Use digital signature RSA or DSA to implement ssh between two linux machines without the user name and password, rsassh

Source: Internet
Author: User

Use digital signature RSA or DSA to implement ssh between two linux machines without the user name and password, rsassh

To enable two linux machines to use ssh, the user name and password are not required. Therefore, the digital signature RSA or DSA is used to complete this operation.

Model Analysis

Assume that A (192.168.000059) is the customer's machine, and B (192.168.000060) is the target machine;

Goals:

Machine A does not need to enter A password to log on to machine B through ssh;

Select rsa for encryption. | dsa is supported. The default value is dsa.

Ssh-keygen-t rsa # use rsa Encryption

Ii. Procedure

One-way login operation process (to meet the above objectives ):

1. log on to machine

2. ssh-keygen-t [rsa | dsa] will generate the key file and private key file id_rsa, id_rsa.pub or id_dsa, id_dsa.pub

3. Copy the. pub file to the. ssh directory of machine B and cat id_dsa.pub >> ~ /. Ssh/authorized_keys

4. As A result, you can log on to the target account of machine B from machine A without A password. (run # ssh 192.168.20.60 directly)

Two-way login operation process:

1. ssh-keygen performs password verification to enable ssh on the opposite machine. scp does not need to use the password. The specific method is as follows:

2. perform the following operations on both nodes: # ssh-keygen-t rsa

Then press enter to use the default value.

3. A key pair is generated and stored in the user directory ~ /. Ssh.

Test the public key in the user directory of the target machine and copy it ~ /. Ssh/authorized_keys (Operation Command: # cat id_dsa.pub >> ~ /. Ssh/authorized_keys ).

4. Set file and directory permissions:

Set authorized_keys Permissions

$ Chmod 600 authorized_keys

Set. ssh Directory Permissions

$ Chmod 700-R. ssh

5. Ensure that. ssh and authorized_keys have write permission only for the user. Otherwise, the verification is invalid. (This is the problem we have encountered today. I have been looking for a long time.) In fact, I think about it carefully to avoid system vulnerabilities.

When I access 20.60 from 20.59, the following error is prompted:

Theauthenticityofhost '2017. 168.000059 (192.168.000059) 'CAN' tbeestablished. RSAkeyfingerprintis6a: 37: c0: e1: 09: a4: 29: 8d: 68: d0: ca: 21: 20: 94: be: 18. areyousureyouwanttocontinueconnecting (yes/no) yesWarning: Permanentlyadded '2017. 168.20.59 '(RSA) tothelistofknownhosts.root@192.168.20.59 'spassword: Permissiondenied, pleasetryagain.root@192.168.20.59 'spassword: Permissiondenied, pleasetryagain.root@192.168.20.59 'spassword: Permissiondenied (publickey, gssapi-with-mic, password ).

Iii. Summary

1. Do not set the file and directory permissions to chmod 777. This permission is too large, insecure, and not supported by digital signatures. I started to save time.

2. The generated rsa/dsa Signature public key is used by the other machine. The public key must be copied to authorized_keys.

3. Access the ip address of the ssh machine directly between linux

4. A machine generates its own RSA or DSA digital signature, sends the public key to the target machine, and then sets the relevant permissions (Public Key and authorized_keys permissions) after receiving the request ), the target machine can be accessed without a password by the machine that generates a digital signature.

Ssh-keygen: Set ssh password-less Login

Ssh-keygen-generate, manage, and convert authentication keys, including RSA and DSA keys

You can use the-t option to specify the key type. If not specified, the RSA key for SSH-2 is generated by default

Configuration:

1. In the local machine ~ Run the following command in the/. ssh/directory:

Ssh-keygen-t dsa

Two files are generated: id_dsa and id_dsa.pub.

2. Copy id_dsa.pub to a remote machine and add the id_dsa.pub content ~ /. Ssh/authorized_keys

Cat id_dsa.pub> authorized_keys

Note: The permission for directory. ssh and file authorized_keys must be 600

After completing the preceding operations, you do not need to use a password from the local machine to the remote machine.

The role of several files, from http://lamp.linux.gov.cn/OpenSSH/ssh-keygen.html

~ /. Ssh/identity

The user's default RSA1 authentication private key (SSH-1 ). The permission for this file should be limited to at least "600 ".

When generating a key, you can specify a secret to encrypt the private key (3DES ).

Ssh will read this file during login.

~ /. Ssh/identity. pub

The user's default RSA1 authentication Public Key (SSH-1 ). This file does not need to be kept confidential.

The content of this file should be added to the ~ Of All RSA1 target hosts ~ /. Ssh/authorized_keys file.

~ /. Ssh/id_dsa

The user's default DSA Identity Authentication private key (SSH-2 ). The permission for this file should be limited to at least "600 ".

When generating a key, you can specify a secret to encrypt the private key (3DES ).

Ssh will read this file during login.

~ /. Ssh/id_dsa.pub

The user's default DSA authentication Public Key (SSH-2 ). This file does not need to be kept confidential.

The content of this file should be added to all the DSA target hosts ~ /. Ssh/authorized_keys file.

~ /. Ssh/id_rsa

The default RSA Authentication private key (SSH-2) for this user ). The permission for this file should be limited to at least "600 ".

When generating a key, you can specify a secret to encrypt the private key (3DES ).

Ssh will read this file during login.

~ /. Ssh/id_rsa.pub

The user's default RSA Authentication Public Key (SSH-2 ). This file does not need to be kept confidential.

The content of this file should be added to all RSA target hosts ~ /. Ssh/authorized_keys file.

/Etc/ssh/moduli

Contains Diffie-Hellmangroups for DH-GEX

BG2BLT01 is on, BG2BLT02 is power off. They're too noisy L

When and how to move them to data center

Please update SSH key in. 33 server for git repo access.

Ssh-keygen-t dsa

Scp ~ /. Ssh/id_dsa.pub [YOUR_USER_NAME] @ 10.38.116.33: authorized_keys

Ssh [YOUR_USER_NAME] @ 10.38.116.33

Skip below 3 steps if you already have. ssh and. ssh/authorized_keys

Mkdir-m 700. ssh

Touch. ssh/authorized_keys

Chmod 600. ssh/authorized_keys

Cat authorized_keys>. ssh/authorized_keys; exit

Vi ~ /. Ssh/config

Add lines and save quit

Host 10.38.116.33

User [YOUR_USER_NAME]

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.