
How to log in to linux using ssh public key

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

This article explains how to use an SSH public key to log in to Linux. It is quite detailed and should be a useful reference, so interested readers are encouraged to read it through.

When we use a Linux system, the usual SSH login method is a user name and password. Today we explore another, more secure login method: key login. SSH supports authentication with an RSA asymmetric key pair, so we can log in to SSH with an RSA key instead of a password. OpenSSH ships a tool for creating SSH keys, ssh-keygen.

Step 1: generate ssh public key pair

First, install OpenSSH if it is not installed yet; current Linux servers install the openssh packages by default. The key pair is generated on the management server (the machine you log in from):

[root@server ~]# ssh-keygen -b 1024 -t rsa
Generating public/private rsa key pair.                           # the rsa key pair is being generated
Enter file in which to save the key (/home/usrname/.ssh/id_dsa):  # asks where to store the public and private key; press Enter for the default
Enter passphrase (empty for no passphrase):                       # enter the private key passphrase
Enter same passphrase again:                                      # enter the passphrase again to confirm
Your identification has been saved in /home/usrname/.ssh/id_dsa.  # the private key has been stored in the .ssh directory
Your public key has been saved in /home/usrname/.ssh/id_dsa.pub.  # the public key has been stored in the .ssh directory
The key fingerprint is:
x6:68:xx:93:98:8x:87:95:7x:2x:4x:x9:81:xx:56:94 root@server       # the key fingerprint

A brief explanation: -b 1024 sets the key length to 1024; the maximum is 4096, and 1024 or 2048 is usually enough to meet security needs, since encryption and decryption take longer as the key grows. -t rsa creates an RSA public/private key pair. Besides rsa there is also dsa, and an RSA key must be at least 768 long. For more parameters, see man ssh-keygen.

While generating the key pair you are asked for a passphrase: Enter passphrase (empty for no passphrase). A passphrase is a phrase or sentence that you enter as the password; the system then derives the actual secret from it with an internal encryption or hashing algorithm, and that secret is used in the next authentication step. The advantage is stronger security that is harder to crack. In many articles I have read, this prompt is left empty, meaning no passphrase is used. Here I strongly urge you to enter one. Some will say that with a passphrase you still have to type it at login, so it is no more convenient than a user name and password. Please don't worry, and keep reading. Note: if you generate a key pair without a passphrase and your private key is lost, your trouble may be worse than losing your user name and password.

Step 2: copy your public key to the managed server

Copy the public key from your management server to the home directory of the user you want to log in as automatically on the managed server.

[root@server ~]# scp .ssh/id_dsa.pub remote_usrname@192.168.0.2:    # for example, to log in as user peter, use peter in place of remote_usrname

Renaming and permission setting

Log in to the managed server and go to the home directory of the user who needs remote login. Place the public key in the .ssh directory of that home directory (if the directory does not exist, create ~/.ssh and set its permissions to 700), rename the public key to authorized_keys2, and set its permissions to 600.

[peter@client ~]$ ls
id_rsa.pub
[peter@client ~]$ mkdir ~/.ssh        # create the directory if the user's home has no .ssh directory yet
[peter@client ~]$ chmod 700 ~/.ssh
[peter@client ~]$ mv id_rsa.pub ~/.ssh
[peter@client ~]$ cd ~/.ssh
[peter@client ~]$ cat id_rsa.pub >> authorized_keys2
[peter@client ~]$ rm -f id_rsa.pub
[peter@client ~]$ chmod 600 authorized_keys2
[peter@client ~]$ ls -l
total 4
-rw------- 1 peter peter 225 Oct 10 11:28 authorized_keys2

Test remote login using key pairs

[root@server ~]# ssh peter@192.168.0.2
Enter passphrase for key '/root/.ssh/id_rsa':    # enter the passphrase you just set
Last login: Sun Oct 10 11:32:14 2010 from 192.168.0.1
[peter@client ~]$

If you cannot log in, re-check the permissions of authorized_keys2 (and of the ~/.ssh directory).
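The public-key installation and the permission check from the steps above, as an added example that is not part of the original article: install_pubkey appends a key to the user's key file with the modes the article requires (~/.ssh 700, key file 600), and check_key_perms is the re-check suggested when login fails. The home directory and the file name (the article uses authorized_keys2) are parameters, so the functions can be run against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original article): install a public key with the
# permissions the article requires and verify them, since wrong modes are the
# usual reason sshd silently refuses a key.

# install_pubkey HOME_DIR PUBKEY_FILE [AUTHKEYS_NAME]
# Appends the key to $HOME_DIR/.ssh/<name> (default authorized_keys), skipping a
# key that is already listed, then fixes the directory and file modes.
install_pubkey() {
    home_dir=$1; pubkey=$2; name=${3:-authorized_keys}
    sshdir="$home_dir/.ssh"; authkeys="$sshdir/$name"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authkeys" && chmod 600 "$authkeys" || return 1
    # Field 2 of an OpenSSH public key line is the key material itself.
    keyblob=$(awk 'NF >= 2 { print $2; exit }' "$pubkey")
    [ -n "$keyblob" ] || { echo "no key found in $pubkey" >&2; return 1; }
    if ! grep -q -F "$keyblob" "$authkeys"; then
        cat "$pubkey" >> "$authkeys"
    fi
}

# mode_of PATH: octal permission bits, with GNU stat first and BSD stat as fallback.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null
}

# check_key_perms HOME_DIR [AUTHKEYS_NAME]
# Returns 0 when .ssh is mode 700 and the key file is mode 600; otherwise
# reports each wrong (or missing) path on stderr and returns 1.
check_key_perms() {
    home_dir=$1; name=${2:-authorized_keys}
    sshdir="$home_dir/.ssh"; authkeys="$sshdir/$name"
    rc=0
    [ "$(mode_of "$sshdir")" = 700 ] || { echo "$sshdir should be mode 700" >&2; rc=1; }
    [ "$(mode_of "$authkeys")" = 600 ] || { echo "$authkeys should be mode 600" >&2; rc=1; }
    return $rc
}
```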

Use ssh-agent (the SSH agent) to supply the passphrase automatically

Remember your passphrase. Now you can log in to your server with your key instead of your password, but it still doesn't save you much trouble: you still have to enter the key's passphrase. Is there an easier way? The answer is to use the SSH agent (ssh-agent), a program that remembers the passphrase for you. ssh-agent is the agent included with OpenSSH by default.

Log in to the management server

[root@server ~]# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2148; export SSH_AGENT_PID;
echo Agent pid 2148

When you run ssh-agent, it prints the environment variables it uses. There are two ways to set them in your session: declare the environment variables manually, or run the eval command so they are declared automatically.

Method 1: declare environment variables manually

[root@server ~]# SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147; export SSH_AUTH_SOCK;
[root@server ~]# SSH_AGENT_PID=2148; export SSH_AGENT_PID;
[root@server ~]# printenv | grep SSH    # check that the ssh variables are now in the current session's environment
SSH_AGENT_PID=2148
SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147

Method 2: run the eval command to declare environment variables automatically

[root@server ~]# eval `ssh-agent`
Agent pid 2157
[root@server ~]# printenv | grep SSH    # check that the ssh variables are now in the current session's environment
SSH_AGENT_PID=2148
SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147

ssh-agent is now running, but it is empty: it holds no private key for decryption. We need to tell it that we have a private key and where it is, by adding the private key to the ssh-agent cache with the ssh-add command.

[root@server ~]# ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/user/.ssh/id_dsa:    # enter your passphrase
Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
[root@server ~]# ssh-add -l    # list the keys cached by the ssh agent
1024 72:78:5e:6b:16:fd:f2:8c:81:b1:18:e6:9f:77:6e:be /root/.ssh/id_rsa (RSA)

Enter the passphrase once. Now you can log in to your remote server without entering the passphrase again, and your private key remains passphrase-protected.

[root@server ~]# ssh peter@192.168.0.2
Last login: Sun Oct 10 11:32:45 2010 from 192.168.0.1
[peter@client ~]$

After you have finished with the server, remember to turn off ssh-agent; otherwise others with access to your session can use the cached key to log in remotely.

[root@server ~]# ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 2148 killed;
[root@server ~]# ssh-add -l    # confirm that the cache holds no key
The agent has no identities.
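The agent steps above, as an added example that is not from the original article: agent_sock_and_pid extracts the two variables from the text ssh-agent prints (what method 1 does by hand, without eval), and with_agent runs one command under a temporary agent that is always killed afterwards, even when the command fails, so the cleanup the article asks you to remember cannot be forgotten. It assumes OpenSSH's ssh-agent and ssh-add are on the PATH; the sample agent output in the test is taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): parse ssh-agent's output and
# run a command under a short-lived agent that is killed on exit.

# agent_sock_and_pid AGENT_OUTPUT
# Prints "<socket> <pid>" extracted from ssh-agent's Bourne-shell style output
# (the lines "SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK;" and
# "SSH_AGENT_PID=...; export SSH_AGENT_PID;"). Returns 1 if either is missing.
agent_sock_and_pid() {
    sock=$(printf '%s\n' "$1" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p')
    pid=$(printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p')
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    printf '%s %s\n' "$sock" "$pid"
}

# with_agent PRIVATE_KEY COMMAND [ARGS...]
# Starts an agent, loads the key (ssh-add prompts for its passphrase once),
# runs the command, and kills the agent afterwards. Everything happens in a
# subshell so the exported variables and the EXIT trap do not leak into the
# caller's session.
with_agent() {
    key=$1; shift
    (
        out=$(ssh-agent -s) || exit 1          # -s forces Bourne-shell style output
        vals=$(agent_sock_and_pid "$out") || exit 1
        SSH_AUTH_SOCK=${vals% *}; SSH_AGENT_PID=${vals#* }
        export SSH_AUTH_SOCK SSH_AGENT_PID
        # The trap runs ssh-agent -k whether the command succeeds or not, which is
        # the same cleanup the article does by hand at the end of the session.
        trap 'ssh-agent -k >/dev/null 2>&1' EXIT
        ssh-add "$key" || exit 1
        "$@"
    )
}
```

Usage inside a script: with_agent ~/.ssh/id_dsa ssh peter@192.168.0.2 uptime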

Of course, if you manage many servers (tens of them or more), uploading the public keys for the first time may be tiring work, but afterwards you will enjoy the convenience of automatic public-key login in your maintenance work.
