SSH key login
SSH uses password login by default. This method has many shortcomings. Simple passwords are not safe, complex passwords are not easy to remember, and it is troublesome to input manually each time. Key login is a better solution than password login.
What is the key
The key is a very large number, which is obtained through an encryption algorithm. Symmetric encryption requires only one key, and asymmetric encryption requires two keys to be used in pairs, divided into public key and private key.
SSH key login uses asymmetric encryption, and each user logs in with his own key. Among them, the private key must be kept privately and cannot be leaked; the public key is public and can be sent to the outside world. The relationship between them is that the public key and the private key have a one-to-one correspondence, and each private key has and only one corresponding public key, and vice versa.
If the data is encrypted with a public key, only the corresponding private key can be used for decryption, and other keys will not work; conversely, if the private key is used for encryption (this process is generally called "signature"), only the corresponding public key can be used for decryption. .
Key login process
SSH key login is divided into the following steps.
As a preliminary step, the client generates its own public key and private key through
The first step is to manually put the client's public key into the designated location of the remote server.
In the second step, the client initiates an SSH login request to the server.
In the third step, the server receives the user's SSH login request and sends some random data to the user, asking the user to prove his identity.
In the fourth step, the client receives the data sent by the server, signs the data with the private key, and then sends it back to the server.
In the fifth step, after the server receives the encrypted signature from the client, it uses the corresponding public key to decrypt it, and then compares it with the original data. If they are consistent, the user is allowed to log in.
ssh-key command: Generate key
When the key is logged in, you first need to generate a public key and a private key. OpenSSH provides a tool program
ssh-keygen command to generate keys.
ssh-keygen directly, the program will ask a series of questions, and then generate the key.
The usual practice is to use the
-t parameter to specify the encryption algorithm of the key.
$ ssh-keygen -t dsa
In the above example, the
-t parameter is used to specify the encryption algorithm of the key. Generally, the
dsa algorithm or the
rsa algorithm is selected. Note that there is no default value for this parameter.
After entering the above command,
ssh-keygen will ask the user to answer some questions.
$ ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/home/username/.ssh/id_dsa): press ENTER Enter passphrase (empty for no passphrase): ******** Enter same passphrase again: ******** Your identification has been saved in /home/username/.ssh/id_dsa. Your public key has been saved in /home/username/.ssh/id_dsa.pub. The key fingerprint is: 14:ba:06:98:a8:98:ad:27:b5:ce:55:85:ec:64:37:19 email@example.com
In the above example, after executing the
ssh-keygen command, the first question will appear, asking for the file name of the key save, the default is the file
~/.ssh/id_dsa, this is the file name of the private key, corresponding The public key file
~/.ssh/id_dsa.pub is automatically generated. The user's key is generally placed in the
.ssh directory of the home directory.
rsa algorithm is selected, the generated key files will be
~/.ssh/id_rsa (private key) and
~/.ssh/id_rsa.pub (public key) by default.
Then, there will be the second question, asking if you want to set up password protection (passphrase) for the private key file. In this case, even if the intruder gets the private key, he still needs to crack the password. If you do not want to set password protection for convenience, you can directly press the Enter key, and the password will be blank. You will be asked to enter the password again later, and the two entries must be consistent. Note that the English word "password" here is passphrase, which is to avoid confusion with the password word password of the Linux account, which means that this is not the password of the user's system account.
Finally, the private key and public key will be generated, and the fingerprint of the public key will be given on the screen, as well as the current user name and host name as a comment to identify the source of the key.
Both the public key file and the private key file are text files. You can use a text editor to view their contents. The content of the public key file is similar to the following.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvpB4lUbAaEbh9u6HLig7amsfywD4fqSZq2ikACIUBn3GyRPfeF93l/ weQh702ofXbDydZAKMcDvBJqRhUotQUwqV6HJxqoqPDlPGUUyo8RDIkLUIPRyq ypZxmK9aCXokFiHoGCXfQ9imUP/w/jfqb9ByDtG97tUJF6nFMP5WzhM= firstname.lastname@example.org
In the above example, the
email@example.com at the end is the comment of the public key, which is used to identify different public keys and indicate which user (
username) of which host (shell.isp.com
) this is ) The public key is not required.
Note that the public key has only one line. Because it is too long, the display is divided into three lines.
The following command can list all public keys of the user.
$ ls -l ~/.ssh/id_*.pub
After the keys are generated, it is recommended to modify their permissions to prevent others from reading them.
$ chmod 600 ~/.ssh/id_rsa $ chmod 600 ~/.ssh/id_rsa.pub
The command line configuration items of
ssh-keygen mainly include the following.
-b parameter specifies the number of bits in the key. The larger the value of this parameter, the more difficult it is to crack the key, but the computational overhead of encryption and decryption will increase.
-b should be at least
1024, and it is safer to set it to
2048 or higher.
-C parameter can specify a new comment for the key file in the format of
The following command generates a 4096-bit RSA encryption algorithm key pair, and gives the user name and host name.
$ ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
-f parameter specifies the generated private key file.
$ ssh-keygen -t dsa -f mykey
The above command will generate the private key file
mykey and the public key file
mykey.pub in the current directory.
-F parameter checks whether a hostname is in the
$ ssh-keygen -F example.com
-N parameter is used to specify the passphrase of the private key.
$ ssh-keygen -t dsa -N secretword
-p parameter is used to re-specify the passphrase of the private key. The difference between it and
-N is that the new password is not specified in the command, but entered after execution. ssh first asks for the old password, and then asks for the new password twice.
