Use the ssh public key to automatically log on to the linux server


As a Linux administrator, logging on to many Linux servers for remote operations is part of daily work. As the number of servers grows, being prompted for a user name and password on every login becomes very annoying. Some will say that a client tool such as SecureCRT solves this. Such tools are indeed much more convenient, but they are either expensive commercial software or only run on a particular platform. What I introduce today is how to get the same convenience with the functions built into ssh itself: automatic login with an ssh public key.


Test environment:
Operating system: Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
Software version: OpenSSH_3.9p1, OpenSSL 0.9.7a
Management server: IP 192.168.0.1, host name server
Managed server: IP 192.168.0.2, host name client

Step 1: generate an ssh key pair
First, install OpenSSH if it is not already installed. That goes without saying: OpenSSH is installed by default on our Linux servers.
The key pair is generated on the management server:

[root@server ~]# ssh-keygen -b 1024 -t rsa
Generating public/private rsa key pair.        # the system reports that an rsa key pair is being generated
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):    # type a passphrase for the private key
Enter same passphrase again:                   # type it again to confirm
Your identification has been saved in /root/.ssh/id_rsa.      # the private and public keys are stored in /root/.ssh/
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
x6:68:xx:93:98:8x:87:95:7x:2x:4x:x9:81:xx:56:94 root@server   # the key fingerprint

Brief description:
-b 1024 generates a 1024-bit public/private key pair. The maximum length is 4096 bits. Generally 1024 or 2048 bits is enough to meet security requirements; a longer key makes encryption and decryption take longer. (Current OpenSSH releases refuse RSA keys shorter than 1024 bits and default to 3072; prefer 2048 bits or more today.)
-t rsa generates an RSA key pair; the other available type is dsa. The minimum length of an RSA key is 768 bits.
For more parameters, see man ssh-keygen.

When generating the key pair you are asked "Enter passphrase (empty for no passphrase)". A passphrase is a phrase or sentence used as a password; the system runs it through its internal encryption or hash algorithm and uses the result to protect the private key before it is used for authentication. The advantage is security: a protected key is not easy to crack. Many articles I have read leave this empty, meaning no passphrase is used. Here I strongly urge you to enter one. Some will object that with a passphrase you must still type it at every login, which is hardly easier than typing a user name and password. Don't worry, and read on.
Note: if you generate a key pair without a passphrase and your private key is lost, your trouble may be worse than losing a user name and password: whoever holds the file can log on to every server where the public key is installed without any further check.

Step 2: copy your public key to the managed server
Copy your public key into the home directory of the user you want to log in as on the managed server.

[root@server ~]# scp .ssh/id_rsa.pub remote_usrname@192.168.0.2:   # e.g. to log in as user peter, replace remote_usrname with peter

Rename and set permissions
Log on to the managed server as the user who will be logged into remotely, put the public key in that user's ~/.ssh directory (if the directory does not exist, create ~/.ssh first and set its permission to 700), append the public key to authorized_keys2, and set that file's permission to 600. (authorized_keys2 is an older name; sshd reads both ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 by default.)

[peter@client ~]$ ls
id_rsa.pub
[peter@client ~]$ mkdir ~/.ssh          # if ~/.ssh does not exist in the user's home directory, create it first
[peter@client ~]$ chmod 700 ~/.ssh
[peter@client ~]$ mv id_rsa.pub ~/.ssh
[peter@client ~]$ cd ~/.ssh
[peter@client .ssh]$ cat id_rsa.pub >> authorized_keys2   # append, so keys already in the file are kept
[peter@client .ssh]$ rm -f id_rsa.pub
[peter@client .ssh]$ chmod 600 authorized_keys2
[peter@client .ssh]$ ls -l
total 4
-rw------- 1 peter 225 Oct 10 authorized_keys2

Test remote login using the key pair

[root@server ~]# ssh peter@192.168.0.2
Enter passphrase for key '/root/.ssh/id_rsa':   # you are asked for the passphrase; enter the one you just set
Last login: Sun Oct 10 11:32:14 2010 from 192.168.0.1
[peter@client ~]$

If you are still asked for the account password instead, check the permissions on authorized_keys2 again, and also those on the .ssh directory (and on the home directory itself, which must not be writable by group or others, or sshd ignores the key file).
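The permission check suggested above, automated as an added example that is not part of the original article: it tests the exact modes the article sets (700 on ~/.ssh, 600 on the key file) plus the home-directory writability check that sshd performs with StrictModes, and reports every problem it finds. It assumes a POSIX sh with find(1) and grep(1); the function name is mine.

```shell
# Added example, not from the original article: verify the permissions that
# "Rename and set permissions" requires and that sshd (StrictModes yes) enforces.
# Assumes a POSIX sh with find(1) and grep(1); the function name is mine.

# Usage: check_ssh_perms HOMEDIR [KEYFILE]
# Prints one line per problem found and returns 0 only when all is in order.
check_ssh_perms() {
    home=$1
    keyfile=${2:-authorized_keys2}     # the article uses authorized_keys2
    sshdir=$home/.ssh
    problems=0

    # sshd ignores every key when the home directory is group- or world-writable
    if [ -n "$(find "$home" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$home: writable by group or others"
        problems=$((problems + 1))
    fi

    # ~/.ssh must exist and be exactly 700 (chmod 700 ~/.ssh above)
    if [ ! -d "$sshdir" ]; then
        echo "$sshdir: missing"
        return 1
    fi
    if [ -z "$(find "$sshdir" -prune -perm 700 -print)" ]; then
        echo "$sshdir: mode is not 700"
        problems=$((problems + 1))
    fi

    # the key file must exist, be exactly 600, and hold at least one public key
    if [ ! -f "$sshdir/$keyfile" ]; then
        echo "$sshdir/$keyfile: missing"
        return 1
    fi
    if [ -z "$(find "$sshdir/$keyfile" -prune -perm 600 -print)" ]; then
        echo "$sshdir/$keyfile: mode is not 600"
        problems=$((problems + 1))
    fi
    if ! grep -q '^ssh-' "$sshdir/$keyfile"; then
        echo "$sshdir/$keyfile: contains no public key lines (was it overwritten?)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Run directly as: sh check_ssh_perms.sh /home/peter
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$@"
fi
```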

Use ssh-agent (the ssh key agent) to supply the passphrase automatically
Remember your passphrase. You can now log on to your server with your key instead of the account password, but there is still one annoyance: you must still type the key's passphrase. Is there a simpler way? The answer is ssh-agent, a program that remembers the passphrase for you (more precisely, it holds the decrypted private key in memory and answers authentication requests on your behalf). ssh-agent is the agent shipped with OpenSSH.

Log on to the management server

[root@server ~]# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2148; export SSH_AGENT_PID;
echo Agent pid 2148;

When ssh-agent starts, it prints the environment variables it needs (the path of its socket and its process id). To make your session use them you can either declare the variables by hand, or wrap the command in eval so they are declared automatically.

Method 1: declare the environment variables by hand

[root@server ~]# SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147; export SSH_AUTH_SOCK;
[root@server ~]# SSH_AGENT_PID=2148; export SSH_AGENT_PID;
[root@server ~]# printenv | grep SSH    # check that the ssh variables are now set in the current session
SSH_AGENT_PID=2148
SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147

Method 2: run the eval command to declare the environment variables automatically

[root@server ~]# eval `ssh-agent`
Agent pid 2157
[root@server ~]# printenv | grep SSH    # check that the ssh variables are now set in the current session
SSH_AGENT_PID=2157
SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147

ssh-agent is now running, but it holds no private key yet, so it cannot answer any authentication request. We have to tell it which private key to use and where it is. That is what ssh-add does: it decrypts the key with your passphrase and places it in the agent's cache.

[root@server ~]# ssh-add ~/.ssh/id_rsa
Enter passphrase for /root/.ssh/id_rsa:    # enter your passphrase
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@server ~]# ssh-add -l               # list the identities cached by the agent
1024 72:78:5e:6b:16:fd:f2:8c:81:b1:18:e6:9f:77:6e:be /root/.ssh/id_rsa (RSA)

Type the passphrase once. From now on you can log on to the remote server without entering it again, while the private key on disk stays passphrase-protected. Try it!

[root@server ~]# ssh peter@192.168.0.2
Last login: Sun Oct 10 11:32:45 2010 from 192.168.0.1
[peter@client ~]$

When you have finished working on the servers, remember to shut the ssh-agent down. Otherwise the decrypted key stays in the agent's memory, and anyone who can connect to its socket (root on this machine, or anyone who obtains the SSH_AUTH_SOCK path and has access to it) can log on to your servers as you.

[root@server ~]# ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 2148 killed;
[root@server ~]# ssh-add -l     # confirm that the key is no longer cached
The agent has no identities.
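The ssh-agent, ssh-add and ssh-agent -k steps above, wrapped as an added example that is not part of the original article: a shell function starts a fresh agent with the eval method, loads the key, runs one command with the agent in its environment, and then kills the agent on every exit path (including an interrupt), evaluating the unset lines that ssh-agent -k prints so the dead agent's variables do not linger in the shell. It assumes a POSIX sh with ssh-agent and ssh-add on PATH; the function names are mine.

```shell
# Added example, not from the original article: the ssh-agent / ssh-add /
# ssh-agent -k sequence as a wrapper that guarantees the agent is killed.
# Assumes a POSIX sh with ssh-agent and ssh-add on PATH; function names are mine.

# Usage: run_with_agent PRIVATE_KEY COMMAND [ARGS...]
# Starts a fresh agent (Method 2: eval the exports ssh-agent prints), loads
# PRIVATE_KEY (ssh-add asks for its passphrase once), runs COMMAND with the
# agent in its environment, then kills the agent and returns COMMAND's status.
run_with_agent() {
    key=$1
    shift
    # -s forces Bourne-shell syntax for the SSH_AUTH_SOCK / SSH_AGENT_PID exports
    eval "$(ssh-agent -s)" >/dev/null || return 1
    # kill the agent even if we are interrupted before COMMAND finishes
    trap 'stop_agent' INT TERM EXIT
    if ! ssh-add "$key"; then
        stop_agent
        return 1
    fi
    "$@"
    status=$?
    stop_agent
    return "$status"
}

# stop_agent: ssh-agent -k kills the agent named by SSH_AGENT_PID and prints
# "unset" lines for both variables; eval them so the dead agent is forgotten.
stop_agent() {
    if [ -n "${SSH_AGENT_PID:-}" ]; then
        eval "$(ssh-agent -k)" >/dev/null 2>&1
    fi
    trap - INT TERM EXIT
}

# agent_key_count: number of identities the reachable agent holds, 0 when it
# has none or no agent is reachable (the state ssh-add -l reports after -k).
agent_key_count() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9]'
}
```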

That's it. Of course, if you manage a large number of servers (say ten or more), uploading the public key to each one the first time is some work, but afterwards you will appreciate how much more convenient public-key automatic login makes maintenance.

This article is from the "seedling" blog; please keep this source when reproducing it: http://7056824.blog.51cto.com/69854/403669
