1. Basic principles of public key authentication
Public key (asymmetric) authentication uses a pair of associated keys (a public key and a private key) to replace the traditional password. As the name suggests, the public key is meant to be disclosed: it can be stored in your account on the SSH server, while the private key must be kept only by you and is used to prove your identity.
Only the corresponding private key can decrypt data encrypted with the public key. In this way, the owner of a public key can encrypt something with it and send it to the owner of the corresponding private key; if both parties hold each other's public key (each private key is kept only by its owner), the key pairs can be used to exchange information securely and to authenticate each other. In practice, we place our public key on the server through a secure channel and keep the private key ourselves (stored encrypted with a passphrase). The server's public key is usually stored on the local client the first time you log on to that server (strictly speaking, the server's public key should also reach the client through a secure channel, so that nobody can substitute their own public key and spoof the login).
2. Advantages of public key authentication over other SSH authentication methods
Among the many SSH logon authentication methods, traditional single-password authentication is the most widely used, so here we mainly compare password authentication with public key authentication in SSH.
A. Authentication based on the host IP address (rhosts): a host (IP address) is trusted and allowed to log on, which makes this method vulnerable to IP spoofing attacks.
B. Kerberos authentication: large-scale, domain-based authentication. It is highly secure, but heavyweight, complicated, and inconvenient to deploy.
C. PAM authentication: similar to traditional password authentication; it is the authentication and accounting module provided by the vast majority of Unix/Linux systems. Its functions are complex and it is difficult to configure, and misconfiguration easily leads to security problems.
D. Traditional Unix/Linux password authentication: the account password is entered directly on the client and sent over the SSH encrypted connection to the server for verification. This method has the following obvious disadvantages:
1) To keep the password secure it must be long and complex, but such a password is hard to remember;
2) for security, a different password must be set for each account you own, which is inconvenient to manage;
3) default accounts with default passwords, such as the account used during installation, may never have their password changed by anyone and can be found by scanners, causing security vulnerabilities;
4) if the remote host has been compromised, the password sent over the network may be intercepted when it reaches the remote host, even though the SSH secure channel protects it in transit;
5) every account must be logged on to manually (for security, the password cannot be put in a script). As the number of servers grows, this work becomes very cumbersome.
3. Public key configuration
You can use the public/private key authentication method for SSH login. Briefly: create a pair of public/private keys on the client (public key file: ~/.ssh/id_rsa.pub; private key file: ~/.ssh/id_rsa).
Then put the public key on the server (in ~/.ssh/authorized_keys) and keep the private key. When you log on with ssh, the ssh client proves possession of the private key that matches the public key stored on the server; if the match succeeds, you can log on.
The procedure is as follows:
1. Local: generate an RSA public/private key pair, then copy the public key to the remote server you want to authenticate to.
ssh-keygen -t rsa
Enter a passphrase when prompted (it has nothing to do with the remote SSH login password).
2. Copy the public key file to the remote server:
$ scp ~/.ssh/id_rsa.pub user@remote.host:pubkey.txt
$ ssh user@remote.host
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cat pubkey.txt >> ~/.ssh/authorized_keys
$ rm ~/pubkey.txt
$ chmod 600 ~/.ssh/*
$ exit
// The permission settings are very important: if ~/.ssh or authorized_keys is writable by others, sshd refuses to use the key and RSA login fails.
The public key authentication mechanism is safer than the password because no password is transmitted over the network. In addition, the private key can be stored in encrypted form: for extra security you can set a passphrase on it, so that the key file alone is useless to anyone who obtains it.
If the above steps do not give you password-free login, check whether the sshd service has public key authentication enabled (it is normally enabled by default):
/etc/ssh/sshd_config:
PubkeyAuthentication yes
Remember to restart the ssh service after the modification; use ssh -v to display the detailed login process when troubleshooting.
Last step
We recommend that you do not use static passwords. You can disable password authentication by changing the following setting in sshd_config from
UsePAM yes
to
UsePAM no
This disables PAM's traditional password authentication.
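The manual authorized_keys steps in section 3 and the sshd_config checks above, automated as an added example (a shell script written for this page, not from the original post). It takes the home directory as a parameter so it can be exercised against a scratch directory, and it also checks the PasswordAuthentication directive, which the post does not mention but which directly controls password logins.

```shell
#!/bin/sh
# Added example, not from the original post: automate the manual
# authorized_keys steps above, keeping them idempotent, and verify the
# permissions and sshd_config settings that public key login depends on.
# <home-dir> is a parameter so the functions can be run against a scratch
# directory; on a real server it is the account's home directory.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# usage: install_pubkey <pubkey-file> <home-dir>
# Same effect as the mkdir/chmod/cat/chmod steps above, but the key line is
# appended only once, so re-running the script does not duplicate entries.
install_pubkey() {
    pubkey="$1"; home="$2"
    ssh_dir="$home/.ssh"; auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth"
    if ! grep -qxF "$(cat "$pubkey")" "$auth"; then
        cat "$pubkey" >> "$auth"
    fi
    chmod 600 "$auth"
}

# usage: check_ssh_perms <home-dir>
# Succeeds only with the modes the post insists on (700 dir, 600 file);
# sshd rejects the key when these are more permissive.
check_ssh_perms() {
    [ "$(mode_of "$1/.ssh")" = "700" ] &&
    [ "$(mode_of "$1/.ssh/authorized_keys")" = "600" ]
}

# usage: check_sshd_config <sshd_config-file>
# Succeeds when public key auth is on and password logins are off.
# PasswordAuthentication is an addition here (the post only mentions
# UsePAM); it is the directive that directly controls password logins.
check_sshd_config() {
    grep -Eiq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$1" &&
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1"
}
```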
If you use PuTTY on Windows
Because the SSH2 key generated by ssh-keygen and PuTTY's key format are different, the key cannot be used directly; you must convert it with puttygen.exe:
Copy the id_rsa private key from Linux to Windows, run puttygen.exe, choose the menu Conversions -> Import key, then click Save private key. You can then use this saved private key (.ppk) in PuTTY.
Setting PuTTY to use the key on Windows
1) Start PuTTY and set the session parameters (or load the session if it was set up previously). Select Connection -> SSH -> Auth on the left, click the Browse button, and select the .ppk key file.
2) Set the auto-login username under Connection -> Data -> Auto-login username.
3) Select Session on the left and click Save to keep the changes. Click the Open button to log on.
If the above steps were done correctly, you should be logged on automatically without entering a password.
Converting PuTTY's key to a SecureCRT key
Previously, PuTTY was used to generate the public/private key pair. Now load the private key in puttygen.exe and use Conversions to export the private key in OpenSSH format, named identity. Then export the public key as identity.pub into the same directory, and specify the private key in the SecureCRT session. Make sure the public key is named xx.pub; otherwise SecureCRT cannot find the key.
Example: SecureCRT
Create the C:/ssh directory on the Windows client and copy id_dsa and id_dsa.pub into C:/ssh. Make sure the file names are exactly id_dsa and id_dsa.pub.
Configuring SecureCRT
Please confirm that SecureCRT is installed or upgraded to version 4.0 or above. I am currently using 4.1; then start the configuration.
Step 1: Open the host name record you want to configure the certificate for. After selecting the host name, click the icon in the red box in the figure to enter the host's detailed configuration interface.
Step 2: On the Connection page, set Username to the user you want to log on as; this must be the user for whom the certificate was just created. Under Connection -> Authentication, select PublicKey as the primary authentication method and click Properties.
Step 3: Select "Use session public key", which means a different certificate is used for each session; this is useful for system administrators who manage a large number of hosts. If you only maintain a small number of machines, you can consider using the same set of certificates for all of them.
Under Identity file, click the "..." button, browse My Computer to the C:/ssh directory, where you will see the id_dsa and id_dsa.pub files; select id_dsa and confirm. The path shown should be C:/ssh/id_dsa.
Save the configuration, close SecureCRT, and then open the host you configured with the certificate. Normally you will be prompted for the key's passphrase; after entering it you should be able to log on.
Open another SecureCRT window and log on to the same host. Because SecureCRT has cached the certificate and passphrase, you no longer need to enter the user name and password. Very convenient!
From: http://hi.baidu.com/beijiqieys/blog/item/fe7b1303f7185a783812bbf6.html