Use the putty (ssh) Key to securely log on to the server

Source: Internet
Author: User
Tags ssh server

Step 1: generate a key
Run puttygen.exe and select the required key type (parameters) and length (bits ). Putty uses the SSH1 protocol by default. The default length is 1024,

We will use the SSH1 protocol for the time being. We will discuss the differences between the SSH2 protocol and the SSH1 protocol.

Click Generate to Generate the Key. The generated Key passphrase and Confirm passphrase can be left blank. passphrase is the password used to protect the private Key. If there are no special security requirements, you can skip this step, otherwise, you need to enter the password again during logon. If passphrase is input, you can log on to the system automatically. Click Save public key and Save private key to Save the public key and private key, for example, id_rsa1.pub and id_rsa1.prv.

Step 2: Upload the key
Log on to the remote system with your account and run the following command:
Cd ~
Mkdir. ssh

Chmod 700. ssh
Cat id_rsa1.pub>. ssh/authorized_keys

Chmod 600. ssh/authorized_keys

Step 3: Set Putty
Start Putty, set the parameters of the session (such as IP address and protocol select SSH), and then select SSH on the left, "Preferred SSH protocol version :",

In this case, we use the SSH1 protocol, so we will select Protocol Version 1, then "SSH-> Auth", "Private key file for authentication:" click the Browse button, and select the id_rsa1.prv file.
Select the Session on the left and click Save to Save the modification. Click the Open button to log on.
If there are no problems with the above operations, then the system should automatically log on without entering the password. Normally, the following information is displayed:

Login as: root

Authenticating with public key "rsa-key-20050328"

Last login: Mon Mar 28 14:39:13 2005 from 192.168.0.2

With the information in the second line above, it indicates that you have enabled SSH communication properly.

========================================================== ====================================
Other problems:

1. Use SSH2 protocol

If you want to use the SSH2 Protocol, you need to modify the/etc/ssh/ssh_config file and remove the # character before the line # Protocol 2, 1. The default value is ssh2,

In ssh1 mode, it is okay not to remove the # annotation.

Use puttygen.exe to Generate Keys in the SSH2 protocol format (the operation method is the same as above). When uploading keys to the. ssh/authorized_keys file, you need to make the following changes,

The format of the SSH2 key generated by puttygen.exe and bsd/Linux is different.

For example, the Public Key generated by puttygen.exe is id_rsa2.pub.

[Root @ mail. ssh] # cat id_rsa2.pub

---- BEGIN SSH2 public key ----

Comment: "rsa-key-20050328"

Bytes

41LXw3DR2/7 + aBQNYDez3BWkGIluyfuyWYlw21bEzUiJhJ9/8tX5FUJLBYr/ELtq

Bytes

ZB4qUfM =

---- END SSH2 public key ----

The ssh2 format generated by BSD/Linux is


[Root @ linuxwht. ssh] # cat id_rsa.pub

Ssh-rsa AAAB3NzaC1yc2EAAAABIwAAAIEAsD4qEibcK1e9ZgFX6bahxnU/It5MjC/7U56n

OOZ0MDf + LHU7bWo3M6XH/mp1KeTRrHIPtmEl2PTkf9/3 NffNtBdAkSJ/sWoPoaeJlShcvK2

WzOsrre4FyJRRUtl2jdCDJxRX0Cu2GV/aNphVQoAuU0lj7/55eladpO8/jr14adE =

So you can change the format according to the default Linux format.

If puttygen.exe is not available, you can use the ssh-keygen provided by bsd/linux to generate a key. The command format is as follows:
Ssh-keygen-B key length-t key type
Key types can be: rsa1 (corresponding to SSH1 RSA), rsa and dsa (corresponding to SSH2)

For example, ssh-keygen-B 1024-t rsa

Generated by default ~ /. Ssh/id_rsa file.

However, the format of the SSH2 key generated by ssh-keygen is different from that generated by putty and cannot be used directly. You must use puttygen.exe to convert the key.

So we are still using rsa1, so there is no difference in general use.

2. Let Putty display Chinese Characters

Start putty

Windows-> appearance-> font setting-> change...

Set the default font of putty to "".

After connecting to the server, enter:

Export LANG = zh_CN.GB2312

Change environment variables.


3. Set passphrase to enable automatic system logon.

Open pageant.exe, right-click the pageant.exe icon in the lower right corner, and click "add key". Select the generated private key, such as id_rsa2.ppk, OK,

You only need to open pageant.exe, and then the system can automatically log on without entering passphrase.

The function of pageant is to put the private key for encryption in the memory and call it as needed.

