2025-04-06 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
1 What is SSH
Quoting Baidu Encyclopedia:
SSH is an acronym for Secure Shell and was developed by the IETF's Network Working Group. It is a security protocol based on the application layer.
SSH is currently a reliable protocol designed to provide security for remote login sessions and other network services. The use of SSH protocol can effectively prevent information leakage in the process of remote management.
SSH was originally a program on the UNIX system, and then rapidly expanded to other operating platforms.
To secure communication between different platforms and network hosts, we often have to authenticate through SSH. There are two main SSH authentication methods:
① Password-based authentication: a user name and password are entered at every login. Because the password is transmitted over the network, there may be a risk of a man-in-the-middle attack.
② Key-based authentication: once configured, it allows passwordless login and is more secure, because no password needs to be passed over the network; only a one-time transfer of the public key is needed. The SSH mode commonly used with git authenticates through the public key.
2 Configure SSH passwordless login
Description: the server operating system used in this demonstration is CentOS 7. Our goal is:
Server A (172.16.22.131) can log in to server B (172.16.22.132) without a password.
Note: the SSH setup is one-way: A can log in to B without a password, but B cannot log in to A without a password.
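2.1 Install the necessary software
Before starting, make sure the required software is installed.
Here we need ssh-keygen and ssh-copy-id, installed as follows. On CentOS 7 ssh-keygen is part of the openssh package and ssh-copy-id is part of openssh-clients, so yum finds no package under the tool names, as the output shows: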
    # To install ssh-keygen, the server must be able to reach the Internet. The blogger already has it installed here, so nothing was done.
    [root@localhost ~]# yum install -y ssh-keygen
    Loaded plugins: fastestmirror, langpacks
    base    | 3.6kB 00:00:00
    epel    | 3.6kB 00:00:00
    extras  | 2.9kB 00:00:00
    updates | 2.9kB 00:00:00
    Loading mirror speeds from cached hostfile
    No package ssh-keygen available.
    Error: Nothing to do
    # install ssh-copy-id
    [root@localhost ~]# yum install -y ssh-copy-id
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
    No package ssh-copy-id available.
    Error: Nothing to do
2.2 ssh-keygen creates a public-private key pair
(1) Generate an RSA key in the specified directory, with the comment "shoufeng". Example:
    [root@localhost ~]# ssh-keygen -t rsa -f ~/.ssh/id_rsa -C "shoufeng"
    #                   ~key type  ~key file path and name  ~comment
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):   # enter a passphrase, or just press Enter for none
    Enter same passphrase again:                  # confirm the passphrase, or just press Enter for none
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    9a:e3:94:b9:69:c8:e9:68:4b:dc:fa:43:25:7f:53:f1 shoufeng
    The key's randomart image is:
    +--[ RSA 2048]----+
    (randomart image)
    +-----------------+
Note: the file name of the key must be id_xxx, where xxx is the key type specified by the -t parameter. For example, if the key type is rsa, the key file name must be id_rsa.
(2) Common ssh-keygen parameters:
-t: key type; one of dsa | ecdsa | ed25519 | rsa.
-f: key file location. The default is the hidden .ssh directory under the current user's home directory, that is, ~/.ssh/, and the default key file name starts with id_rsa. For the root user this is /root/.ssh/id_rsa; for other users it is /home/username/.ssh/id_rsa.
-C: comment for this key. Recommended when you need to configure several passwordless logins.
-N: passphrase for this key pair. When this parameter is given, the interactive passphrase prompts do not appear while the command runs.
Example: if the location, passphrase and comment are all specified, the key is created without pressing Enter at any prompt:
    ssh-keygen -t rsa -f ~/.ssh/id_rsa -N shoufeng -C shoufeng
(3) Go to the ~/.ssh/ directory to view the generated files:
    # the generated files begin with test_rsa: test_rsa is the private key and test_rsa.pub is the public key:
    [root@localhost .ssh]# ls
    test_rsa  test_rsa.pub
    # view the public key file with the cat command:
    [root@localhost .ssh]# cat id_rsa.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2JpLMqgeg9jB9ZztOCw0WMS8hdVpFxthqG1vOQTOji/cp0+8RUZl3P6NtzqfHbs0iTcY0ypIJGgx4eXyipfLvilV2bSxRINCVV73VnydVYl5gLHsrgOx+372Wovlanq7Mxq06qAONjuRD0c64xqdJFKb1OvS/nyKaOr9D8yq/FxfwKqK7TzJM0cVBAG7+YR8lc9tJTCypmNXNngiSlipzjBcnfT+5VtcFSENfuJd60dmZDzrQTxGFSS2J34CuczTQSsItmYF3DyhqmrXL+cJ2vjZWVZRU6IY7BpqJFWwfYY9m8KaL0PZ+JJuaU7ESVBXf6HJcQhYPp2bTUyff+vdV shoufeng
    # the comment shoufeng is visible at the end
2.3 ssh-copy-id sends A's public key to B
The default usage is ssh-copy-id root@172.16.22.132; by default the ssh-copy-id command connects to the remote server on port 22. You can also specify the file, the remote host's IP, the user and the port:
    # specify the local file to copy, plus the remote host's IP, user name and port number:
    [root@localhost .ssh]# ssh-copy-id -i ~/.ssh/id_rsa.pub -p 22 root@172.16.22.132
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@172.16.22.132's password:   # after the password is entered, the public key is copied over
    Number of key(s) added: 1
    Now try logging into the machine, with:   "ssh -p '22' 'root@172.16.22.132'"
    and check to make sure that only the key(s) you wanted were added.
2.4 Log in to server B from server A without a password
    [root@localhost .ssh]# ssh root@172.16.22.132
    Last login: Fri Jun 14 08:46:04 2019 from 192.168.34.16
    # login successful 😄
3 Extension notes
3.1 Send the public key file in other ways
Step 2.3 above sends the public key file with the ssh-copy-id tool. It can also be done in other ways:
(1) Send A's public key file to B:
Send server A's public key file to the user's directory on server B with the scp command. Because passwordless login is not yet configured, you must enter the password of the corresponding user on server B:
    [root@localhost .ssh]# scp id_rsa.pub root@172.16.22.132:/root/.ssh
    root@172.16.22.132's password:
    id_rsa.pub                 100%  390     0.4KB/s   00:00
(2) Create an authorized_keys file on B:
    [root@localhost .ssh]# cd /root/.ssh/
    [root@localhost .ssh]# ls
    id_rsa.pub
    # generate the "authorized_keys" file from server A's public key:
    [root@localhost .ssh]# cat id_rsa.pub >> authorized_keys
    [root@localhost .ssh]# cat authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2JpLMqgeg9jB9ZztOCw0WMS8hdVpFxthqG1vOQTOji/cp0+8RUZl3P6NtzqfHbs0iTcY0ypIJGgx4eXyipfLvilV2bSxRINCVV73VnydVYl5gLHsrgOx+372Wovlanq7Mxq06qAONjuRD0c64xqdJFKb1OvS/nyKaOr9D8yq/FxfwKqK7TzJM0cVBAG7+YR8lc9tJTCypmNXNngiSlipzjBcnfT+5VtcFSENfuJd60dmZDzrQTxGFSS2J34CuczTQSsItmYF3DyhqmrXL+cJ2vjZWVZRU6IY7BpqJFWwfYY9m8KaL0PZ+JJuaU7ESVBXf6HJcQhYPp2bTUyff+vdV shoufeng
Note: use >> to append in the redirection above; do not use >, which would wipe the existing content.
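An added example, not part of the original article: the manual steps of 3.1 as a shell function that appends with >>, refuses a key line that was wrapped or carries carriage returns, and skips a key that is already present. The name install_pubkey, its arguments and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# install_pubkey PUBKEY_FILE SSH_DIR   (illustrative name and arguments)
#   returns 0 = key appended, 2 = key already present, 1 = input rejected
install_pubkey() {
    pub=$1
    sshdir=$2
    auth=$sshdir/authorized_keys
    cr=$(printf '\r')

    # A public key is exactly one line: "<type> <base64> [comment]".
    # Reject a file that was wrapped onto several lines or picked up
    # carriage returns while being copied, instead of appending it.
    [ -f "$pub" ] || return 1
    [ "$(wc -l < "$pub")" -le 1 ] || return 1
    IFS= read -r line < "$pub" || [ -n "$line" ] || return 1
    case $line in *"$cr"*) return 1 ;; esac
    printf '%s\n' "$line" | grep -Eq \
        '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$' \
        || return 1

    # Create the directory and the file with owner-only access if missing.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Compare on "<type> <base64>" only, so the same key with a different
    # comment is not added a second time.
    key=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    if grep -qF -- "$key" "$auth"; then
        return 2
    fi

    # If the file does not end in a newline, add one so the new key is not
    # glued onto the previous entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi

    # Append with >>; a single > would wipe the keys already authorized.
    printf '%s\n' "$line" >> "$auth"
}
```

On server B this would be called as install_pubkey id_rsa.pub /root/.ssh after the scp step.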
3.2 File permissions
For the private key and public key files to work for authentication, their permissions must be correct:
① For the .ssh directory and the public and private key files inside it, the current user must have at least execute permission, and other users may have at most execute permission.
② Do not set 777 permissions: overly broad permissions are insecure, and digital signatures do not support this permission policy.
③ For ordinary users, 600 permissions are recommended: chmod 600 authorized_keys id_rsa id_rsa.pub
④ For root users, 644 permissions are recommended: chmod 644 authorized_keys id_rsa id_rsa.pub
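An added example, not part of the original article, that checks a .ssh directory against the rules OpenSSH itself enforces: sshd with StrictModes (the default) does not accept authorized_keys when the file or the .ssh directory is writable by group or others, and the ssh client refuses a private key file that group or others can access at all. The names audit_ssh_dir and perm_bits are chosen for this example, and GNU stat is assumed, as on CentOS 7.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU stat (stat -c).
# Prints one line per problem; returns 0 when the directory is clean, 1 otherwise.

# perm_bits FILE MASK -> prints, in octal, the permission bits of FILE inside MASK
perm_bits() {
    printf '%o' $(( 0$(stat -c '%a' "$1") & $2 ))
}

audit_ssh_dir() {
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    # sshd with StrictModes ignores authorized_keys when ~/.ssh or the file
    # itself is writable by group or others (mask 022).
    if [ "$(perm_bits "$dir" 022)" != 0 ]; then
        echo "FAIL $dir: directory writable by group/others"; bad=1
    fi
    if [ -f "$dir/authorized_keys" ] &&
       [ "$(perm_bits "$dir/authorized_keys" 022)" != 0 ]; then
        echo "FAIL $dir/authorized_keys: writable by group/others"; bad=1
    fi

    # The ssh client refuses a private key that group or others can access
    # at all (mask 077). Private keys are recognised by their PEM header,
    # so names such as test_rsa are covered as well as id_rsa.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" 2>/dev/null |
               grep -q -e '-----BEGIN .*PRIVATE KEY-----' &&
           [ "$(perm_bits "$f" 077)" != 0 ]; then
            echo "FAIL $f: private key accessible to group/others"; bad=1
        fi
    done
    return "$bad"
}
```

Run it as audit_ssh_dir ~/.ssh on both servers; a private key left at mode 644 is reported here and is also rejected by ssh at login time.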
3.3 Editing and viewing files
In a Linux environment, if you want to view and copy the private key, public key, authorized_keys and similar files, do not open them in an editor such as vim, because that introduces unnecessary carriage returns. Instead, print the content to the terminal with a viewing command such as cat, more or less, and then view and copy it.
Summary
The above is the basic usage of "ssh-keygen" for configuring SSH passwordless login on Linux, as introduced by the editor. I hope it is helpful to you. If you have any questions, please leave me a message and the editor will reply in time. Thank you very much for your support of the website!