Configure the trust relationship between two Linux hosts (and how to release it)

  An ssh trust relationship between hosts, in simple terms, means that no password is required when one host logs in to the other with the ssh command.

  1. Configure the trust relationship between the hosts. Host A (47.100.247.242) is the trusted host and host B (101.132.242.27) is the remote host. Configure host A to log in to host B without a password. The main steps are as follows:

  1. Generate the private key and public key (id_rsa and id_rsa.pub) on host A
[testuser@cloudgw ~]$ pwd
/home/testuser
[testuser@cloudgw ~]$ ssh-keygen -t rsa

  After entering the command, press Enter at each prompt to accept the defaults.

  2. Add the private key to the ssh agent on host A
[testuser@cloudgw ~]$ cd .ssh/
[testuser@cloudgw .ssh]$ ssh-add id_rsa
Identity added: id_rsa (id_rsa)

  Note: If it prints "Could not open a connection to your authentication agent", start an agent in the terminal and add the key again:

[testuser@cloudgw .ssh]$ ssh-agent bash
[testuser@cloudgw .ssh]$ ssh-add id_rsa
  3. Copy the public key id_rsa.pub from host A to the .ssh directory of host B
[testuser@cloudgw .ssh]$ scp id_rsa.pub 101.132.242.27:~/.ssh/
  4. Run a command remotely from host A to generate the authentication file on host B
[testuser@cloudgw .ssh]$ ssh 101.132.242.27 'cat .ssh/id_rsa.pub >> .ssh/authorized_keys'

  Note: When the login user names on the two hosts are the same, the ssh command can omit the user name. To log in as a different user, simply specify that user name, that is, ssh <username>@101.132.242.27.

  5. Log in to host B and change authorized_keys so that only the current user has read and write permissions
[testuser@iZuf6crxor2b7uwzq9sutyZ ~]$ pwd
/home/testuser
[testuser@iZuf6crxor2b7uwzq9sutyZ ~]$ cd .ssh/
[testuser@iZuf6crxor2b7uwzq9sutyZ .ssh]$ ls
authorized_keys  id_rsa.pub  known_hosts
[testuser@iZuf6crxor2b7uwzq9sutyZ .ssh]$ chmod 600 authorized_keys

  After the above steps are complete, host A can log in to host B without a password. If you want hosts A and B to log in to each other without a password, configure host B in the same way.

  Extension: If host A needs to log in to several hosts without a password, repeat steps 3-5 above for each host, or generate the authentication file on host A, set its permissions, and then scp it to the other servers.
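  Steps 3-5 and the extension above amount to appending a public key to the target user's authorized_keys and fixing the permissions. The bash script below is an added example (not code from the original article) that does this on a local directory and can be re-run safely: repeating "cat id_rsa.pub >> authorized_keys" adds a duplicate line each time, while this checks for the key first. The demo directory and key lines are constructed; on a real host B the directory would be "$HOME/.ssh".

```bash
#!/usr/bin/env bash
# Added example: idempotent local version of steps 3-5 (install a public key
# into authorized_keys, then fix permissions) plus a permission audit.
# Not from the original article; the demo directory and key line are constructed.
set -u

# Usage: install_authorized_key <pubkey-file> <ssh-dir>
# Returns 0 if the key was appended, 1 if it is already present, 2 if the
# key file is unusable. Matching is done on "<type> <base64 blob>" only, so a
# key that differs just in its trailing comment is still treated as present.
install_authorized_key() {
    local pubkey_file="$1" ssh_dir="$2" auth="$2/authorized_keys"
    local line="" keytype="" blob=""
    read -r line < "$pubkey_file" || true       # read fails if no trailing newline
    read -r keytype blob _ <<< "$line"
    [ -n "$keytype" ] && [ -n "$blob" ] || return 2
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"  # the modes step 5 relies on
    touch "$auth" && chmod 600 "$auth"
    grep -qsF -- "$keytype $blob" "$auth" && return 1
    printf '%s\n' "$line" >> "$auth"             # always exactly one newline
}

# Usage: audit_ssh_perms <ssh-dir>
# Prints each mode that differs from what step 5 sets (700 dir, 600 file) and
# returns 0 only when both are right. sshd's StrictModes rejects keys in a
# group- or world-writable directory or file, so this is the check to run
# when password-free login suddenly stops working.
audit_ssh_perms() {
    local ssh_dir="$1" bad=0 mode
    mode=$(stat -c %a "$ssh_dir") || return 1
    [ "$mode" = 700 ] || { echo "$ssh_dir: mode $mode, want 700"; bad=1; }
    mode=$(stat -c %a "$ssh_dir/authorized_keys") || return 1
    [ "$mode" = 600 ] || { echo "$ssh_dir/authorized_keys: mode $mode, want 600"; bad=1; }
    return "$bad"
}

# Demo on a throwaway directory with a constructed (not real) key line.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedKeyMaterial testuser@cloudgw\n' \
    > "$demo_dir/id_rsa.pub"
install_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/.ssh" && echo "key added"
install_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/.ssh" || echo "key already present (rc=$?)"
audit_ssh_perms "$demo_dir/.ssh" && echo "permissions OK"
rm -rf "$demo_dir"
```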

  2. How to release the trust relationship between two hosts? The operation is very simple; there is no need to delete the key pair. On host A:

[testuser@cloudgw ~]$ cd ~/.ssh
[testuser@cloudgw ~]$ vi known_hosts

  Just delete the line for host B in known_hosts.

  3. Principle

  • Generate public key and private key on host A.
  • Copy the public key to host B.
  • Host A sends a connection request to Host B.
  • After host B receives host A's request, it looks up authorized_keys. If a matching entry (user name and IP) is found, it generates a random string, encrypts it with host A's public key, and sends it to host A.
  • After receiving the message from host B, host A decrypts it with its private key and sends the decrypted string back to host B. Host B compares the received string with the one it generated; if they match, password-free login is allowed.

  In short: if A wants to log in to B without a password, B must first have A's public key, and B then performs an encryption-based verification. With asymmetric encryption, ciphertext encrypted with the public key cannot be decrypted with the public key; it can only be decrypted with the private key.

Origin blog.csdn.net/piaoranyuji/article/details/109743588