SSH passwordless login and ssh-keygen usage

1 What is SSH

SSH (Secure Shell) is a security protocol built on the application layer, developed by the IETF Network Working Group.

SSH is a comparatively reliable protocol designed to provide security for remote login sessions and other network services. It effectively prevents information leakage during remote administration.

SSH was originally a program for UNIX systems and later spread quickly to other operating platforms.

To secure communication between different platforms and network hosts we often go through SSH, and SSH has two main authentication methods:

① Password-based authentication: a user name and password must be entered at every login, and because the password is transmitted, there is a risk of man-in-the-middle attacks on the network;

② Key-based authentication: once configured, it gives passwordless login and is much more secure. No password has to be sent over the network; only the public key needs to be transferred. Git over SSH, for example, authenticates by public key in this way.
2 Configuring SSH passwordless login

Description: the server operating system used in this demonstration is CentOS 7. Our goal is for server A (172.16.22.131) to log in to server B (172.16.22.132) without a password.

Note: an SSH trust relationship is one-directional. When A can log in to B without a password, B cannot at the same time log in to A without a password (that direction has to be configured separately).
2.1 Install the necessary software

Before starting, make sure the required software is installed correctly.

Here we need ssh-keygen and ssh-copy-id (on CentOS 7 both are shipped in the openssh-clients package). Install them as follows:

# Install ssh-keygen. The server needs network access; it is already installed here, so yum does nothing.
[root@localhost ~]# yum -y install ssh-keygen
Loaded plugins: fastestmirror, langpacks
base                                   | 3.6 kB  00:00:00
epel                                   | 3.6 kB  00:00:00
extras                                 | 2.9 kB  00:00:00
updates                                | 2.9 kB  00:00:00
Loading mirror speeds from cached hostfile
No package ssh-keygen available.
Error: Nothing to do

# Install ssh-copy-id
[root@localhost ~]# yum -y install ssh-copy-id
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
No package ssh-copy-id available.
Error: Nothing to do

2.2 Create a public/private key pair with ssh-keygen

(1) Generate an rsa key in the specified directory with the comment "shoufeng". Example run:

[root@localhost ~]# ssh-keygen -t rsa -f ~/.ssh/id_rsa -C "shoufeng"
# -t: key type   -f: key file path   -C: comment
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):    # passphrase; just press Enter for none
Enter same passphrase again:                   # confirm the passphrase; just press Enter for none
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
9a:e3:94:b9:69:c8:e9:68:4b:dc:fa:43:25:7f:53:f1 shoufeng
The key's randomart image is:
+--[ RSA 2048]----+
(randomart image not reproduced)
+-----------------+

Note: the key file name must be id_xxx, where xxx is the key type given with -t: for an rsa key the file name must be id_rsa (these are the file names the ssh client looks for by default).

(2) Common ssh-keygen parameters:

-t: key type; one of dsa | ecdsa | ed25519 | rsa;

-f: key file location. The default is the hidden .ssh directory under the user's home, i.e. ~/.ssh/, and the default key file name is id_rsa. For root this is /root/.ssh/id_rsa; for other users it is /home/username/.ssh/id_rsa;

-C: a comment for this key; recommended when several passwordless logins have to be configured;

-N: the passphrase for this key pair. When given, the command does not stop to prompt for and confirm the passphrase.

For example, specifying the file location, passphrase and comment, so that the key pair is created without pressing Enter at any prompt:

ssh-keygen -t rsa -f ~/.ssh/id_rsa -C shoufeng -N shoufeng

(3) View the generated files in the ~/.ssh/ directory:

# the generated files start with test_rsa: test_rsa is the private key, test_rsa.pub is the public key:
[root@localhost .ssh]# ls
test_rsa  test_rsa.pub

# view the public key file with the cat command:
[root@localhost .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2JpLMqgeg9jB9ZztOCw0WMS8hdVpFxthqG1vOQTOji/cp0+8RUZl3P6NtzqfHbs0iTcY0ypIJGgx4eXyipfLvilV2bSxRINCVV73VnydVYl5gLHsrgOx+372Wovlanq7Mxq06qAONjuRD0c64xqdJFKb1OvS/nyKaOr9D8yq/FxfwKqK7TzJM0cVBAG7+YR8lc9tJTCypmNXNngiSlipzjBcnfT+5VtcFSENfuJd60dmZDzrQTxGFSS2J34CuczTQSsItmYF3DyhqmrXL+cJ2vjZWVZRU6IY7BpqJFWwfYY9m8KaL0PZ+JJuaU7ESVBXf6HJcQhYPp2bTUyff+VDV shoufeng
# the comment "shoufeng" can be seen at the end

2.3 Send the public key from A to B with ssh-copy-id

The default usage is ssh-copy-id user@host, and ssh-copy-id connects to the remote server on port 22 by default. The key file, remote host IP, user and port can of course all be specified:

# specify the local file to copy, and the remote user name + IP + port number:
[root@localhost .ssh]# ssh-copy-id -i ~/.ssh/id_rsa.pub -p 22 root@172.16.22.132
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.22.132's password:    # enter the password; the public key is then copied

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '22' 'root@172.16.22.132'"
and check to make sure that only the key(s) you wanted were added.

2.4 Log in to server B from server A without a password

[root@localhost .ssh]# ssh root@172.16.22.132
Last login: Fri Jun 14 08:46:04 2019 from 192.168.34.16    # login succeeded :)

3 Additional notes

3.1 Other ways of sending the public key file

Step 2.3 above sent the public key file with the ssh-copy-id tool; of course this can also be done in other ways:

(1) Send the public key file from A to B:

Send the public key file from server A to the user's directory on server B with the scp command. Since passwordless login has not been configured yet, the password of the corresponding user on server B has to be entered:

[root@localhost .ssh]# scp id_rsa.pub root@172.16.22.132:/root/.ssh
root@172.16.22.132's password:
id_rsa.pub                                    100%  390     0.4KB/s   00:00

(2) Create the authorized_keys file on B:

[root@localhost .ssh]# cd /root/.ssh/
[root@localhost .ssh]# ls
id_rsa.pub
# generate the "authorized_keys" file from server A's public key:
[root@localhost .ssh]# cat id_rsa.pub >> authorized_keys
[root@localhost .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2JpLMqgeg9jB9ZztOCw0WMS8hdVpFxthqG1vOQTOji/cp0+8RUZl3P6NtzqfHbs0iTcY0ypIJGgx4eXyipfLvilV2bSxRINCVV73VnydVYl5gLHsrgOx+372Wovlanq7Mxq06qAONjuRD0c64xqdJFKb1OvS/nyKaOr9D8yq/FxfwKqK7TzJM0cVBAG7+YR8lc9tJTCypmNXNngiSlipzjBcnfT+5VtcFSENfuJd60dmZDzrQTxGFSS2J34CuczTQSsItmYF3DyhqmrXL+cJ2vjZWVZRU6IY7BpqJFWwfYY9m8KaL0PZ+JJuaU7ESVBXf6HJcQhYPp2bTUyff+VDV shoufeng

Note: append with the >> redirection; do not use >, which would overwrite the existing content.
3.2 File permissions

For the public key, private key and authorized_keys files to serve as authentication credentials, their permissions must be correct:

① For the .ssh directory and the public and private key files inside it, the current user must have at least execute permission, and other users may have at most execute permission.

② Do not take the easy route of 777: such permissions are far too open, and the digital signature check does not accept this permission policy.

③ For a normal user, permissions of 600 are recommended: chmod 600 authorized_keys id_rsa id_rsa.pub;

④ For root, permissions of 644 are recommended: chmod 644 authorized_keys id_rsa id_rsa.pub.
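The manual key installation of section 3.1 and the permission rules of section 3.2 (③), written as a small POSIX shell function; this is an added example, not code from the original post, and the function names install_pubkey and count_keys are my own. It appends with >> only, refuses a file that is not a public key line, skips a key that is already present, and sets the 700/600 modes that sshd's StrictModes check expects.

```shell
# install_pubkey <pubkey_file> [ssh_dir]: append one public key line to
# authorized_keys (ssh_dir defaults to $HOME/.ssh). Example code, not from the post.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64> [comment]"; refuse anything else
    # (a private key, or a file with editor-added junk, see section 3.3).
    if ! head -n 1 "$pubkey_file" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+|ssh-dss) [A-Za-z0-9+/]+=*( |$)'; then
        echo "not a public key line: $pubkey_file" >&2
        return 1
    fi

    # ~/.ssh and authorized_keys must not be writable by group/others,
    # otherwise sshd (StrictModes yes, the default) ignores the file.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    [ -e "$auth" ] || : > "$auth"       # create once; from here on only >> is used
    chmod 600 "$auth" || return 1

    # Compare type + key material only, so a different comment does not add a duplicate.
    key=$(awk 'NR==1 {print $1, $2}' "$pubkey_file")
    if grep -Fq -- "$key" "$auth"; then
        echo "already installed: $key"
        return 0
    fi
    # awk always terminates the record with a newline, so a .pub file saved without
    # a trailing newline cannot glue itself onto the next key appended later.
    awk 'NR==1' "$pubkey_file" >> "$auth"    # >> appends; > would wipe existing keys
    echo "added: $key"
}

# count_keys [ssh_dir]: number of key lines currently in authorized_keys.
count_keys() {
    grep -c '^[a-z]' "${1:-$HOME/.ssh}/authorized_keys"
}
```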
3.3 Editing and viewing the files

In a Linux environment, when viewing or copying the private key, public key, authorized_keys and similar files, do not open them with an editor such as vim, because it can introduce unwanted line breaks;

instead print the contents to the terminal with a viewing command such as cat, more or less, and view or copy them from there.

Source: www.cnblogs.com/wangdidi/p/11319313.html