Linux key login

Linux key-based login && configuring Xshell for Linux key-based login

1. Introduction

Why key-based login is needed

Ways of logging in to a Linux server

  • Password-based login with an account and password: you have to remember complex passwords, and once there are many machines, managing them by password becomes hard
  • Key-based authentication: allows password-free login and reduces the burden on operations and maintenance staff

As for how public-key and private-key encryption and decryption work, you can look that up yourself...

2. Login process

The client creates a private key and a public key; the commands that generate them are also run on the client. The private key (id_rsa) and public key (id_rsa.pub) are described below.

  • The client generates a key pair: a private key and a public key. The private key stays on the client and must be stored carefully, because an attacker who gets access to the client can copy the private key. When generating the private key, the client can set a passphrase (both variants, with and without a passphrase, are demonstrated below); the client must then enter the passphrase to unlock the private key every time it logs in to the SSH server. (In practice the public and private keys are often both kept on the server; if you use a private key without a passphrase at work and the server is compromised one day, you will not be able to clear yourself of blame.)

  • Add the trusted public key to the server: upload the public key generated by the client to the SSH server and append it to the designated file (~/.ssh/authorized_keys). This completes the configuration for SSH key-based login.

If the client wants to log in to other SSH servers with the same private key, the public key can likewise be uploaded to those servers.

Process steps

The password-free public-key login process is as follows

  • The client sends its public key to the server (the client keeps the private key; the public RSA key can be extracted from the private key on the command line, so wherever there is a private key there is also a public key). The key is written to the server's authorized_keys file
  • When the server receives a connection request from the client, it looks in its authorized_keys file for the client's public key. If it is present, the server generates a random number R and encrypts R with the client's public key, producing pubkey(R)
  • The client decrypts pubkey(R) with its own private key to recover R, then computes an MD5 digest, Digest1, over R and the session key of the current connection, and sends Digest1 back to the server for verification
  • The server computes Digest2 with the same digest algorithm (MD5) over the same R and session key
  • The server compares Digest1 with Digest2; if they match, verification succeeds and the client is logged in to the server
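The five steps above, modelled end to end in Python. This is an added example, not code from the original post, and it is not an SSH implementation: it uses textbook RSA built from two Mersenne primes (constructed constants), MD5 over R and the session key exactly as the description says, and an in-memory `Server` standing in for sshd and its authorized_keys file. The names `Server`, `login`, `demo`, `CLIENT_KEY`, `OTHER_KEY` and `SESSION_KEY` are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Toy textbook RSA (no padding), used only to model the exchange described in
# the text. Real SSH uses padded RSA or other algorithms; these are constructed
# constants for the illustration, not a real key format.
E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int = E


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int

    def public(self) -> PublicKey:
        # "If there is a private key there is also a public key": the modulus
        # is part of the private key material.
        return PublicKey(self.n)


def make_keypair(p: int, q: int) -> PrivateKey:
    phi = (p - 1) * (q - 1)
    return PrivateKey(n=p * q, d=pow(E, -1, phi))


def digest(r: int, session_key: bytes) -> bytes:
    # MD5 over R and the session key, as in step 3 of the description.
    return hashlib.md5(r.to_bytes(32, "big") + session_key).digest()


class Server:
    """Stand-in for sshd: holds authorized_keys, issues and verifies one challenge."""

    def __init__(self) -> None:
        self.authorized_keys: set[PublicKey] = set()
        self._pending_r: Optional[int] = None

    def authorize(self, pub: PublicKey) -> None:
        # Equivalent of appending id_rsa.pub to ~/.ssh/authorized_keys (step 1).
        self.authorized_keys.add(pub)

    def challenge(self, claimed_pub: PublicKey) -> Optional[int]:
        # Step 2: unknown key gets no challenge; otherwise pick R, return pubkey(R).
        if claimed_pub not in self.authorized_keys:
            return None
        self._pending_r = secrets.randbelow(1 << 128)
        return pow(self._pending_r, claimed_pub.e, claimed_pub.n)

    def verify(self, digest1: bytes, session_key: bytes) -> bool:
        # Steps 4 and 5: recompute Digest2 and compare in constant time.
        if self._pending_r is None:
            return False
        digest2 = digest(self._pending_r, session_key)
        self._pending_r = None
        return hmac.compare_digest(digest1, digest2)


def login(server: Server, claimed_pub: PublicKey, priv: PrivateKey,
          session_key: bytes) -> bool:
    """Client side: present a public key, decrypt the challenge, send Digest1."""
    encrypted_r = server.challenge(claimed_pub)
    if encrypted_r is None:
        return False  # public key not in authorized_keys
    r = pow(encrypted_r, priv.d, priv.n)  # step 3: recover R with the private key
    return server.verify(digest(r, session_key), session_key)


# Constructed keys from Mersenne primes: 2^89-1, 2^107-1 for the client and
# 2^61-1, 2^127-1 for an unrelated key that someone else might hold.
CLIENT_KEY = make_keypair((1 << 89) - 1, (1 << 107) - 1)
OTHER_KEY = make_keypair((1 << 61) - 1, (1 << 127) - 1)
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


def demo() -> tuple[bool, bool, bool]:
    server = Server()
    server.authorize(CLIENT_KEY.public())
    ok = login(server, CLIENT_KEY.public(), CLIENT_KEY, SESSION_KEY)
    unknown_key = login(server, OTHER_KEY.public(), OTHER_KEY, SESSION_KEY)
    wrong_private = login(server, CLIENT_KEY.public(), OTHER_KEY, SESSION_KEY)
    return ok, unknown_key, wrong_private


if __name__ == "__main__":
    print(demo())
```

The three results of `demo()` are the cases worth checking: the authorized key logs in, an unknown public key never receives a challenge, and a claimant who presents the right public key but holds a different private key recovers the wrong R and fails the digest comparison. The comparison uses `hmac.compare_digest` so a mismatch cannot be probed through timing.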

3. Server settings

Edit the SSH remote connection configuration /etc/ssh/sshd_config

## Enable public/private key login authentication
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
## File that stores the trusted public keys; as the comment above says, the default is .ssh/authorized_keys and .ssh/authorized_keys2, here we specify it explicitly
AuthorizedKeysFile      .ssh/authorized_keys
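To check that sshd will read the two directives above the way you intend, here is an added Python example (not from the original post) that resolves an sshd_config text the way sshd does: keywords are case-insensitive, the first value seen for a keyword wins, and everything after the first Match line is conditional rather than global. The sample configuration text and the names `effective_settings` and `check_pubkey_login` are constructed for this example.

```python
from __future__ import annotations

# Constructed sample: the two directives from the page, a later duplicate that
# sshd ignores, and a Match block whose contents are not global settings.
SAMPLE_SSHD_CONFIG = """\
# comment lines and blank lines are ignored

PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

PasswordAuthentication yes
# a later duplicate is ignored: sshd keeps the first value it read
PubkeyAuthentication no

Match User backup
    # everything after Match is conditional and not a global setting
    PasswordAuthentication no
"""


def effective_settings(config_text: str) -> dict[str, str]:
    """Return the global value of each keyword, keyed by lower-cased keyword.

    Mirrors sshd_config rules: '#' lines and blank lines are comments, the
    keyword=value spelling is accepted, the first value for a keyword wins,
    and parsing of global settings stops at the first Match line.
    """
    settings: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:
            line = line.replace("=", " ", 1)  # Keyword=value form
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if len(parts) == 1:
            continue  # keyword without a value; nothing to record
        settings.setdefault(keyword, parts[1].strip())  # first occurrence wins
    return settings


def check_pubkey_login(config_text: str) -> list[str]:
    """Report problems with the two settings the page edits; empty means OK."""
    settings = effective_settings(config_text)
    problems: list[str] = []
    # sshd defaults: PubkeyAuthentication yes, AuthorizedKeysFile with both files.
    if settings.get("pubkeyauthentication", "yes") != "yes":
        problems.append("PubkeyAuthentication is not yes")
    keys_file = settings.get(
        "authorizedkeysfile", ".ssh/authorized_keys .ssh/authorized_keys2"
    )
    if ".ssh/authorized_keys" not in keys_file.split():
        problems.append(
            "AuthorizedKeysFile does not include .ssh/authorized_keys: " + keys_file
        )
    return problems


if __name__ == "__main__":
    print(effective_settings(SAMPLE_SSHD_CONFIG))
    print(check_pubkey_login(SAMPLE_SSHD_CONFIG))
```

On a live server, `sshd -T` prints the effective configuration after parsing; the function here reproduces the resolution rules for a config you only have as text, which is useful when reviewing a file before deploying it.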

4. Generate public key and private key pair

Private key without a passphrase

Press Enter at every prompt after running the command

[root@localhost ~]# ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:TQ5Xk7Ipq63Hf9P2NpF8ljsDguIvAX3d+kjk+OKVAsk [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|            o.   |
|          ....   |
|      . . ++.    |
|     ...oBoo .   |
|      .ESoB . . o|
|       ooo =.. =o|
|      .+o.oo+...+|
|      .o+.ooo.o=.|
|      .o++o. o o=|
+----[SHA256]-----+

Private key with a passphrase

After running the command, type a passphrase when prompted for one; press Enter at the other prompts

[fffs@localhost ~]$  ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fffs/.ssh/id_rsa): 
Created directory '/home/fffs/.ssh'.
Enter passphrase (empty for no passphrase):   #### To set a passphrase, type it here
Enter same passphrase again: 
Your identification has been saved in /home/fffs/.ssh/id_rsa.
Your public key has been saved in /home/fffs/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Zgzlob+e1c6y1adA+o3MHGWlauJIpqJyPzUuzlFC2lc [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|        o        |
|       + .       |
|    . o E       .|
|   +   =       o |
|  . o o S   . +  |
|     +oo . + =   |
|    .o .+ + B . .|
|. ..+..= =.@ = o |
| o.+++. + ooO o  |
+----[SHA256]-----+

Key pair

Both methods generate a public key and a private key

[fffs@localhost .ssh]$ ll
-rw-------. 1 fffs ffsgroup 1766 8月28 21:43 id_rsa   ### private key
-rw-r--r--. 1 fffs ffsgroup  408 8月28 21:43 id_rsa.pub   ### public key

Add the public key to authorized_keys

[fffs@localhost .ssh]$  touch authorized_keys
[fffs@localhost .ssh]$  cat id_rsa.pub >> authorized_keys
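The `cat id_rsa.pub >> authorized_keys` step works, but it appends a duplicate every time it is repeated and leaves the file permissions to the umask. Below is an added Python example (not from the original post) that validates the public key line, appends it only if the same key is not already present, and applies the permissions sshd's StrictModes expects (0700 on ~/.ssh, 0600 on authorized_keys). The sample key line is constructed with a dummy modulus; `add_authorized_key`, `parse_pubkey_line` and `demo` are names chosen for this example.

```python
from __future__ import annotations

import base64
import os
import stat
import struct
import tempfile
from pathlib import Path


def _wire_string(data: bytes) -> bytes:
    # SSH wire encoding: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


# Constructed sample line in id_rsa.pub layout (type, exponent, modulus).
# The modulus bytes are dummy filler, not a real key.
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(
    _wire_string(b"ssh-rsa")
    + _wire_string(b"\x01\x00\x01")
    + _wire_string(b"\x00" + b"\x5a" * 255)
).decode() + " user@client.example"


def parse_pubkey_line(line: str) -> tuple[str, str]:
    """Return (key_type, base64_blob) for an OpenSSH public key line.

    Accepts plain id_rsa.pub lines and authorized_keys lines with options in
    front. The blob must be valid base64 and must begin with a wire-encoded
    string equal to the key type, which is how OpenSSH lays the blob out.
    Raises ValueError if no such pair of fields is found.
    """
    fields = line.split()
    for i in range(len(fields) - 1):
        key_type, blob = fields[i], fields[i + 1]
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if len(raw) < 4:
            continue
        (length,) = struct.unpack(">I", raw[:4])
        if raw[4:4 + length] == key_type.encode():
            return key_type, blob
    raise ValueError("not an OpenSSH public key line")


def add_authorized_key(ssh_dir: Path, pubkey_line: str) -> bool:
    """Append a key to ssh_dir/authorized_keys unless it is already present.

    Returns True if added, False if a key with the same type and blob (comment
    ignored) already exists. Always leaves 0700 on the directory and 0600 on
    the file, which is what sshd's StrictModes requires.
    """
    key_type, blob = parse_pubkey_line(pubkey_line)
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    keys_file = ssh_dir / "authorized_keys"
    existing = keys_file.read_text().splitlines() if keys_file.exists() else []
    added = True
    for entry in existing:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            if parse_pubkey_line(entry) == (key_type, blob):
                added = False
                break
        except ValueError:
            continue  # leave lines we cannot parse alone
    if added:
        with keys_file.open("a") as fh:
            fh.write(pubkey_line.strip() + "\n")
    os.chmod(keys_file, 0o600)
    return added


def demo() -> tuple[bool, bool, int, int, int]:
    """Add the sample key twice in a temporary home; report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp) / ".ssh"
        first = add_authorized_key(ssh_dir, SAMPLE_PUBKEY)
        # Same key, different comment: must be recognised as a duplicate.
        second = add_authorized_key(ssh_dir, SAMPLE_PUBKEY + " (laptop)")
        keys_file = ssh_dir / "authorized_keys"
        lines = [l for l in keys_file.read_text().splitlines() if l.strip()]
        dir_mode = stat.S_IMODE(ssh_dir.stat().st_mode)
        file_mode = stat.S_IMODE(keys_file.stat().st_mode)
    return first, second, len(lines), dir_mode, file_mode


if __name__ == "__main__":
    print(demo())
```

StrictModes is on by default in sshd, and it silently refuses keys from a directory or file that is writable by others, which is the usual reason a freshly appended key "does not work"; setting the modes in the same step removes that failure.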

Xshell configuration with an unencrypted private key

Set the user name and set the authentication method to Public Key, then click the settings button to add the key

Import the private key generated on our server

The connection is now created and can be used directly

Xshell configuration with an encrypted private key

The configuration is similar to the one above

The difference is that, when importing the key file, you must enter the passphrase that was set when the key was generated.

Then select the encrypted private key we just added

The connection is then created successfully, but you need to enter the private key's passphrase every time you connect

Source: blog.csdn.net/weixin_44244088/article/details/126575345