2025-03-17 Update. From: SLTechnology News&Howtos, shulou (Servers)
Shulou (Shulou.com) 06/02 Report
When we use a Linux system, the usual way to log in over SSH is with a user name and password. Today we will look at a more secure alternative: key-based login.
SSH public-key authentication relies on an asymmetric key pair (RSA in this article; newer OpenSSH releases also offer ECDSA and Ed25519). The private key stays on the client, the public key is installed on the server, and at login the server challenges the client to prove that it holds the matching private key, so no password ever crosses the wire. OpenSSH ships a tool for creating such key pairs, ssh-keygen, so let's take a look at it.
First, go to your home directory on the Linux client and confirm that there is no ~/.ssh directory (the so-called key folder) yet.
Two commands are used here: ssh-keygen and ssh-copy-id. Their options are as follows.
The options available for ssh-keygen are listed below. The list follows an older OpenSSH manual page: current releases no longer support SSH-1 (rsa1) keys, have replaced the smartcard reader options with PKCS#11 support, and accept additional key types (see -t).
-a trials
Number of primality tests to perform when screening DH-GEX candidate primes with -T.
-B
Show the bubblebabble digest of the specified private or public key file.
-b bits
Specifies the key length in bits. For RSA keys the minimum in this older release is 768 bits and the default is 2048 bits; current OpenSSH requires at least 1024 bits and defaults to 3072, and 4096 is a common choice. DSA keys must be exactly 1024 bits, as required by FIPS 186-2.
-C comment
Provide a new comment.
-c
Request changing the comment in the private and public key files. Only RSA1 keys are supported by this option. The program prompts for the private key file name, the passphrase (if any), and the new comment.
-D reader
Download the RSA public key stored in the smartcard in reader.
-e
Read an OpenSSH private or public key file and print the public key to stdout in the RFC 4716 SSH Public Key File Format. This option can export keys for several commercial SSH implementations.
-F hostname
Search the known_hosts file for the specified hostname and list all matches. This is mainly used to find hashed host names or addresses; combined with -H, the matching public key is printed in hashed format.
-f filename
Specifies the key file name.
-G output_file
Generate candidate primes for DH-GEX. These primes must be screened with the -T option before use.
-g
Use the generic DNS format when printing fingerprint resource records with -r.
-H
Hash the known_hosts file. This replaces every host name or address in the file with a hashed representation; the original file is kept with a ".old" suffix. The hashes can only be used by ssh and sshd. Entries that are already hashed are left unchanged, so the option is safe to run on a partially hashed file.
-i
Read an unencrypted private (or public) key file in SSH2-compatible format and print an OpenSSH-compatible private (or public) key to stdout. This is mainly used to import keys from several commercial SSH implementations.
-l
Show the fingerprint of the specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys, ssh-keygen looks for the matching public key file and prints its fingerprint.
-M memory
Specifies the maximum amount of memory (MB) to use when generating DH-GEX candidate moduli.
-N new_passphrase
Provide the new passphrase.
-P passphrase
Provide the (old) passphrase.
-p
Request changing the passphrase of a private key file without recreating the key. The program prompts for the private key file name, the old passphrase, and the new passphrase twice.
-q
Quiet mode. Used by /etc/rc when creating a new key.
-R hostname
Remove all keys belonging to hostname from the known_hosts file. This is mainly used to delete hashed hosts (see -H).
-r hostname
Print the SSHFP fingerprint resource record named hostname for the specified public key file.
-S start
Specifies the starting point (in hex) when generating DH-GEX candidate moduli.
-T output_file
Test the DH-GEX candidate primes generated by -G for safety.
-t type
Specifies the type of key to create: "rsa1" (SSH-1), "rsa" (SSH-2) or "dsa" (SSH-2). Current OpenSSH also accepts "ecdsa" and "ed25519", and no longer supports rsa1 or recommends dsa.
-U reader
Upload an existing RSA private key into the smartcard in reader.
-v
Verbose mode. ssh-keygen prints debugging messages about its progress; this is helpful for debugging moduli generation. Repeating -v (up to 3 times) increases the verbosity.
-W generator
Specify the generator to use when testing DH-GEX candidate moduli.
-y
Read a private key file in OpenSSH format and print the corresponding OpenSSH public key to stdout.
The options of ssh-copy-id are:
-i identity_file: the public key file to install (the .pub file; if a private key name is given, the matching .pub is used)
-p port: the SSH port of the remote host, default 22
-o ssh_option: an extra option passed through to ssh
[user@]hostname: the account and host that will receive the key
-f: force mode, copy the key without checking whether it is already installed
-n: dry run, no keys are actually copied
-h | -?: show help
Next we create a key pair: ssh-keygen -t rsa generates an RSA asymmetric key pair. Accept the default file name, then enter a passphrase when prompted.
I set a simple 5-digit passphrase, 12345, as a test. For real use pick a long passphrase: it is the only thing protecting the private key file if it is ever copied off the machine.
Then go back to the account's home directory and run ls -a; the .ssh directory has now been created.
Inside it are the generated private key (id_rsa, which never leaves this machine) and the public key (id_rsa.pub, which is what gets installed on the servers).
Then push the public key to the host you want to log in to with ssh-copy-id. The command format is: ssh-copy-id -i <public key file> user@IP. ssh-copy-id asks for the remote account's password once and appends the public key to ~/.ssh/authorized_keys of that account on the remote host.
Now log in to the remote host as root. The prompt asks for the passphrase of the private key rather than for the remote root account's password: key login is working.
Entering the key passphrase, just like entering the remote root password, still needs a human at the keyboard. To avoid that interaction, use ssh-agent and ssh-add: start an agent session with ssh-agent bash, then run ssh-add to load the private key into the agent (it asks for the passphrase once). From then on the agent holds the decrypted key in memory for the session and answers the server's challenge on your behalf.
Finally, log in to the remote host as root again: the login now completes without any interaction. A more convenient way to get the same result is to press Enter at the passphrase prompt when creating the key, that is, to create a key with an empty passphrase, and copy it over directly. Be aware of the trade-off: an unprotected id_rsa file lets anyone who obtains it log in as root on every host where its public key is installed, so prefer a passphrase plus ssh-agent for interactive use and reserve empty-passphrase keys for automation accounts with limited privileges. Once key login works, consider setting PasswordAuthentication no in the server's sshd_config so that password guessing against root is no longer possible.
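What ssh-copy-id does on the remote host, written out by hand as an added example (this is my code, not the article's and not part of OpenSSH): the function appends a public key line to ~/.ssh/authorized_keys exactly once, even if the comment field differs between the client's copy and the installed copy, and sets the modes (700 on ~/.ssh, 600 on authorized_keys) that sshd insists on when StrictModes is enabled. The function names install_authorized_key, count_authorized_keys and perms, the demo directory, and the sample key lines are my own; the key blobs are made up and are not real keys, so the script runs offline against any directory you pass as the home directory.

```sh
#!/bin/sh
# Added example (not from the original article or from OpenSSH): the
# server-side half of ssh-copy-id, done by hand. A public key line is
# appended to HOME_DIR/.ssh/authorized_keys exactly once, and the directory
# and file get the modes sshd's StrictModes check requires (700 and 600).

# install_authorized_key HOME_DIR PUBKEY_LINE
# Exit status: 0 = key added, 1 = key already present, 2 = malformed key line.
install_authorized_key() {
    home_dir=$1
    pubkey=$2

    # An OpenSSH public key line is "<type> <base64 blob> [comment]".
    # Accept the key types ssh-keygen produces; reject anything else.
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*|"ssh-dss "*) ;;
        *) return 2 ;;
    esac

    # Match on type and blob only: the comment is free text and may differ
    # between the client's copy and the copy already installed. (Entries
    # that start with an options field such as from="..." are not handled
    # by this simple check.)
    key_id=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')

    auth_dir=$home_dir/.ssh
    auth_file=$auth_dir/authorized_keys
    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"      # sshd ignores the file if ~/.ssh is group/world writable
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Already installed? Compare the first two fields of every existing line.
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit found ? 0 : 1 }' "$auth_file"; then
        return 1
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
    return 0
}

# count_authorized_keys HOME_DIR: number of non-empty lines in authorized_keys
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# perms PATH: octal mode bits; GNU stat uses -c, BSD/macOS stat uses -f
perms() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample key lines (made-up blobs, not real keys).
SAMPLE_TYPE_BLOB="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpBlobNotARealKey0000000000000000"
SAMPLE_KEY="$SAMPLE_TYPE_BLOB alice@client"

# Demo against a throwaway directory so the real ~/.ssh is never touched.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY"; rc=$?
echo "first install: rc=$rc keys=$(count_authorized_keys "$demo_home")"
install_authorized_key "$demo_home" "$SAMPLE_TYPE_BLOB alice@laptop"; rc=$?
echo "same key, new comment: rc=$rc (1 = already present) keys=$(count_authorized_keys "$demo_home")"
echo "modes: .ssh=$(perms "$demo_home/.ssh") authorized_keys=$(perms "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```

The permission step is the part people most often get wrong when they copy keys by hand instead of with ssh-copy-id: with the default StrictModes yes, sshd silently falls back to password authentication if ~/.ssh or authorized_keys is writable by group or others, and the only hint is a "Authentication refused: bad ownership or modes" line in the server's auth log.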