Use the SSH Public Key for password-free Login

Use the SSH Public Key for password-free Login

 

SSH password-less logon requires the public key and private key. In Linux, ssh-keygen can be used to generate public/private key pairs. The following uses centos as an example.

There are machines A (10.207.160.34) and B (10.221.32.234 ). Now I want a to log on to B via SSH without a password.
First, use the root account as an example.

1. Generate a public/private key pair on host.

ssh-keygen -t rsa -P ‘‘

-P indicates the password.-P ''indicates that the password is empty, or you do not need the-p parameter. In this case, you have to press enter three times and press enter once with-P.

The command will be in ~ /. A pair of keys id_rsa and id_rsa.pub are generated under the SSH directory.

The ssh rsa key is generally used:
Id_rsa Private Key
Id_rsa.pub Public Key
The following command generates different types of keys
Ssh-keygen-T DSA
Ssh-keygen-T RSA
Ssh-keygen-T rsa1

Execution result:

[[email protected]_32_234_centos ~]$ ssh-keygen -t rsa -P ‘‘Generating public/private rsa key pair.Enter file in which to save the key (/home/hadoop/.ssh/id_rsa): Created directory ‘/home/hadoop/.ssh‘.Your identification has been saved in /home/hadoop/.ssh/id_rsa.Your public key has been saved in /home/hadoop/.ssh/id_rsa.pub.The key fingerprint is:c6:ae:f2:7b:d1:54:eb:30:c3:ee:a1:ea:89:14:da:97 [email protected]_32_234_centosThe key‘s randomart image is:+--[ RSA 2048]----+|                 ||            .    ||         . . .   ||       .  * .    ||    .   S+ =     ||   o . +. + .    ||  . o E .+ .     ||   ..o oo .      ||    .+B+         |+-----------------+

 

2. Place ~ /. Ssh/id_rsa.pub copy to ~ of machine B ~ In the/. Ssh/authorized_keys file, you must first create ~ /. Use SCP to copy the directory ssh.

scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys

Execution result:

[email protected]_160_34_centos:~> scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keysThe authenticity of host ‘node1 (10.221.32.234)‘ can‘t be established.RSA key fingerprint is 4a:bc:1e:ca:18:87:39:af:e4:dd:c4:ce:c1:7b:c7:66.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added ‘node1,10.221.32.234‘ (RSA) to the list of known hosts.[email protected]‘s password: id_rsa.pub                                    100%  405     0.4KB/s   00:00    

Because no password-free logon is available, you need to enter the password of the current user B once.

[email protected]_160_34_centos:~> ssh Node1[email protected]‘s password: Last login: Tue Aug 19 21:29:46 2014 from master

 

3.The authorized_keys permission is 600 !!!

chmod 600 ~/.ssh/authorized_keys

 

4. Machine A logs on to machine B.

[[email protected]_32_234_centos ~]$ ssh node1Last login: Tue Aug 19 22:05:43 2014 from master

 

 

Ssh-keygen usage

 

Assume that machine a is the customer machine, and machine B is the target machine;

Goals:
Machine A does not need to enter a password to log on to machine B through SSH;
Select RSA for encryption. | DSA is supported. The default value is DSA.

Practice:
1. log on to machine
2. Ssh-keygen-T [RSA | DSA] will generate the key file and private key file id_rsa, id_rsa.pub or id_dsa, id_dsa.pub
3. Copy the. Pub file to the. Ssh directory of machine B and CAT id_dsa.pub >> ~ /. Ssh/authorized_keys
4. As a result, the user no longer needs a password to log on to the target account of machine B from machine;

 

Ssh-keygen performs password verification to enable SSH on the target machine. SCP does not need a password.
The specific method is as follows:
Ssh-keygen-T RSA
Then press enter to use the default value.

In this way, a key pair is generated and stored in the user directory ~ /. Ssh.
Test the public key in the user directory of the target machine and copy it ~ /. Ssh/authorized_keys.

Make sure that both. SSH and authorized_keys have write permission only for the user. Otherwise, the verification is invalid. (This is the problem we have encountered today. I have been looking for a long time.) In fact, I think about it carefully to avoid system vulnerabilities.