Git: SSH protocol server

2025-01-19 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

SSH protocol syntax format

For user accounts with shell login privileges, you can access the Git repository using either of the following syntaxes:

Syntax 1: ssh://[<user>@]<server>[:<port>]/home/xxx/repo1.git

Syntax 2: [<user>@]<server>:/home/xxx/repo1.git

Note:

The SSH protocol address can be written in two ways: the first is the standard SSH protocol URL beginning with ssh://, and the second is the SCP format. The standard SSH URL is a bit more complicated, but for non-standard SSH ports (other than 22) the port number can be given directly in the URL.

<user> is the user account on the server. If the user name is omitted, the name of the currently logged-in user is used (unless a host alias is configured and used).

<port> is the SSH protocol port, which defaults to 22. When a non-default port is used, it is best to use syntax 1. You can also use syntax 2, but the port must then be set through a host alias in the ~/.ssh/config configuration file.

The path /home/xxx/repo1.git is the absolute path to the repository on the server. If you use a relative path, it is relative to the home directory of the <user> user.

If you use password authentication, you must enter a password each time you connect.

If public key authentication is used, there is no need to enter a password.

Comparison of server setup methods

The SSH protocol offers two ways to implement a Git service. The first is to access the repository with a standard SSH account, that is, a user account that can log in directly to the server and obtain a shell. For this approach, the standard SSH service is all that is needed.

The second way is for all users to access the repository through the same dedicated SSH account, using public key authentication. Although all users connect with the same account, the different public keys used to establish the connection make it possible to tell the users apart. Gitolite is server software that implements this approach.

Differences between a standard SSH account and a dedicated SSH account:

Item: Standard SSH / Gitolite
Account: one account per user / all users share the same account
Authentication: password or public key authentication / public key authentication
Login to shell: is not safe
Whether the administrator needs shell
Repository path: relative path or absolute path / relative path
Authorization: user groups and directory permissions in the operating system / authorized through configuration files
no / Gitolite
Path write authorization: no / Gitolite
Degree of difficulty: simple / complex

In fact, standard SSH can also use public key authentication to let users share the same account, but this is similar to telling several people the login password of a public account at the same time. The specific steps are as follows:

1. Create a public account, such as sparker, on the server side.

2. The administrator collects the public keys of the users who need to access the git service, such as user1.pub and user2.pub.

3. Add the public key of each git user to the server's public key authentication list.

3.1. For remote operation, you can use the ssh-copy-id command.

$ ssh-copy-id -i user1.pub sparker@server

$ ssh-copy-id -i user2.pub sparker@server

3.2. If you operate directly on the server, append the files directly to the authorized_keys file.

$ cat user1.pub >> ~sparker/.ssh/authorized_keys

$ cat user2.pub >> ~sparker/.ssh/authorized_keys

4. With the git repository created under the sparker user's home directory on the server, multiple users can access the git service using the same system account (sparker).

Apart from not having to create accounts one by one and users not needing password authentication, deploying a git service over standard SSH has many disadvantages, and because users cannot be distinguished, they cannot be authorized individually.
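An added example (not from the original article): one way to keep a shared account such as sparker from giving every key holder a shell, and to tie each key to a user name, using the OpenSSH authorized_keys options command= and restrict. The wrapper path /usr/local/bin/git-gate is a hypothetical script (an assumption), and the key blob in the demo is constructed.

```shell
#!/bin/sh
# Added example. GATE is a hypothetical wrapper (assumption): it would receive the
# user name as $1, log it, and run the Git command found in $SSH_ORIGINAL_COMMAND.
GATE=/usr/local/bin/git-gate

# restricted_entry USER PUBKEYFILE: print one authorized_keys line that ties the
# key to USER and forces GATE, so the key cannot open a shell or forward ports.
restricted_entry() {
    user=$1; keyfile=$2
    case $user in   # refuse names that could break out of the quoted command=
        ''|*[!A-Za-z0-9_.-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    # Keep key type and blob from the first key line; replace the old comment.
    key=$(awk 'NF >= 2 { print $1, $2; exit }' "$keyfile") || return 1
    [ -n "$key" ] || { echo "no key in $keyfile" >&2; return 1; }
    printf 'command="%s %s",restrict %s %s\n' "$GATE" "$user" "$key" "$user"
}

# unrestricted_keys FILE: print the line numbers of entries without a forced
# command, i.e. keys that still give their holder a shell on the account.
unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/            { next }            # comment or blank line
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { print NR; next }  # no options field at all
        $0 !~ /command="/         { print NR }        # options, but no command=
    ' "$1"
}

# Demo on constructed input; the key blob is a made-up placeholder, not a real key.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlobUser1 user1@laptop' > "$demo/user1.pub"
restricted_entry user1 "$demo/user1.pub" > "$demo/authorized_keys"  # restricted form
cat "$demo/user1.pub" >> "$demo/authorized_keys"                    # as in step 3.2
unrestricted_keys "$demo/authorized_keys"                           # prints: 2
rm -rf "$demo"
```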

SSH public key authentication

To use public key authentication, the client side needs two files: a public/private key pair. The key pair files are normally created in the .ssh directory under the user's home directory. If that .ssh directory does not exist, no SSH public/private key pair has been created yet. You can create one with the following command:

$ ssh-keygen

This command creates a .ssh directory under the user's home directory and creates two files in it:

1. id_rsa

The private key file, based on the RSA algorithm. It must be kept safe and secret.

2. id_rsa.pub

The public key file, paired with the id_rsa file. It can be made public.

Once you have created your own public/private key pair, you can use the following command to set up password-less login to the remote server (that is, replace password authentication with public key authentication).

$ ssh-copy-id -i .ssh/id_rsa.pub <user>@<server>

Note:

The command prompts for the SSH login password of user <user> on <server>.

After this command succeeds, user <user> can log in to the remote host <server> with the ssh command directly, without entering a password.

The command actually appends the .ssh/id_rsa.pub public key file to the .ssh/authorized_keys file under the home directory of <user> on the remote host <server>.

To check that public key authentication works, connect to the remote host with the ssh command. Normally the login should succeed. If a password is requested, there is a problem with the public key authentication configuration. Problems with SSH login can be diagnosed by looking at the /var/log/auth.log file on the server.

SSH host alias

In practice, it is sometimes necessary to use several public/private key pairs, for example:

1. Use the default public key to access the git account on the server; Git commands can be executed, but logging in to a shell is not possible.

2. Use a specially created public key to access the git account on the server; a shell can be obtained, and after logging in the Git server software can be upgraded and maintained.

3. Access GitHub using a different public key (other than the default public key).

As these cases show, a user may have more than one public/private key pair. To create additional key pairs, specify a different private key file name with the -f parameter of the ssh-keygen command, as follows:

$ ssh-keygen -f ~/.ssh/

Please replace with a meaningful name. After the command is executed, the specified public/private key pair is created in the ~/.ssh directory: the file is the private key and the file .pub is the public key.

Add the newly generated public key to the .ssh/authorized_keys file under the home directory of the login user on the remote host, and the new key can then be used for password-less login to that account. Do the following:

$ ssh-copy-id -i .ssh/.pub <user>@<server>

Now that the user has several public/private key pairs, which public key is used when executing the following ssh login command?

$ ssh <user>@<server>

The default public key ~/.ssh/id_rsa.pub, of course. So how do you connect to the server with the newly created public key?

The SSH client configuration file ~/.ssh/config can select a specific public key for connections to a host by defining a host alias. For example, with the following configuration in the ~/.ssh/config file:

Host abc
    User git
    HostName abc.xxx.com
    Port 22
    IdentityFile ~/.ssh/abc

Note that HostName can also be written as an IP address.

Then execute the following SSH login command:

$ ssh abc

Or execute the git command:

$ git clone abc:/home/abc/repo1.git

Although the two commands are different, both use the SSH protocol and the same host alias: abc. From the host alias defined in the ~/.ssh/config file above, you can conclude the following:

1. The SSH host name logged in to is abc.xxx.com.

2. The user name used when logging in is git.

3. The public key file used for authentication is ~/.ssh/abc.pub.
