Detailed explanation of password-free login between ssh and ssh2

http://blog.chinaunix.net/uid-26517277-id-4055228.html


SSH is short for Secure Shell, a protocol specified by the Network Working Group of the IETF; it is a security protocol built on top of the application layer and the transport layer. Wikipedia has a detailed entry on SSH, but in layman's terms, SSH lets a client log in to a server securely to carry out management operations. So forget about FTP, POP and Telnet, and focus on loving SSH.

Let's start with the basics. Suppose we have a MacBook and want to log in to an Ubuntu server to manage it; the first requirement is that the SSH service is installed on the Ubuntu server. The SSH service was originally developed by a company in Finland and has since reached the SSH2 version. However, because of factors such as licensing and encryption algorithms, many people switched to OpenSSH, which, as the name suggests, is open source and free.

All of the following operations require an account with root privileges. Logging in directly as root on a server is generally not recommended, so we usually log in as a normal user and prefix commands with sudo to obtain root privileges.

1. First, the routine update

sudo apt-get update
sudo apt-get upgrade

2. Then install the OpenSSH service

sudo apt-get install openssh-server

3. Ubuntu resolves all dependencies and installs the OpenSSH service for us. Next, we can do some configuration to make it faster and safer; for the specific changes, please refer to here.

Now that the installation is done, we can try to log in from the MacBook, assuming there is a user tester on Ubuntu. On the MacBook, select Applications - Utilities - Terminal, and in the terminal that opens type

# Note that S_IP is the real IP address of the server
ssh tester@S_IP

You will then be asked for tester's password; enter it and you are logged in.

Entering the password every time is annoying and insecure, and carries other potential risks, so SSH also provides a key-based authentication mechanism: you create a key pair for yourself and place the public key on the server you need to access. The client software then makes a request to the server for secure authentication with your private key. When the server receives the request, it first looks for your public key in your home directory on the server and compares it with the public key you sent. If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. This avoids "man in the middle" attacks.

For the reasons mentioned above, there is one annoyance: some companies also like to use the SSH2 version of the SSH service. The encryption algorithms of SSH2 and OpenSSH are completely different, and the key pairs they use are incompatible, so there are the following 4 combinations
1. OpenSSH client to OpenSSH server
2. SSH2 client to SSH2 server
3. OpenSSH client to SSH2 server
4. SSH2 client to OpenSSH server
Suppose client C tries to log in to server S as user tester; let's look at how to log in with a key in each combination.

1. OpenSSH client to OpenSSH server, the easiest and most common case
First, on C

ssh-keygen -t rsa

The generated private key is saved as ~/.ssh/id_rsa. Note that the private key must have exactly this name unless you change C's ssh client configuration. Then upload the public key id_rsa.pub to S

# Here S_IP is the real IP of the server, and user tester's home directory is assumed to be /home/tester
scp ~/.ssh/id_rsa.pub tester@S_IP:/home/tester/.ssh/

Then do the following on server S

cd /home/tester/.ssh
cat id_rsa.pub >> authorized_keys

Log out of server S, then log in again from C

ssh tester@S_IP

If nothing goes wrong, you will never have to type the password again.

2. SSH2 client to SSH2 server
This case is also simple, because the SSH2 version of the ssh service comes with a new tool, ssh-keygen2.
First, on C

ssh-keygen2 -t rsa

Note that this generates a key pair, id_rsa_2048_a and id_rsa_2048_a.pub, under ~/.ssh2/ in the current user's home directory on C.
You must create a file named identification in the ~/.ssh2/ directory and use it to specify the private key

cd ~/.ssh2/
vi identification
# enter the following line and save
IdKey id_rsa_2048_a

Then transfer the public key id_rsa_2048_a.pub to server S

# Here S_IP is the real IP of the server, and user tester's home directory is assumed to be /home/tester
scp ~/.ssh2/id_rsa_2048_a.pub tester@S_IP:/home/tester/.ssh2/

Then do the following on server S

cd /home/tester/.ssh2
vi authorization
# add the following line and save
Key id_rsa_2048_a.pub

Log out of server S, then log in again from C

ssh tester@S_IP

If nothing goes wrong, this now works.

3. OpenSSH client to SSH2 server
This is the most complicated case; many articles on the web about password-free SSH login do not cover it, so here is how to configure it in detail.
First, on C

ssh-keygen -t rsa

The generated private key is saved as ~/.ssh/id_rsa; note that the private key must have exactly this name unless you change C's ssh client configuration. Then one more step is needed: convert the public key into the format that SSH2 understands, using the following command

cd ~/.ssh/
ssh-keygen -e -f id_rsa.pub > id_rsa_2.pub

Then upload the public key id_rsa_2.pub to S

# Here S_IP is the real IP of the server, and user tester's home directory is assumed to be /home/tester
# (the converted key was written to ~/.ssh/ on C in the previous step)
scp ~/.ssh/id_rsa_2.pub tester@S_IP:/home/tester/.ssh2/

Then do the following on server S

cd /home/tester/.ssh2
vi authorization
# add the following line and save
Key id_rsa_2.pub

Log out of server S, then log in again from C

ssh tester@S_IP

If nothing goes wrong, this now works.

4. SSH2 client to OpenSSH server
This is the most painful case, and it should be very rare: it means you are using a commercially licensed server to manage an open-source one? Hopefully your job never puts you in that spot. The configuration for this case is nonetheless very simple and basically the same as case 1, because SSH2 natively supports SSH1 as well, so please refer to the configuration in case 1.

Once you understand everything above, including the linked references, you can apply SSH to every aspect of your work. Below are a few more tricks you may need day to day.

1. Converting between SSH2 keys and OpenSSH keys.

# OpenSSH to SSH2
ssh-keygen -e -f OpenSSH.pub > SSH2.pub
# SSH2 to OpenSSH (write to a different file: redirecting to SSH2.pub itself would truncate the input before ssh-keygen reads it)
ssh-keygen -i -f SSH2.pub > OpenSSH.pub
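To make concrete what ssh-keygen -e and -i do to the public key in case 3 and in this tip, here is an added example (not from the original post) that converts between the OpenSSH one-line format and the RFC 4716 format that SSH2 reads, and checks that the type word on the line agrees with the algorithm name encoded inside the key blob. The sample key it builds is constructed for the demonstration and is not a usable key.

```python
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data   # length-prefixed string used inside key blobs

def blob_key_type(blob: bytes) -> str:
    (n,) = struct.unpack(">I", blob[:4])         # first field of the blob is the algorithm name
    return blob[4:4 + n].decode("ascii")

def declared_type_matches_blob(line: str) -> bool:
    key_type, b64 = line.split(None, 2)[:2]      # the type word must agree with the blob's type
    return blob_key_type(base64.b64decode(b64, validate=True)) == key_type

def openssh_to_rfc4716(line: str) -> str:
    """One 'type base64 [comment]' line -> RFC 4716 text (what ssh-keygen -e produces)."""
    if not declared_type_matches_blob(line):
        raise ValueError("declared key type does not match the key blob")
    parts = line.split(None, 2)
    comment = parts[2].strip() if len(parts) == 3 else ""
    header = [f'Comment: "{comment}"'] if comment else []
    body = textwrap.wrap(parts[1], 70)           # RFC 4716 limits lines to 72 characters
    return "\n".join([BEGIN, *header, *body, END]) + "\n"

def rfc4716_to_openssh(text: str) -> str:
    """RFC 4716 text -> one OpenSSH authorized_keys line (what ssh-keygen -i produces)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    comment, b64 = "", []
    for l in lines[1:-1]:
        if ":" in l:                             # header line; base64 text never contains ':'
            tag, _, value = l.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            b64.append(l)
    blob = base64.b64decode("".join(b64), validate=True)
    out = f"{blob_key_type(blob)} {base64.b64encode(blob).decode('ascii')}"
    return out + (f" {comment}" if comment else "") + "\n"

def constructed_rsa_pubkey_line() -> str:
    e = (65537).to_bytes(3, "big")
    n = b"\x00" + bytes(range(1, 65))            # constructed, NOT a usable key; leading zero keeps the mpint positive
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " tester@C"
```

Feeding a real id_rsa.pub line to openssh_to_rfc4716 gives the same text as ssh-keygen -e, and converting back returns the original line, which is the quickest way to confirm a key was not mangled while being copied between the two formats.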

2. On Windows we usually use excellent SSH clients such as SecureCRT, XShell and PuTTY, which make working with SSH easier; on Mac or Linux, SSH from the command line is more natural. But do you know how to use a proxy with command-line SSH when you need one?
Taking the OpenSSH client as an example, suppose there are two servers S1 and S2 that can only be reached through port 80 of a proxy server P1.

vi ~/.ssh/config
# add the following content
Host S1_IP S2_IP
    ProxyCommand nc -X connect -x P1:80 %h %p
    ServerAliveInterval 60

In addition, when using scp you may also run into the following error because of the ssh/ssh2 mismatch:
"scp - FATAL: Executing ssh1 in compatibility mode failed (check that scp1 is in your PATH)."

Quote 1: This problem is often quite perplexing, since a ssh -V trace may show that you're using SSH-2 - so what is a message about "ssh1 compatibility mode" doing in there? What's happening is this:
1. On the OpenSSH client, you run say, scp foo server:bar
2. scp runs ssh in a subprocess to connect to the server, and run the remote command scp -t bar. This is intended to start an instance of the scp program on the server, and the two scp's will cooperate by speaking over the SSH connection, to retrieve the file.
3. ssh connects to the server (using either protocol 1 or 2, it doesn't matter), and runs the remote scp command. However, the "scp" that gets run on the server is the SSH2 scp program (scp2), not the OpenSSH one. The crux of the problem is: besides the name, these two scp's have exactly nothing in common. scp2 cannot speak the file-transfer protocol that OpenSSH scp does. However, scp2 recognizes from the "-t" flag what's expected, and tries to exec scp1 to service the connection (this is the extent of SSH2's SSH-1 compatibility; where OpenSSH has code for both protocols in a single set of programs, SSH2 expects to execute programs from a parallel SSH1 installation). It fails (presumably because you don't have SSH1 installed), and reports the problem. The solution is to install either the OpenSSH or SSH1 version of scp on the server under the name "scp1", somewhere in the sshd2's PATH.

Quote 2: OpenSSH implements "scp" via RCP over an SSH channel. ssh.com implement "scp" via FTP over an SSH channel. OpenSSH's server has both implementations, but its client only uses the RCP version. So if the client is OpenSSH, use "sftp" to get to an ssh.com server.
This situation generally occurs when openssh is the client and it connects to an ssh2 server.
If both of the above solutions seem like too much trouble, you can bypass the problem with tar:

# copy a local file or directory $1 into remote directory $2
scp2() {
    tar cf - -C "$(dirname "$1")" "$(basename "$1")" | ssh user_name@server_ip -- "tar xmf - -C $2"
}
# copy remote file or directory $1 into local directory $2 (current directory by default)
scp2r() {
    ssh user_name@server_ip -- "tar cf - -C $(dirname "$1") $(basename "$1")" | tar xmf - -C "${2:-.}"
}