 

========================================================== ====================================

Possible problems:

1. Server refused our key
The public key does not match the private key, or the authorized_keys file does not exist.

Solution: Use puttygen.exe to Generate Keys in ssh2 format different from those in Linux,

Follow the above changes (just add ssh-rsa.

2. Unable to use key file "id_rsa1.prv" (SSH1 private key)
Incorrect private key file format or incorrect logon type
Solution: When the putty à SSH option is enabled, "Preferred SSH protocol version:". If you use the SSH1 protocol,

Select "1". If you use SSH2, select "2". Most of the keys generated by you are SSH1 protocol,

The putty logon type is protocol 2.


------------------------------------------------


SSH: Secure Shell protocol


I. Introduction to SSH

What is SSH?

Traditional network service programs, such as ftp, pop, and telnet, are inherently insecure because they transmit passwords and data in plain text on the network, people with ulterior motives can easily intercept these passwords and data. In addition, the security authentication methods of these service programs also have their weaknesses, that is, they are vulnerable to man-in-the-middle attacks. The so-called "man-in-the-middle" attack means that "man-in-the-middle" impersonates a Real Server to receive the data you send to the server, and then impersonates you to pass the data to the Real Server. When the data transfer between the server and you is transferred by a man-in-the-middle, a serious problem may occur.

The full name of SSH is Secure Shell. By using SSH, You can encrypt all transmitted data so that the "man-in-the-middle" attack method is impossible and can also prevent DNS and IP spoofing. Another advantage is that the data transmitted is compressed, which can speed up transmission. SSH has many functions. It can replace telnet and provide a secure "channel" for ftp, pop, and even ppp ".

SSH was initially developed by a Finnish company. However, due to copyright and encryption algorithm restrictions, many people have switched to OpenSSH. OpenSSH is an alternative to SSH and is free of charge. It is expected that more and more people will use it instead of SSH in the future.

SSH is composed of the client and server software. There are two incompatible versions: 1.x and 2.x. The client program using SSH 2.x cannot connect to the service program of SSH 1.x. OpenSSH 2.x supports both SSH 1.x and 2.x.

How does SSH security authentication work?

From the client perspective, SSH provides two levels of security authentication.

Level 1 (password-based security verification) you can log on to the remote host as long as you know your account and password. All transmitted data is encrypted, but it cannot be guaranteed that the server you are connecting to is the server you want to connect. Other servers may pretend to be real servers, that is, being attacked by man-in-the-middle.

The second level (key-based security verification) depends on the key, that is, you must create a pair of keys for yourself and put the public key on the server to be accessed. If you want to connect to the SSH server, the client software will send a request to the server, requesting your key for security verification. After receiving the request, the server first looks for your public key in the home directory of the server, and then compares it with the public key you sent. If the two keys are consistent, the server uses the public key to encrypt the challenge and send it to the client software. After the client software receives a question, it can use your private key to decrypt it and then send it to the server.

In this way, you must know your key password. However, compared with the first level, the second level does not need to transmit passwords over the network.

The second level not only encrypts all transmitted data, but also the "man-in-the-middle" attack method is impossible (because he does not have your private key ). However, the entire logon process may take 10 seconds.

 

SSH consists of three parts:


Transport Layer Protocol [SSH-TRANS] provides server authentication, confidentiality and integrity. In addition, it sometimes provides the compression function. A SSH-TRANS typically runs on a TCP/IP connection and may also be used on other reliable data streams. SSH-TRANS provides strong encryption technology, password Host Authentication and Integrity protection. The authentication in this Protocol is based on the host and does not perform user authentication. Higher-level user authentication protocols can be designed on top of these protocols.

User Authentication Protocol [SSH-USERAUTH] is used to provide client user authentication to the server. It runs on the transport layer protocol SSH-TRANS. When

When the SSH-USERAUTH starts, it receives session identifiers from low-level protocols (from swap hash H in the first key exchange ). The session identifier uniquely identifies the session and applies to the tag to prove the ownership of the private key. SSH-USERAUTH also needs to know whether low-level protocols provide confidentiality protection.

Connection Protocol [SSH-CONNECT] divides multiple encrypted tunnels into logical channels. It runs on the user authentication protocol. It provides interactive logon routes, remote command execution, forwarding TCP/IP connections, and forwarding X11 connections.

Once a secure transport layer connection is established, the client sends a service request. After the user authentication is complete, the second service request is sent. This allows the newly defined protocol to coexist with the preceding protocol. The connection protocol provides a wide range of channels with standard methods for establishing secure interactive session casings and forwarding ("tunneling technology") Proprietary TCP/IP ports and X11 connections.

By using SSH, You can encrypt all transmitted data so that the "man-in-the-middle" attack method is impossible.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.