Why use privateKey to log in to the SSH server?
When we log in to a Linux server we usually use a username and password, but for code that connects to the server, or for other automated operations, we need a more secure way to log in: using a private key to authenticate to the SSH server.
Introduction to SSH login
- RSA is an asymmetric encryption algorithm
- SSH can authenticate you with an RSA key pair instead of a password
- SSH keys can be created with the ssh-keygen tool
How to create it?
The server generates a key pair (ubuntu)
Enter the .ssh directory under your home directory on the Linux system
cd ~/.ssh/
At this point I saw an error: -bash: cd: /root/.ssh/: No such file or directory
[root@localhost ~]# cd ~/.ssh/
-bash: cd: /root/.ssh/: 没有那个文件或目录
Solve the error
Execute
ssh localhost
The error is resolved, and you're done~
Execute the ls command and we can see that the directory now exists
Execute ssh-keygen to create a key pair
Execute the key generation command and press Enter~
During execution you can choose whether to set a passphrase for the private key; if you don't want one, just press Enter~
ssh-keygen -t rsa
After the command finishes, list the directory to check the result
id_rsa id_rsa.pub known_hosts
SSH server configuration (ubuntu)
We find that there is no authorized_keys file in the directory, so we create one
touch authorized_keys
Append the contents of the id_rsa.pub file to authorized_keys
cat id_rsa.pub >> authorized_keys
Remote access test
Taking a Windows computer as an example, let's test whether we can log in to the SSH server with the private key
Copy the id_rsa private key to the Windows computer, then enter the directory where the private key is located, and execute the command:
ssh -i .\id_rsa [email protected]
Another exception appears: The authenticity of host 'XXX' can't be established.
PS C:\Users\Administrator\Desktop\fsdownload> ssh -i .\id_rsa [email protected]
The authenticity of host '192.168.33.129 (192.168.33.129)' can't be established.
ECDSA key fingerprint is SHA256:dw6kUF1VDfJ9WXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.33.129' (ECDSA) to the list of known hosts.
Analysis
The reason is that every time you connect to a remote Linux host, OpenSSH checks whether that host's public key is recorded in ~/.ssh/known_hosts. On the next connection to the same host, OpenSSH compares the key the host presents with the recorded one; if they differ, it issues a warning, which protects you from attacks such as DNS hijacking. How strictly the host's public key is checked is controlled by the StrictHostKeyChecking option; the default is StrictHostKeyChecking=ask. Its three values in brief:
- StrictHostKeyChecking=no: the least secure level, but without the annoying prompts; it is recommended only for relatively safe intranet testing. If the server's key is not yet stored locally, it is added automatically to the known-hosts file (known_hosts by default) and a warning is printed.
- StrictHostKeyChecking=ask: the default level, which produced the prompt above. If the stored key does not match the one the host presents, ssh prints a warning and refuses to log in.
- StrictHostKeyChecking=yes: the strictest level. If the host's key does not match what is stored locally, the connection is refused without any prompt for details.
Solution
Log in with the following command
ssh -i .\id_rsa -o StrictHostKeyChecking=no [email protected]
Another way to turn off SSH host key verification entirely is to edit the /etc/ssh/ssh_config configuration file and add the following to it:
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
You're done~
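The key-install step and the host-key step above, as an added example that is not from the original post: a POSIX sh script that installs the public key without duplicating it on re-runs, sets the permissions sshd's StrictModes requires (which the post does not mention), and pins the server's host key in known_hosts instead of disabling StrictHostKeyChecking. The directory argument, sample keys and the host key file path are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes POSIX sh and coreutils.
# `cat id_rsa.pub >> authorized_keys` appends a duplicate line every time it
# runs, and sshd ignores authorized_keys when ~/.ssh or the file itself is
# group/world writable (StrictModes), so the modes are set explicitly.

# install_authorized_key <ssh_dir> <public_key_file>
install_authorized_key() {
    ssh_dir="$1"; pub="$2"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    # Append only when this exact key line is not already present;
    # awk guarantees a trailing newline even if the .pub file lacks one.
    if ! grep -qxF -f "$pub" "$auth"; then
        awk '1' "$pub" >> "$auth"
    fi
}

# pin_host_key <ssh_dir> <host> <host_public_key_file>
# Records a host key obtained out of band (for example a copy of the server's
# /etc/ssh/ssh_host_ecdsa_key.pub taken from its console) so the first
# connection is verified rather than waved through with StrictHostKeyChecking=no.
# known_hosts lines have the form "<host> <keytype> <base64> [comment]".
pin_host_key() {
    ssh_dir="$1"; host="$2"; hostpub="$3"
    kh="$ssh_dir/known_hosts"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$kh"
    line="$host $(cat "$hostpub")"
    grep -qxF -- "$line" "$kh" || printf '%s\n' "$line" >> "$kh"
}

# check_ssh_perms <ssh_dir>: returns 0 when the directory and authorized_keys
# have the modes sshd expects (drwx------ and -rw-------), 1 otherwise.
check_ssh_perms() {
    d=$(ls -ld "$1" | cut -c1-10)
    f=$(ls -l "$1/authorized_keys" | cut -c1-10)
    [ "$d" = "drwx------" ] && [ "$f" = "-rw-------" ]
}
```

Run it against a scratch directory first; pointing it at ~/.ssh performs the same steps the post does by hand, plus the permission fix.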
That's all I'll write for today~
- Friends, ( ̄ω ̄( ̄ω ̄〃 ( ̄ω ̄〃)ゝ See you tomorrow~~
- Everyone be happy every day
Everyone is welcome to point out where the article needs to be corrected~
Learning is endless, cooperation is win-win