Use SSH public key to automatically log into Linux server

As a Linux administrator, logging on to multiple Linux servers for remote operations is part of the daily work. But with the increase of the server, each login, the system will prompt to enter the user name and password, frequent input user name and password is a very annoying thing. Some people may say that you can use some of the client tools, such as: SECURECRT, and so on, it is very convenient for using these software, but these software is not expensive commercial software is attached to a specific platform to install the use, so today I am talking about using SSH The convenience that comes with the ability to use a client-side tool is to use SSH's public key for automatic login.






Test environment:
Operating system: Red Hat Enterprise Linux as Release 4 (Nahant Update 8)
Software version: OPENSSH_3.9P1, OpenSSL 0.9.7a
Management Server: ip: 192.168.0.1 machine Name: Server
Managed Server: ip: 192.168.0.2 machine Name: Client





First step: Generate SSH Public key pair
First of all, if you do not install OpenSSH, please install first, this nonsense, our current Linux server is installed by default OpenSSH software.
Generating a public key pair is generated on the Management Server:











[Email protected] ~] # Ssh-keygen-b 1024-t RSA
Generating public / private RSA key pair. #Prompt that rsa key pair is being generated





Enter file in which to save the key (/HOME/USRNAME/.SSH/ID_DSA): #Ask where public and private keys are stored, enter with default location





Enter passphrase (empty for no passphrase): #Ask for a private key passphrase, enter a passphrase





Enter same passphrase again: #Ask for password confirmation again





Your identification has been saved IN / HOME / USRNAME / .SSH / ID_DSA. #Prompt that the public and private keys have been stored in the / root / .ssh / directory
Your public key has been saved in / home / usrname / .ssh / id_dsa.pub.





The key fingerprint is:
x6: 68: xx: 93: 98: 8x: 87: 95: 7x: 2x: 4x: x9: 81: xx: 56: 94 [email protected] #prompt the fingerprint of the key











Simply explain:
-B 1024 uses a 1024-byte public / private key pair, a maximum of 4096 bytes, a general 1024 or 2048 is sufficient to meet security needs, too long, encryption and decryption takes time to grow.
-T RSA uses RSA encryption public / private key pair, in addition to RSA and DSA mode, RSA mode can not be less than 768 bytes length.
Refer to man Ssh-keygen if you need to use more other parameters.





In the process of generating a key pair you are asked: Enter a password passphrase (empty for no passphrase), password (passphrase) is you use a phrase or a word as a password input, After the encryption or hashing algorithm inside the system to generate the virtual password, the next step of authentication. The advantage is enhanced security is not easy to crack. Read a lot of articles, the inside of this sentence input is empty, that is, the representative does not use a password. Here I strongly ask you to enter a password. Some people will say that the use of passwords after the login to enter the password is no more than the use of user name and password landing convenient how much, I said please do not hurry, and then read my article.
Note: If you generate a key pair without setting a passphrase, then if your private key is lost, then your problem may be worse than losing your username and password.





Step Two: Copy your public key to the managed server
Copy your public key to the user directory on the managed server that you want to log on automatically on your Management server.









[Email protected] ~] # SCP. Ssh / id_dsa.pub [email protected]: #For example, if you want to log in with user peter, remote_usrname please use Peter instead








Renaming and Setting permissions
Login to the managed server, enter the user directory that requires remote login, put the public key into the user directory. SSH directory (if the directory does not exist, you need to create the ~ / .SSH directory, and set the directory permissions to 700), the public key renamed to Authorized_keys2, and set its user rights to 600.









