Detailed explanation of Linux ~/.ssh directory and use of key pairs

.ssh directory contents

In Linux, each user has a .ssh directory under their home directory (~/.ssh), which stores SSH-related keys and some record files. For example:

root@ubuntu:~/.ssh# ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts  known_hosts.old

Use ssh-keygen to generate keys

ssh-keygen can generate the public and private keys required by the ssh protocol, for example:

ssh-keygen -t rsa

This command will generate a private key file (id_rsa by default) and a public key file (id_rsa.pub by default).
The private key is kept in the .ssh directory of the client host, and only that user can read or use it. The public key is installed on servers that need to authenticate this user over SSH. Using a key pair avoids password authentication for tools that run over SSH, such as ssh, scp and rsync.

known_hosts and known_hosts.old

known_hosts and known_hosts.old are files on the SSH client that store the public keys of known hosts. Here is what each of them does:

  1. known_hosts file: This file contains the public keys of the remote hosts you have connected to. When you connect to a remote host for the first time, the SSH client saves the host's public key in the known_hosts file. On every later connection to that host, the client checks whether the host's public key is the same as the one saved before, in order to prevent man-in-the-middle attacks. If the host's public key has changed, the client warns you and asks you to confirm.

  2. known_hosts.old file: When the SSH client modifies the known_hosts file (for example, because a host public key has changed), it first backs up the original file as known_hosts.old. This way, you can revert to the old known-host configuration if needed.

These files are usually located in the SSH client user's ~/.ssh/directory, and each user has their own independent copy.

Note that the known_hosts file does not contain any sensitive information; it only stores public keys used for host authentication. However, if your system has a security problem, someone could tamper with it to deceive you, so it is important to review and verify the validity of the public key whenever you notice that the known_hosts file has changed.
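The comparison described above, as an added shell example (not from the original post): it reads a constructed known_hosts file and reports whether a presented host key matches the stored one, has changed, or has never been seen. It handles only plain (non-hashed) entries; the host names and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the comparison an SSH client
# makes against known_hosts, run on a constructed file. Plain entries only:
# "host[,host2,...] keytype base64key [comment]". Hashed (|1|...) entries,
# @cert-authority/@revoked markers and comment lines are skipped, so a host
# stored only in those forms is reported as unknown here.

# check_host_key FILE HOST KEYTYPE KEY -> prints match | changed | unknown
# and returns 0 | 1 | 2 (the "changed" case is what ssh warns about).
check_host_key() {
    file=$1; host=$2; keytype=$3; key=$4
    stored=$(awk -v h="$host" -v t="$keytype" '
        $1 !~ /^[#@|]/ && $2 == t {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { print $3; exit }
        }' "$file")
    if [ -z "$stored" ]; then
        echo unknown; return 2
    elif [ "$stored" = "$key" ]; then
        echo match; return 0
    else
        echo changed; return 1
    fi
}

# Constructed known_hosts (key strings are placeholders, not real keys).
KH=$(mktemp)
trap 'rm -f "$KH"' EXIT
cat > "$KH" <<'EOF'
# constructed sample
server1.example.com,10.0.0.5 ssh-ed25519 AAAAC3Nza_constructed_key_1
server2.example.com ssh-rsa AAAAB3Nza_constructed_key_2
EOF

printf 'same key:     %s\n' "$(check_host_key "$KH" server1.example.com ssh-ed25519 AAAAC3Nza_constructed_key_1)"
printf 'key changed:  %s\n' "$(check_host_key "$KH" server1.example.com ssh-ed25519 AAAAC3Nza_DIFFERENT)"
printf 'never seen:   %s\n' "$(check_host_key "$KH" server3.example.com ssh-ed25519 AAAAC3Nza_constructed_key_1)"
```

A "changed" result is the situation the warning in point 1 refers to; the right response is to verify the new key out of band, not to delete the line blindly.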

authorized_keys file

The authorized_keys file is located on the SSH server and is used to store the public keys of the clients that are allowed to access the server. When you wish to use a key for SSH authentication, you need to add your public key to the authorized_keys file on the target server. Only public keys listed in the authorized_keys file can successfully authenticate and gain access.

The role of the authorized_keys file is to configure which clients the server allows to use keys for authentication. Each client's public key needs a corresponding entry in this file for successful authentication.

The difference between known_hosts and authorized_keys

Although both known_hosts and authorized_keys files are involved in storing the public key information of other hosts, their roles and functions in the SSH authentication process are different.
The known_hosts file is used by the SSH client to verify the identity of the remote host, and the authorized_keys file is used by the SSH server to verify the identity of the client. They play different roles in the SSH connection process, and the stored public key information also has different sources and purposes.
You may see both known_hosts and authorized_keys files in the same .ssh directory, because the host can act as an SSH client connecting to other hosts and also as an SSH server that other hosts connect to, so both files exist.

Example of public key usage: password-free file sync with rsync

When using rsync to synchronize files, we can install the public key of the current host user for the user on the target host, so that files are synchronized without a password.

  • First, make sure that the current user of our client host already has a key pair; if not, use ssh-keygen to generate one.
  • If we know that the authorized_keys file of the target host user is empty, the following command copies the client's public key to the ~/.ssh/authorized_keys file on the target host:
    ssh-copy-id -i ~/.ssh/id_rsa.pub user@target_host

    Replace user with the username on the target host, and target_host with the IP address or host name of the target host. After executing this command, you will be asked to enter the password of the target host.
    If the ssh-copy-id command is not available, manually copy the public key contents to the target host's ~/.ssh/authorized_keys file.
  • It is very likely, however, that the authorized_keys file of the target host user already contains the public keys of other clients, so we must not overwrite this file. Instead, we append our own public key to the end of it.
    1. First, upload our public key file to the target host:
      scp -P 22 ~/.ssh/id_rsa.pub user@target_host:/tmp/id_rsa.pub

      Replace user with the username on the target host, and target_host with the IP address or host name of the target host. The -P option sets the port of the ssh service; if the ssh service of the target host listens on another port, change it here.
    2. Append the public key to the existing file: log in to the target host and append the public key to the end of the ~/.ssh/authorized_keys file by running:
      cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys

    3. Clean up temporary files (optional): the temporary public key file can be deleted on the target host:
      rm /tmp/id_rsa.pub

      You have now added the public key to the end of the existing ~/.ssh/authorized_keys file on the target host without overwriting it.
  • Verify with an ssh login
    After adding the public key of the source host user to .ssh/authorized_keys of the user on the target host, you can log in with ssh directly without a password:
    ssh user@target_host

    If all goes well, you should be able to log in to the target host without entering a password.
  • Synchronize files with rsync
    rsync -avz -e "ssh -p 22" /path/to/source user@target_host:/path/to/destination

    Replace /path/to/source with the path of the source file or directory, user with the username on the target host, target_host with the IP address or host name of the target host, and /path/to/destination with the path of the target file or directory.
    The -e "ssh -p 22" option tells rsync to use port 22 for the SSH connection. Since key authentication has been set up, rsync authenticates with the key without prompting for a password.
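Steps 1 to 3 above, as an added shell script (not from the original post) meant to run on the target host: it appends the uploaded public key to ~/.ssh/authorized_keys only if it is not already there, refuses input that is not a public key line, and sets the directory and file modes sshd expects. The demo directory, key strings and user names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): append a client's public key to
# a user's authorized_keys like steps 1-3 above, but idempotently, refusing
# non-public-key input, and with the modes sshd expects (700 dir, 600 file).
# Usage on the target host: add_authorized_key /tmp/id_rsa.pub [ssh_dir]

add_authorized_key() {
    pubfile=$1
    sshdir=${2:-"$HOME/.ssh"}
    auth="$sshdir/authorized_keys"
    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 2; }

    # A public key file is one line: "<keytype> <base64 key> [comment]".
    # Anything else (e.g. a private key copied by mistake) is rejected.
    line=$(head -n 1 "$pubfile")
    set -- $line
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*|sk-*) ;;
        *) echo "not a public key line: $pubfile" >&2; return 2 ;;
    esac
    [ -n "$2" ] || { echo "missing key material in $pubfile" >&2; return 2; }
    keytype=$1; keydata=$2

    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"

    # Match on key type + key material in any field position, so a different
    # comment or an options prefix (e.g. "no-pty,...") does not cause a duplicate.
    if awk -v t="$keytype" -v k="$keydata" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == k) found = 1 }
         END { exit !found }' "$auth"; then
        echo "already present"; return 0
    fi
    printf '%s\n' "$line" >> "$auth"
    echo "added"
}

# Constructed demo: a fake key in a temporary directory standing in for the
# target user's ~/.ssh. Running it twice shows the second call is a no-op.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf 'ssh-ed25519 AAAAC3Nza_constructed_key_A user@client\n' > "$DEMO/id_ed25519.pub"
echo "first run:  $(add_authorized_key "$DEMO/id_ed25519.pub" "$DEMO/ssh")"
echo "second run: $(add_authorized_key "$DEMO/id_ed25519.pub" "$DEMO/ssh")"
```

Wrong modes on ~/.ssh or authorized_keys are a common reason the ssh login in the next step still asks for a password, which is why the script sets them explicitly.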

Origin blog.csdn.net/n5/article/details/130965092