2017. 168.20.59 '(RSA) tothelistofknownhosts.root@192.168.20.59 'spassword: Permissiondenied, pleasetryagain.root@192.168.20.59 'spassword: Permissiondenied, pleasetryagain.root@192.168.20.59 'spassword: Permissiondenied (publickey, gssapi-with-mic, password ).
Iii. Summary
1. Do not set the file and directory permissions to chmod 777. This permission is too large, insecure, and not supported by digital signatures. I started to save time.
2. The generated rsa/dsa Signature public key is used by the other machine. The public key must be copied to authorized_keys.
3. Access the ip address of the ssh machine directly between linux
4. A machine generates its own RSA or DSA digital signature, sends the public key to the target machine, and then sets the relevant permissions (Public Key and authorized_keys permissions) after receiving the request ), the target machine can be accessed without a password by the machine that generates a digital signature.
Ssh-keygen: Set ssh password-less Login
Ssh-keygen-generate, manage, and convert authentication keys, including RSA and DSA keys
You can use the-t option to specify the key type. If not specified, the RSA key for SSH-2 is generated by default
Configuration:
1. In the local machine ~ Run the following command in the/. ssh/directory:
Ssh-keygen-t dsa
Two files are generated: id_dsa and id_dsa.pub.
2. Copy id_dsa.pub to a remote machine and add the id_dsa.pub content ~ /. Ssh/authorized_keys
Cat id_dsa.pub> authorized_keys
Note: The permission for directory. ssh and file authorized_keys must be 600
After completing the preceding operations, you do not need to use a password from the local machine to the remote machine.
The role of several files, from http://lamp.linux.gov.cn/OpenSSH/ssh-keygen.html
~ /. Ssh/identity
The user's default RSA1 authentication private key (SSH-1 ). The permission for this file should be limited to at least "600 ".
When generating a key, you can specify a secret to encrypt the private key (3DES ).
Ssh will read this file during login.
~ /. Ssh/identity. pub
The user's default RSA1 authentication Public Key (SSH-1 ). This file does not need to be kept confidential.
The content of this file should be added to the ~ Of All RSA1 target hosts ~ /. Ssh/authorized_keys file.
~ /. Ssh/id_dsa
The user's default DSA Identity Authentication private key (SSH-2 ). The permission for this file should be limited to at least "600 ".
When generating a key, you can specify a secret to encrypt the private key (3DES ).
Ssh will read this file during login.
~ /. Ssh/id_dsa.pub
The user's default DSA authentication Public Key (SSH-2 ). This file does not need to be kept confidential.
The content of this file should be added to all the DSA target hosts ~ /. Ssh/authorized_keys file.
~ /. Ssh/id_rsa
The default RSA Authentication private key (SSH-2) for this user ). The permission for this file should be limited to at least "600 ".
When generating a key, you can specify a secret to encrypt the private key (3DES ).
Ssh will read this file during login.
~ /. Ssh/id_rsa.pub
The user's default RSA Authentication Public Key (SSH-2 ). This file does not need to be kept confidential.
The content of this file should be added to all RSA target hosts ~ /. Ssh/authorized_keys file.
/Etc/ssh/moduli
Contains Diffie-Hellmangroups for DH-GEX
BG2BLT01 is on, BG2BLT02 is power off. They're too noisy L
When and how to move them to data center
Please update SSH key in. 33 server for git repo access.
Ssh-keygen-t dsa
Scp ~ /. Ssh/id_dsa.pub [YOUR_USER_NAME] @ 10.38.116.33: authorized_keys
Ssh [YOUR_USER_NAME] @ 10.38.116.33
Skip below 3 steps if you already have. ssh and. ssh/authorized_keys
Mkdir-m 700. ssh
Touch. ssh/authorized_keys
Chmod 600. ssh/authorized_keys
Cat authorized_keys>. ssh/authorized_keys; exit
Vi ~ /. Ssh/config
Add lines and save quit
Host 10.38.116.33
User [YOUR_USER_NAME]