2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
[original post] http://weblog.kreny.com/archives/2005/10/rsadsa_authenti.html [author]: kreny
I have always wanted to change the SSH authentication mode of my server from username/password mode to the RSA and DSA authentication protocols. With the release of OpenSSH 4.2, I wrote up the configuration process today and collected some reference articles about RSA and DSA.
Train of thought:
I had never really understood the authentication process in public-key mode, so here is a summary of how the public and private keys are generated and where they are placed. The following uses a server (Server) and a PC as examples.
First of all, the public and private keys are not generated on the server. Because many articles about the RSA and DSA authentication protocols use Linux servers as their examples, they naturally use commands such as ssh-keygen -t rsa, which made me mistakenly think that I had to create the public and private keys on the Linux server first. The correct placement is:
When connecting to Server from the PC, the PC keeps the pair of public and private keys (which can be generated using tools such as PenguiNet), and only the generated public key is transferred to Server. On Server, the public key is usually placed in the file ~/.ssh/authorized_keys. The setting for this file can be found in /etc/ssh/sshd_config:
AuthorizedKeysFile .ssh/authorized_keys
When connecting from one Linux Client Server to another Linux Server, we should generate a pair of keys on the Linux Client Server (the defaults are id_rsa and id_rsa.pub for RSA) and save them in ~/.ssh/. This setting can be set in /etc/sshd/ssh_config:
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
RSA/DSA authentication installation process (taking the user tenten as an example):
(The following was tested successfully under the latest OpenSSH 4.2 and failed under OpenSSH_3.9p1!)
[root@domain ~]$ su - tenten
[tenten@domain]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tenten/.ssh/id_rsa): [Enter]
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tenten/.ssh/id_rsa.
Your public key has been saved in /home/tenten/.ssh/id_rsa.pub.
The key fingerprint is:
C7:93:83:c4:24:30:56:90:37:a0:eb:a7:5d:4c:8d:ea:1a: tenten@example.com
or:
[tenten@kdx]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/tenten/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tenten/.ssh/id_dsa.
Your public key has been saved in /home/tenten/.ssh/id_dsa.pub.
The key fingerprint is:
A2:be:16:2e:66:e4:69:68:a0:eb:a7:5d:4c:8d:ea:1a:da:54:35:55:32:8e:e2 tenten@example.com
View the generated files:
[tenten@kdx ~]$ ls /home/tenten/.ssh/ -la
total 28
drwx------ 2 tenten tenten 4096 Oct 11 16:09 .
drwx------ 3 tenten tenten 4096 Oct 9 16:50 ..
-rw------- 1 tenten tenten 736 Oct 11 16:09 id_dsa
-rw-r--r-- 1 tenten tenten 612 Oct 11 16:09 id_dsa.pub
-rw------- 1 tenten tenten 951 Oct 11 16:03 id_rsa
-rw-r--r-- 1 tenten tenten 232 Oct 11 16:03 id_rsa.pub
-rw-r--r-- 1 tenten tenten 667 Oct 9 16:48 known_hosts
Edit the sshd_config file to disable password authentication:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
Because the sshd_config file contains the following setting:
# AuthorizedKeysFile .ssh/authorized_keys
we need to rename the public key to authorized_keys.
[root@domain .ssh]# mv id_dsa.pub authorized_keys
So in the end, the content of the ~/.ssh/ directory on the server is (note that the permission of authorized_keys is 644):
[tenten@domain .ssh]$ ls -la
total 12
drwx------ 2 tenten tenten 4096 Oct 11 19:57 .
drwx------ 3 tenten tenten 4096 Oct 11 18:50 ..
-rw-r--r-- 1 tenten tenten 232 Oct 11 19:46 authorized_keys
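A check for the end state described above, as an added example that is not part of the original post: it flags a missing or misnamed authorized_keys, permissions that sshd's StrictModes rejects, DSA entries, and private keys readable by others. The function name audit_ssh_dir and the sample key line are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit a .ssh directory after
# the procedure above. Prints one line per finding; exit status 0 = clean.
audit_ssh_dir() (
    dir=$1; findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }
    # Permission bits as shown by ls -l, without the file-type character.
    bits() { ls -ld "$1" | cut -c2-10; }
    loose() { case $(bits "$1") in ????w????|???????w?) return 0;; esac; return 1; }

    # With StrictModes (the sshd default) a group/world-writable directory
    # or key file makes sshd ignore authorized_keys.
    loose "$dir" && note "$dir is group/world-writable"

    ak=$dir/authorized_keys
    if [ -f "$ak" ]; then
        loose "$ak" && note "$ak is group/world-writable"
        # ssh-dss (DSA) user keys are refused by default since OpenSSH 7.0.
        grep -q '^ssh-dss ' "$ak" && note "$ak contains a DSA (ssh-dss) key"
    else
        note "$ak missing: sshd reads only the name set in AuthorizedKeysFile"
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            authorized_keys|known_hosts|*.pub) ;;
            auth*key*) note "${f##*/} looks like a misspelled authorized_keys" ;;
        esac
        # A private key must be accessible to its owner only (mode 600).
        if grep -q 'PRIVATE KEY-----' "$f"; then
            case $(bits "$f") in ???------) ;; *) note "$f: private key not 600" ;; esac
        fi
    done
    [ "$findings" -eq 0 ]
)

# Constructed demo: a misspelled file name first, then the corrected state.
demo=$(mktemp -d) && chmod 700 "$demo"
echo 'ssh-rsa AAAAB3NzaC1yc2E...constructed tenten@example.com' > "$demo/autherized_keys"
audit_ssh_dir "$demo" || echo "-> key login would fail"
mv "$demo/autherized_keys" "$demo/authorized_keys" && chmod 644 "$demo/authorized_keys"
audit_ssh_dir "$demo" && echo "-> clean"
rm -rf "$demo"
```

Mode 644 on authorized_keys passes the check because StrictModes objects only to write access by group or others.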
Extension:
At the end of installing OpenSSH, after entering the make install command, you will find that public/private keys are generated at the end:
Generating public/private rsa1 key pair.
Your identification has been saved in /usr/local/etc/ssh_host_key.
Your public key has been saved in /usr/local/etc/ssh_host_key.pub.
The key fingerprint is:
22:67:00:5f:82:87:ab:22:e7:8e:cd:bb:d2:07:98:57 root@example.com
Generating public/private dsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
The key fingerprint is:
17:6c:d8:6f:31:db:bd:3c:66:81:86:12:13:a4:33:a3 root@example.com
Generating public/private rsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
27:0e:16:41:f8:96:ed:93:b6:a8:61:74:fe:87:e2:91 root@example.com
/usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config
Reference documentation:
Zhang Microwave: The perfect use of keys for SSH and SecureCRT under Linux
Daniel Robbins: Common threads: OpenSSH key management, Part 1
OpenSSH's RSA and DSA authentication protocols are based on a pair of specially generated keys called private keys and public keys, respectively. The advantage of using these key-based authentication systems is that in many cases, it is possible to establish a secure connection without manually entering a password.