
Detailed explanation of SSH-key and its use in Git

2025-01-16 update. From: SLTechnology News&Howtos (shulou), Network Security section


Shulou(Shulou.com)06/01 Report--

Before getting to Git, we first need to understand what SSH is and what an SSH key is.

SSH

Secure Shell (SSH) is a network protocol for exchanging data between two computers over a secured channel. Encryption provides confidentiality, and message authentication codes provide integrity. SSH uses public-key cryptography to authenticate the remote host to the client and, optionally, to authenticate the user to the remote host.

Traditional FTP and Telnet send data, user names and passwords across the network in clear text, which makes them easy prey for a man-in-the-middle.

SSH is today's standard protocol for securing remote login sessions and other network services. Using it prevents credential and data leakage during remote administration: all traffic is encrypted, and because the client verifies the server's host key, DNS spoofing and IP spoofing cannot silently redirect a session to an impostor (provided the user does not accept an unknown host key blindly).

SSH is only a protocol; its most widely used open source implementation is OpenSSH.

SSH server and client programs

OpenSSH (OpenBSD Secure Shell) is a suite of programs that provide encrypted communication sessions over a network using the SSH protocol.

To act as an SSH server you need to install the OpenSSH server (sshd).

For client use only, the ssh command is already present on practically every Linux system.

Common SSH client programs on Windows are:

PuTTY
PuTTY Tray (an enhanced build of PuTTY)
Bitvise SSH Client (feature-rich, free)
Xshell (several of its releases were found to be compromised in 2017)
SecureCRT (the author passes on this one)
Cmder (an open source console emulator that bundles Git for Windows and many Unix commands; see the author's Jianshu post "Cmder - ssh agent configuration" for how to use it)

SSH Key

The most visible effect of an SSH key pair is that you can log in to an SSH server without typing a password. Because the private key never leaves your machine (the client only proves possession of it by signing a challenge from the server), key pairs are considered more secure than passwords, which must be sent to the server and can be guessed or phished.

This works because SSH uses the SSH key for the key-based authentication described in the Wikipedia excerpt at the end of this article.

To use an SSH key:

Generate a key pair (public key and private key) on the client, then add your public key to the server's configuration. (For GitHub, for example, you paste your public key into your account settings.)

Generate a key pair

The ssh-keygen command generates, manages and converts authentication keys for ssh. It supports RSA, ECDSA and Ed25519 keys (and DSA keys, which are deprecated and disabled by default in current OpenSSH).

Options for this command:

-b: key length in bits
-e: read an OpenSSH private or public key file and export it in another format (RFC 4716 by default)
-C: add a comment
-f: the file name in which to store the key
-i: import an unencrypted SSH2-compatible private or public key file and print the OpenSSH-compatible key on standard output
-l: show the fingerprint of a public key file
-N: supply the new passphrase
-P: supply the old passphrase
-q: quiet mode
-t: the type of key to create

(The original text listed these as -I and -Q; the actual flags are lowercase -i and -q. In ssh-keygen, -Q tests whether keys have been revoked in a KRL.)

When generating the pair you are asked for a passphrase, which encrypts the private key on disk. If you set one, you must enter it whenever the private key is used. The author's habit is to leave it empty so there is nothing to forget; the safer choice is to set one and let ssh-agent cache the unlocked key (see the SSH agent section below), so you type it once per session rather than on every connection, and a copied private key file is useless to a thief without it. You can change the passphrase later with ssh-keygen -p.

Back up the private key after generating it. The -C option sets a comment on the key; people usually use their e-mail address so the key can be told apart from others.

The -b bits option specifies the number of bits in the key. For RSA keys the minimum is 1024 bits; the default was 2048 bits in the OpenSSH versions this article was written against (current versions default to 3072). 2048 bits is generally considered sufficient. DSA keys must be exactly 1024 bits, which is one reason they are deprecated. Ed25519 keys have a fixed size and ignore -b.

Example: for security reasons, use RSA and specify the key length with -b 2048 (1024-bit RSA no longer offers an adequate security margin; specify 2048 or 4096). On a current OpenSSH, ssh-keygen -t ed25519 is the simpler and stronger choice.

```
$ ssh-keygen -t rsa -C "your_email@example.com" -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/your_user_directory/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

# View the contents of the public key file
$ cat ~/.ssh/id_rsa.pub
ssh-rsa <public key content> your_email@example.com
```

At the first prompt, press Enter to accept the default path, or type a path such as /home/users/.ssh/filename if you need more than one key pair. At the passphrase prompts, enter a passphrase twice (the author leaves it empty by pressing Enter).

Note: when importing the public key elsewhere, paste the entire line of the public key file, including the comment (your e-mail) at the end. The comment is only a label, but the key type prefix and the base64 blob must arrive intact.

An example of a real run:

```
[fan 16:10:57] ~ $ ssh-keygen -t rsa -C "Fan@outlook.com" -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fan/.ssh/id_rsa): /home/fan/.ssh/FDGitHub_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fan/.ssh/FDGitHub_rsa.
Your public key has been saved in /home/fan/.ssh/FDGitHub_rsa.pub
The key fingerprint is:
SHA256:GcK7ORvFzH6fzA7qPmnzBr1DOWho5cCVgIpLkh7VGb8 Fan@outlook.com
The key's randomart image is:
(randomart image omitted; it did not survive extraction)
```

The public key is a long string of characters, so to make comparison by eye practical there is a fingerprint: a hash of the public key that is much shorter, easier to recognise and, because the hash is collision-resistant, effectively unique to that key.

Public key fingerprints come in two forms:

The older form is the MD5 hash written as colon-separated hexadecimal, for example 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48. The current form is a SHA256 hash encoded in base64, for example SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8. ssh-keygen -l prints the SHA256 form; ssh-keygen -l -E md5 prints the old one.

One use of fingerprints: when you connect to a host for the first time, SSH shows the fingerprint of the host's public key so that you can check it against the value the host's operator publishes before trusting it. Example:

```
The authenticity of host 'some hostname' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)?
```

Answering yes without checking is exactly the moment a man-in-the-middle can insert itself; compare the value with the published one first.
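To make the fingerprint relationship concrete, here is an added example (not code from the original article). It parses an OpenSSH public key line, checks that the key type in the text matches the type encoded inside the base64 blob (a mismatch means the line was mangled or tampered with while pasting), and computes both fingerprint forms described above: the SHA256 base64 form and the older MD5 colon-hex form. The sample key is a constructed Ed25519 public key with a dummy 32-byte value, not a real key; only the Python standard library is used.

```python
import base64
import hashlib
import struct


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: a big-endian uint32 length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[start:end], end


def parse_public_key_line(line: str):
    """Split '<type> <base64> [comment]' into (type, blob, remaining fields, comment).

    The blob's first wire string repeats the key type; it must equal the text
    prefix, otherwise the line was corrupted or edited after generation.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    encoded_type, offset = _read_string(blob, 0)
    if encoded_type.decode() != key_type:
        raise ValueError(f"type mismatch: text says {key_type}, blob says {encoded_type!r}")
    fields = []                      # RSA: e, n; Ed25519: the 32 raw bytes
    while offset < len(blob):
        field, offset = _read_string(blob, offset)
        fields.append(field)
    return key_type, blob, fields, comment


def fingerprint_sha256(blob: bytes) -> str:
    """Current ssh-keygen -l form: base64 of SHA-256 over the blob, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy ssh-keygen -l -E md5 form: colon-separated hex of MD5 over the blob."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def build_ed25519_line(raw_public: bytes, comment: str) -> str:
    """Construct a public key line from 32 raw bytes (sample input only, not a real key)."""
    blob = b"".join(struct.pack(">I", len(s)) + s for s in (b"ssh-ed25519", raw_public))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: a dummy 32-byte "public key", so the fingerprint is illustrative only.
SAMPLE_LINE = build_ed25519_line(bytes(range(32)), "your_email@example.com")

if __name__ == "__main__":
    key_type, blob, fields, comment = parse_public_key_line(SAMPLE_LINE)
    print(key_type, len(fields[0]), "bytes, comment:", comment)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
```

Feed it a real ~/.ssh/id_rsa.pub line instead of SAMPLE_LINE and the SHA256 value must equal what ssh-keygen -l -f ~/.ssh/id_rsa.pub prints; the same computation over a host's public key is what you compare against the fingerprint the service publishes at first connection.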

A brief analogy:

The public key is used to encrypt things for you. Think of it as a padlock that you hand out to others: once someone snaps it shut on a message, nobody but the holder of the matching key (the private key) can open it. The private key of the pair is that key. (In SSH authentication itself the private key is used to sign a challenge rather than to decrypt, but the trust relationship is the same: only the holder of the private key can answer.)

You must make sure that anyone who uses your public key can be certain it is really yours. You can publish the public key on a website or through other channels so that others can confirm it. Because the public key is long, the fingerprint (short and easy to recognise) is what is usually published and compared.

How to create several SSH keys without overwriting the default file

Instead of accepting the default path and file name, type your own path and file name at the prompt when you create the key.

Or use -f to specify the file name:

```
$ ssh-keygen -t rsa -C "your_secondemail@email.com" -f ~/.ssh/second-rsa
```

Using a non-default SSH key

With the OpenSSH client (the default on Linux) you configure this in the ~/.ssh/config file (create it if it does not exist; keep it readable only by you).

There are two situations.

1. Different SSH keys for the same user on different servers

(The same user may also reuse one key on several servers; a separate key per server merely limits the damage if one private key leaks.)

Using a non-default key pair path

For example, if the public key you pasted into GitLab is not the default key pair, then for your ssh client to talk to the GitLab server properly you must tell it which private key to use when the peer is the GitLab host.

Note: the IdentityFile line may also name the public key file; ssh then uses the matching private key, which must be loaded in ssh-agent.

Example:

```
# GitLab.com server
Host gitlab.com
  # If ssh reports: Unsupported option "rsaauthentication", comment out the next line
  RSAAuthentication yes
  IdentityFile ~/.ssh/private-key-filename-01

# Private GitLab server
Host gitlab.company.com
  RSAAuthentication yes
  IdentityFile ~/.ssh/private-key-filename
```

RSAAuthentication was an SSH protocol 1 option and was removed from OpenSSH together with protocol 1 support; on a current client simply leave it out.

For GitLab and similar services: an SSH public key uploaded to the server can belong to only one user, because the key is the identifier when you push over SSH and must map uniquely to an account. In other words, one public key can be used by only one account on a given server; you may, however, use the same key pair on different servers, or different key pairs on different servers.

GitHub with a non-default key pair:

```
Host github.com
  RSAAuthentication yes
  # the public key file can also be named here
  IdentityFile ~/.ssh/FDGitHub_rsa.pub
```

After configuring, test the connection with the following command:

```
# replace example.com with the host you configured
$ ssh -T git@example.com
# gitlab
$ ssh -T git@gitlab.com
# github
$ ssh -T git@github.com
# coding
$ ssh -T git@git.coding.net
# Gitee (Code Cloud)
$ ssh -T git@gitee.com
# bitbucket
$ ssh -T git@bitbucket.org
# add -v to see which keys are offered and why authentication fails
$ ssh -Tv git@example.com
```

If the test prints Unsupported option "rsaauthentication", either ignore it or comment out the RSAAuthentication yes line in the configuration file.

2. Configure multiple accounts

Different accounts on the same server. For example, if you have two accounts on coding, the author configures them in the config file like this:

```
# coding, first account
Host git.coding.net
  User your_email@example.com
  PreferredAuthentications publickey
  # default private key
  IdentityFile ~/.ssh/id_rsa

# second account
Host git.coding.net
  User youre_secondemail@example.com
  PreferredAuthentications publickey
  # the second private key generated above
  IdentityFile ~/.ssh/second_rsa
```

Caveat: the two blocks name the same host, so ssh applies both. For User the first value wins (and the git@ in the clone URL overrides it anyway), while IdentityFile accumulates, so both keys are offered and the account you land in is decided by whichever key the server accepts first. To choose an account deterministically, give each account its own Host alias with HostName git.coding.net and IdentitiesOnly yes, and use that alias in the remote URL.

SSH agent
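The pitfall in a two-account config is easiest to see by replaying the ssh_config matching rules. This is an added example, not from the article: a small Python resolver that applies the rule from ssh_config(5) that matching blocks are applied in file order, the first value obtained for an option wins, and IdentityFile accumulates. It is a simplification (Host patterns with wildcards only; no Match blocks, no negated patterns, no Key=value syntax). The alias names coding-first and coding-second, and both config texts, are constructed for the example.

```python
import fnmatch


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, [(option, value), ...]) blocks.

    Options that appear before any Host line apply to every destination, which
    is modelled here as an implicit leading 'Host *' block.
    """
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                       # option names are case-insensitive
        value = parts[1].strip() if len(parts) == 2 else ""
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def resolve(text, destination):
    """Return the effective options for `destination`, the name typed on the
    command line (matched before any HostName substitution, which is what makes
    aliases work). First value seen wins, except IdentityFile, which keeps every
    value in order, exactly as ssh_config(5) describes."""
    effective = {}
    dest = destination.lower()
    for patterns, options in parse_ssh_config(text):
        if not any(fnmatch.fnmatchcase(dest, p.lower()) for p in patterns):
            continue
        for key, value in options:
            if key == "identityfile":
                effective.setdefault("identityfile", []).append(value)
            else:
                effective.setdefault(key, value)
    return effective


# Constructed sample in the layout shown above: two blocks for the same host name.
SAME_HOST_TWICE = """
Host git.coding.net
  User your_email@example.com
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/id_rsa

Host git.coding.net
  User youre_secondemail@example.com
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/second_rsa
"""

# Constructed alternative: one alias per account (assumed alias names).
# Clone with git@coding-second:user/repo.git to use the second account.
ALIAS_PER_ACCOUNT = """
Host coding-first
  HostName git.coding.net
  User git
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_rsa

Host coding-second
  HostName git.coding.net
  User git
  IdentitiesOnly yes
  IdentityFile ~/.ssh/second_rsa
"""

if __name__ == "__main__":
    print("same host twice :", resolve(SAME_HOST_TWICE, "git.coding.net"))
    print("alias per account:", resolve(ALIAS_PER_ACCOUNT, "coding-second"))
```

Resolving git.coding.net against the first layout yields both IdentityFile entries and only the first User (which the git@ in the URL overrides regardless), so both keys are offered. Resolving the alias yields exactly one key, and IdentitiesOnly yes stops ssh from additionally offering every key in the agent.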

ssh-agent is the program that holds the private keys used for public key authentication. On Linux it is typically started at the beginning of an X session or login session, and every program started afterwards finds it through environment variables (SSH_AUTH_SOCK and SSH_AGENT_PID) and can use it to authenticate automatically when logging in to other machines over ssh.

In practice ssh-agent is a key manager. After starting ssh-agent, you hand your private keys to it with ssh-add. When another program needs to authenticate, it passes the signing request to ssh-agent, which completes the authentication without ever giving the private key to the program.

Also, if your private key is protected by a passphrase, you would otherwise have to type it every time you log in with that key. The agent caches the decrypted private key and supplies signatures to your SSH client on demand, so you enter the passphrase only once, when adding the key to the agent. This is a real convenience if you use SSH connections frequently, and it is what makes a passphrase-protected key practical.

There are several SSH agents to choose from; the commonly used ones are:

ssh-agent: the agent that ships with OpenSSH.
GnuPG agent: you may prefer gpg-agent to cache your private key as well (it can act as an SSH agent). Some users like entering a PIN in the GnuPG dialog, so letting gpg-agent manage passphrases is also a good choice.

Problems caused by the ssh agent

I have not run into any problems caused by ssh-agent on Linux. The problems below are the ones I hit when using ssh on Windows.

When trying to clone, push or pull with Git over the SSH protocol, if the server (GitHub, Bitbucket, ...) cannot authenticate you with the key that your SSH agent offers, you will see one of the following messages:

```
Permission denied (publickey)
No suitable response from remote
repository access denied
```

Possible causes:

Your public key has not been added to the server.

Your key is not loaded in the ssh agent. (If your SSH agent does not know it should offer a key for Bitbucket, the connection fails. This often happens after a reboot, because the agent starts empty.)

Solution:

```
# list the keys the agent currently holds
$ ssh-add -l
# if the key you need is missing, load the private key (several can be given at once)
$ ssh-add ~/.ssh/<private-key-file>
# if ssh-add prints "Could not open a connection to your authentication agent.",
# the agent is not running: start it, then run ssh-add again
# macOS/Linux
$ eval `ssh-agent`
# git-bash on Windows
$ eval $(ssh-agent)
```

One more thing to watch: do not run several ssh agents at the same time; each shell must point at the one that holds your keys. You can check for stray agents in Task Manager or with the ps command.

Why use SSH with GitHub/GitLab?

Using the SSH protocol, you can connect to and authenticate against remote servers and services. With SSH keys, you can connect to GitHub without supplying your user name or password on every visit.

Import the SSH key into GitHub/GitLab

Importing the SSH key is straightforward.

GitHub: click your avatar > Settings > SSH and GPG keys > New SSH key > paste the public key you generated (the simplest way is to open the public key file in a text editor and copy the whole line).

When accessing a remote repository you can choose either the SSH or the HTTPS protocol.

For example, to authenticate to a GitLab remote repository you can use ssh or https; the two URL forms are:

```
SSH    git@gitlab.com:faner/test01.git
HTTPS  https://gitlab.com/faner/test01.git
```

When you select HTTPS, GitLab shows the hint "Create a personal access token on your account to pull or push via Https", and the first time you push the local repository to the remote it asks for your GitLab user name and password (or token).

Lesson: because of a mistake in my ssh config file and ssh-agent not running, I got an error when I chose git@gitlab.com:faner/test01.git (I could not authenticate with ssh).

I then tried the https path https://gitlab.com/faner/test01.git, was asked for my password, and connected successfully.

So once you have set up an SSH key, use the SSH URL the next time you clone a repository. If you already have a repository cloned over HTTPS, you can change its remote URL to the SSH URL (git remote set-url origin <ssh-url>).

From the user's point of view: HTTPS requires you to enter the user name and password (or personal access token) of the remote, such as your GitLab account credentials; SSH needs neither.

Question: must the e-mail used to generate the SSH key be the same as the e-mail configured in local git?

No. The user name and e-mail configured in local git are what appear in the commit log on GitHub; the e-mail in the SSH key comment is only a label on the key and plays no part in commits.

Learning materials

The best way to learn about SSH is the entry on Wikipedia: Secure Shell - Wikipedia, the free encyclopedia.

Here is a partial quote:

Man-in-the-middle: another person or machine impersonates the real server to receive the data the user sends to the server, then impersonates the user to forward the data to the real server.

The SSH protocol framework consists of three main protocols:

Transport Layer Protocol: provides server authentication, data confidentiality and message integrity.
User Authentication Protocol: authenticates the client to the server.
Connection Protocol: multiplexes the encrypted tunnel into several logical channels for use by higher-level application protocols.

From the client's side, SSH offers two levels of security authentication:

The first level (password-based authentication): knowing the account and password lets you log in to the remote host, and all transmitted data is encrypted. However, another server could impersonate the real one, so a man-in-the-middle cannot be ruled out.
The second level (key-based authentication): relies on a key pair; you create one for yourself and place the public key on the server you need to access. The client software sends the server a request for authentication with your key. The server looks for your public key in your home directory and compares it with the one the client sent. If the two match, the server encrypts a challenge with the public key and sends it to the client software. This avoids the man-in-the-middle.

On the server side, SSH also provides security authentication:

In the first scheme, the host distributes its own public key to the clients concerned; the client encrypts data with the host's public key and the host decrypts it with its private key, so host-key authentication is achieved and data confidentiality ensured.
In the second scheme there is a certification authority: every host providing a service submits its public key to the authority, and any host acting as a client only needs to keep a copy of the authority's public key. In this mode the client must reach the certification authority before it can access the server host.

Must read: Secure Shell - Wikipedia, the free encyclopedia

For more, see: SSH keys (Arch Linux wiki, simplified Chinese)

Hands-on: Connecting to GitHub with SSH (GitHub docs)

GitLab SSH help

Configure SSH public key access to a code repository - CODING help center

Bitbucket lists many ssh-related problems and their solutions: Troubleshoot SSH issues - Atlassian Documentation

Several strongly recommended SSH articles:

Ruan Yifeng:

Principles and applications of SSH (1): remote login

Principles and applications of SSH (2): remote operations and port forwarding

Arch Linux wiki:

Secure Shell (simplified Chinese)

SSH keys (simplified Chinese)

From the author's Jianshu: faner