[[email protected] ~] $ ls
Id_rsa.pub
[[email protected] ~] $ mkdir ~ / .ssh #If there is no current user directory. SSH directory, please create a directory first
[Email protected] ~] $ chmod ~ / .ssh
[Email protected] ~] $ MV Id_rsa.pub ~ / .ssh
[Email protected] ~] $ CD ~ / .SSH
[email protected] ~] $ cat id_rsa.pub >> authorized_keys2
[Email protected] ~] $ rm-f id_rsa.pub
[Email protected] ~] $ chmod authorized_keys2
[Email protected] ~] $ ls-l
Total 4
-RW ------- 1 Peter Peter 225 Oct 11:28 Authorized_keys2








Testing a remote login using a key pair









[[email protected] ~] # SSH [email protected]
Enter passphrase for key '/root/.ssh/id_rsa': #Prompt for passphrase, enter the passphrase you just set
Last Login: sun Oct ten 11:32:14 from 192.168.0.1
[Email protected] ~] $








If you can't log in correctly, you should check your AUTHORIZED_KEYS2 permissions again. You may also want to check the permissions of the. SSH directory.





Use Ssh-agent (SSH proxy) to automatically enter passphrase
Keep in mind your "passphrase" and now you can log in to your server with your key instead of the password, but this still doesn't save anything, you still have to enter the key "passphrase". Is there a more convenient way to do it? The answer is to use an SSH proxy (ssh-agent), a program to help you remember the phrase "passphrase." Ssh-agent is the SSH agent that is included by default in OpenSSH.





Log in to the Management Server









[Email protected] ~] # ssh-agent
ssh_auth_sock = / tmp / ssh-vegjcm2147 / agent.2147; Export Ssh_auth_sock;
ssh_agent_pid = 2148; Export ssh_agent_pid;
echo Agent pid 2148;








When you run ssh-agent, it will print out the environment and variables it uses for SSH. There are two ways to use these variables, one is to declare environment variables manually, and the other is to run the eval command to automatically declare environment variables.





Method One: Manually declare environment variables









[Email protected] ~] # ssh_auth_sock = / tmp / ssh-vegjcm2147 / agent.2147; Export Ssh_auth_sock;
[Email protected] ~] # ssh_agent_pid = 2148; Export ssh_agent_pid;
[Email protected] ~] # Printenv | grep ssh #Check SSH environment variable has been added to the environment variable of the current session
ssh_agent_pid = 2148
ssh_auth_sock = / tmp / ssh-vegjcm2147 / agent.2147








Method Two: Run the eval command to automatically declare environment variables









[[Email protected] ~] # eval 'ssh-agent'
Agent PID 2157
[Email protected] ~] # Printenv | grep ssh #Check SSH environment variable has been added to the environment variable of the current session
ssh_agent_pid = 2148
ssh_auth_sock = / tmp / ssh-vegjcm2147 / agent.2147








Now Ssh-agent is already running, but the ssh-agent inside is blank and there is no private key to decrypt. We're going to tell him where we have the private key and the private key. This requires the use of the Ssh -add command to add our private key to the ssh-agent cache.









[Email protected] ~] # Ssh-add ~ / .SSH / ID_DSA
Enter Passphrase FOR / HOME / USER / .SSH / ID_DSA: #Enter your passphrase
Identity added: /home/user/.ssh/id_dsa (/HOME/USER/.SSH/ID_DSA)
[[email protected] ~] # ssh-add-l #View The cached content of the SSH proxy
1024x768 72: 78: 5e: 6b: 16: fd: f2: 8c: 81: b1: 18: e6: 9f: 77: 6e: be / root / .ssh / id_rsa (RSA)











Enter a password, now you can log in to your remote server without entering your passphrase, and your private key is password protected. It's not cool to try!









[[email protected] ~] # SSH [email protected]
Last Login: sun Oct ten 11:32:45 from 192.168.0.1
[Email protected] ~] $








Login server After the operation is over, remember to turn off the ssh-agent, or other people can be remote after landing.









[Email protected] ~] # ssh-agent-k
Unset Ssh_auth_sock;
Unset ssh_agent_pid;
Echo Agent pid 2148 killed;
[Email protected] ~] # ssh-add-l #Check it out, there's no key in the cache.
The agent has no identities.








Oh, cool, of course. If you manage a large number of servers (the number of servers ≥ 2 digits), the first time to upload the public key may be more tired work, but in the future can be in the maintenance work of the public key to realize the convenience of automatic landing.





This article is from the "small Seedlings" blog, please be sure to keep this source http://7056824.blog.51cto.com/69854/403669





Use SSH public key to automatically log into Linux server