-R parameter removes the specified host public key fingerprint out of the
$ ssh-keygen -R example.com
-t parameter is used to specify the encryption algorithm to generate the key, generally
Manually upload the public key
After the key is generated, the public key must be uploaded to the server before the public key can be used to log in.
OpenSSH stipulates that the user's public key is stored in the server's
~/.ssh/authorized_keys file. With which user you want to log in to the server, the key must be saved in the file
~/.ssh/authorized_keys in the user's home directory. As long as the public key is added to this file, it is equivalent to uploading the public key to the server. Each public key occupies one line. If the file does not exist, you can create it manually.
The user can manually edit the file and paste the public key into it, or execute the following command on the local computer.
$ cat ~/.ssh/id_rsa.pub | ssh user@host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
In the above example,
user@host should be replaced with the username and host name you want to log in.
Note that the permissions of the
authorized_keys file should be set to
644, that is, only the file owner can write. If the permissions are set incorrectly, the SSH server may refuse to read the file.
$ chmod 644 ~/.ssh/authorized_keys
As long as the public key is uploaded to the server, OpenSSH will automatically use the key to log in the next time you log in, without prompting for a password.
$ ssh -l username shell.isp.com Enter passphrase for key'/home/you/.ssh/id_dsa': ************ Last login: Mon Mar 24 02:17:27 2014 from ex.ample.com shell.isp.com>
In the above example, before using the private key, the SSH client will ask the user to enter a passphrase to unlock the private key.
ssh-copy-id command: automatically upload the public key
OpenSSH comes with a
ssh-copy-id command, which can automatically copy the public key to the
~/.ssh/authorized_keys file of the remote server. If the
~/.ssh/authorized_keys file does not exist, the
ssh-copy-id command will automatically create the file.
The user executes the following command on the local computer to copy the local public key to the server.
$ ssh-copy-id -i key_file user@host
In the above command, the
-i parameter is used to specify the public key file,
user is the name of the account to be logged in, and
host is the server address. If the user name is omitted, it defaults to the current local user name. After executing this command, the public key will be copied to the server.
Note that the public key file does not need to specify the path and the
.pub suffix name, and
ssh-copy-id will automatically search for it in the
$ ssh-copy-id -i id_rsa user@host
In the above command, the public key file will be automatically matched to
ssh-copy-id will log in with a password, and the system will prompt for the password of the remote server.
ssh-copy-id directly adds the public key to the end of the
authorized_keys file. If the end of the
authorized_keys file is not a newline character, it will cause the new public key to be added to the end of the previous public key, and the two public keys are connected together, making them ineffective. Therefore, if the
authorized_keys file already exists, before using the
ssh-copy-id command, make sure that the end of the
authorized_keys file is a newline (assuming the file already exists).
ssh-agent command, ssh-add command
After the password is set for the private key, the password must be entered every time it is used, which sometimes feels very troublesome. For example, when using the
scp command to copy files remotely, the password is required every time.
ssh-agent command is designed to solve this problem. It allows the user to enter the password only when using the SSH command for the first time in the entire Bash session (session), and then save the private key in the memory. There is no need to enter the password of the private key anymore.
The first step is to use the following command to create a new command line dialog.
$ ssh-agent bash
In the above command, if the command line environment you are using is not Bash, you can use other Shell commands instead. Such as
If you want to enable
ssh-agent in the current session, you can use the following command.
$ eval `ssh-agent`
In the above command,
ssh-agent will automatically run in the background first, and output the environment variables that need to be set on the screen, similar to the following.
$ ssh-agent SSH_AUTH_SOCK=/tmp/ssh-barrett/ssh-22841-agent; export SSH_AUTH_SOCK; SSH_AGENT_PID=22842; export SSH_AGENT_PID; echo Agent pid 22842;
The function of the
eval command is to run the output of the above
ssh-agent command and set environment variables.
In the second step, in the newly created Shell dialog, use the
ssh-add command to add the default private key (such as
~/.ssh /id_ecdsa, or
$ ssh-add Enter passphrase for /home/you/.ssh/id_dsa: ******** Identity added: /home/you/.ssh/id_dsa (/home/you/.ssh/id_dsa)
In the above example, when adding a private key, a password will be required. In the future, when the key is used in this conversation, there is no need to enter the password of the private key, because the private key has already been loaded into the memory.
If you are not adding the default private key, the
ssh-add command needs to explicitly specify the private key file.
$ ssh-add my-other-key-file
In the above command,
my-other-key-file is the private key file specified by the user.
The third step is to use the ssh command to log in to the remote server normally.
$ ssh remoteHost
In the above command,
remoteHost is the address of the remote server, and ssh uses the default private key. At this time, if the private key has a password, ssh will no longer ask for the password, but directly take out the private key in the memory.
If you want to use another private key to log in to the server, you need to use the
-i parameter of the ssh command to specify the private key file.
$ ssh –i OpenSSHPrivateKey remoteHost
Finally, if you want to exit
ssh-agent, you can directly exit the sub-Shell (press Ctrl + d), or you can use the following command.
$ ssh-agent -k
ssh-add command is used to add the private key to
ssh-agent, it has the following parameters.
-d parameter deletes the specified private key from the memory.
$ ssh-add -d name-of-key-file
-D parameter deletes all private keys that have been added from the memory.
$ ssh-add -D
-l parameter lists all the private keys that have been added.
$ ssh-add -l
Turn off password login
For security, after enabling key login, it is best to turn off the server's password login.
For OpenSSH, the specific method is to open the configuration file
/etc/ssh/sshd_config of the server sshd and set the item
After modifying the configuration file, do not forget to restart sshd, otherwise it will not take effect.