ssh: ssh-agent, ssh-add

The recommended way to log in over ssh is with a private key. However, if a passphrase is set when the private key is generated, entering that passphrase every time you log in is also tedious. ssh-agent can manage the private key for you: it loads the decrypted key into memory, after which you no longer need to enter the passphrase.

Problems solved by ssh-agent

When our host has multiple key pairs (for example, the root user generates one public/private key pair and the hmk user generates another), and we connect to several different hosts where the authenticating user may differ, we have to specify manually which key to use. Once the number of machines grows, this becomes very cumbersome; ssh-agent can manage these key pairs for us.
When we have added a passphrase to the private key and chosen key-based authentication, ssh-agent saves us the tedious step of entering the passphrase on every connection.

ssh-agent agent

The principle of ssh-agent is shown in the figure below:
[figure omitted]
User Bob uses ssh-agent to manage his private keys. ssh-agent starts a process that keeps these private keys in memory. On each login, the ssh client asks ssh-agent whether it holds a private key for the target host; if so, the ssh client can log in to the target host directly, without the user entering the passphrase again.

The operation steps are as follows:

1. Start ssh-agent with ssh-agent bash, or with eval `ssh-agent` (the backquote here is the shell's command substitution character).

2. Add a private key to ssh-agent with ssh-add Identity_Linux. Identity_Linux here is my private key file.

After adding, you can use ssh-add -l to list the keys the agent holds.

[screenshot omitted]
In the first command of the screenshot, the direct login failed because the server is configured to accept only key authentication. If the private key is not in the ssh client's default location, or does not have the default name, you need to specify the private key file with the -i option. When adding the private key to the agent, you must enter the private key's passphrase once. After that, you can log in without specifying the private key or entering the passphrase.

ssh-agent principle

The ssh-add command does not permanently remember the private key you use. Its only function is to add the private key you specify to a session managed by ssh-agent. ssh-agent is a temporary session service that stores private keys, which means that when you reboot, the ssh-agent state is reset and the keys have to be added again.

If you want to permanently remember which private key to use, you cannot rely on the ssh-agent service. What you can rely on instead depends on which of the following solutions suits your use case.

When your computer restarts

ssh-add

Options

-D: Delete all keys from ssh-agent.
-d: Delete a key from ssh-agent.
-e pkcs11: Remove the keys provided by the PKCS#11 shared library pkcs11.
-s pkcs11: Add the keys provided by the PKCS#11 shared library pkcs11.
-L: List the public keys held by ssh-agent.
-l: List the keys (fingerprints) held by ssh-agent.
-t life: Set a lifetime for the loaded key; when it expires, ssh-agent automatically unloads the key.
-X: Unlock ssh-agent.
-x: Lock ssh-agent.

Instance

1. Add the private key to the cache of ssh-agent:

ssh-add ~/.ssh/id_dsa

2. Delete the key from ssh-agent:

ssh-add -d ~/.ssh/id_xxx.pub

3. View the key in ssh-agent:

ssh-add -l
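Putting the operation steps and the ssh-add options above together, here is an added POSIX sh example (not code from the original post). It assumes a hypothetical default key path ~/.ssh/id_ed25519; pass your own key file (such as Identity_Linux) instead. The agent_state function relies on the documented exit status of ssh-add -l: 0 when the agent holds keys, 1 when it is reachable but empty, 2 when it cannot be contacted.

```shell
#!/bin/sh
# Added example, not code from the original post: a small POSIX sh wrapper
# around the ssh-agent / ssh-add workflow described above.
# Assumption: the default key path ~/.ssh/id_ed25519 is hypothetical; pass
# your own key file (e.g. Identity_Linux) as the first argument.

# Classify the agent state from the exit status of ssh-add -l. OpenSSH
# documents: 0 = agent reachable and holding keys, 1 = agent reachable but
# empty, 2 = the agent could not be contacted. A missing SSH_AUTH_SOCK means
# no agent is advertised to this shell at all.
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no-agent"
        return 0
    fi
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "has-keys" ;;
        1) echo "empty" ;;
        *) echo "no-agent" ;;
    esac
}

# Start an agent only when none is reachable. ssh-agent -s prints the
# SSH_AUTH_SOCK / SSH_AGENT_PID exports, so eval on its output is the same
# command-substitution trick the post uses (eval `ssh-agent`).
ensure_agent() {
    if [ "$(agent_state)" = "no-agent" ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
}

# Load a key with a lifetime in seconds (-t), so the agent forgets it on its
# own instead of holding a decrypted key for the whole session. The
# passphrase is asked once here, not on every ssh login.
load_key() {
    key=${1:-"$HOME/.ssh/id_ed25519"}
    life=${2:-3600}
    ssh-add -t "$life" "$key"
}

# Remove every key from the agent (-D), e.g. before leaving the machine.
unload_all() {
    ssh-add -D
}

# Usage (interactive, prompts once for the key's passphrase):
#   ensure_agent
#   load_key ~/.ssh/Identity_Linux 1800
#   ssh-add -l
#   agent_state
#   unload_all
```

Because the agent only lives in memory, agent_state reports no-agent again after a reboot or once SSH_AUTH_SOCK is no longer set in the shell, which is exactly the behaviour the "ssh-agent principle" section describes; the -t lifetime limits how long a decrypted key stays loaded if you forget to run unload_all.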


Origin blog.csdn.net/weixin_43972437/article/details/114578337