SSH key login

SSH uses password login by default. This method has many shortcomings. Simple passwords are not safe, complex passwords are not easy to remember, and it is troublesome to input manually each time. Key login is a better solution than password login.

What is the key

The key is a very large number, which is obtained through an encryption algorithm. Symmetric encryption requires only one key, and asymmetric encryption requires two keys to be used in pairs, divided into public key and private key.

SSH key login uses asymmetric encryption, and each user logs in with his own key. Among them, the private key must be kept privately and cannot be leaked; the public key is public and can be sent to the outside world. The relationship between them is that the public key and the private key have a one-to-one correspondence, and each private key has and only one corresponding public key, and vice versa.

If the data is encrypted with a public key, only the corresponding private key can be used for decryption, and other keys will not work; conversely, if the private key is used for encryption (this process is generally called "signature"), only the corresponding public key can be used for decryption. .

Key login process

SSH key login is divided into the following steps.

As a preliminary step, the client generates its own public key and private key through ssh-keygen.

The first step is to manually put the client's public key into the designated location of the remote server.

In the second step, the client initiates an SSH login request to the server.

In the third step, the server receives the user's SSH login request and sends some random data to the user, asking the user to prove his identity.

In the fourth step, the client receives the data sent by the server, signs the data with the private key, and then sends it back to the server.

In the fifth step, after the server receives the encrypted signature from the client, it uses the corresponding public key to decrypt it, and then compares it with the original data. If they are consistent, the user is allowed to log in.

ssh-key command: Generate key

Basic usage

When the key is logged in, you first need to generate a public key and a private key. OpenSSH provides a tool program ssh-keygen command to generate keys.

Enter ssh-keygen directly, the program will ask a series of questions, and then generate the key.

$ ssh-keygen

The usual practice is to use the -t parameter to specify the encryption algorithm of the key.

$ ssh-keygen -t dsa

In the above example, the -t parameter is used to specify the encryption algorithm of the key. Generally, the dsa algorithm or the rsa algorithm is selected. Note that there is no default value for this parameter.

After entering the above command, ssh-keygen will ask the user to answer some questions.

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_dsa): press ENTER
Enter passphrase (empty for no passphrase): ********
Enter same passphrase again: ********
Your identification has been saved in /home/username/.ssh/id_dsa.
Your public key has been saved in /home/username/.ssh/id_dsa.pub.
The key fingerprint is:
14:ba:06:98:a8:98:ad:27:b5:ce:55:85:ec:64:37:19 username@shell.isp.com

In the above example, after executing the ssh-keygen command, the first question will appear, asking for the file name of the key save, the default is the file ~/.ssh/id_dsa, this is the file name of the private key, corresponding The public key file ~/.ssh/id_dsa.pub is automatically generated. The user's key is generally placed in the .ssh directory of the home directory.

If the rsa algorithm is selected, the generated key files will be ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key) by default.

Then, there will be the second question, asking if you want to set up password protection (passphrase) for the private key file. In this case, even if the intruder gets the private key, he still needs to crack the password. If you do not want to set password protection for convenience, you can directly press the Enter key, and the password will be blank. You will be asked to enter the password again later, and the two entries must be consistent. Note that the English word "password" here is passphrase, which is to avoid confusion with the password word password of the Linux account, which means that this is not the password of the user's system account.

Finally, the private key and public key will be generated, and the fingerprint of the public key will be given on the screen, as well as the current user name and host name as a comment to identify the source of the key.

Both the public key file and the private key file are text files. You can use a text editor to view their contents. The content of the public key file is similar to the following.

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvpB4lUbAaEbh9u6HLig7amsfywD4fqSZq2ikACIUBn3GyRPfeF93l/
weQh702ofXbDydZAKMcDvBJqRhUotQUwqV6HJxqoqPDlPGUUyo8RDIkLUIPRyq
ypZxmK9aCXokFiHoGCXfQ9imUP/w/jfqb9ByDtG97tUJF6nFMP5WzhM= username@shell.isp.com

In the above example, the username@shell.isp.com at the end is the comment of the public key, which is used to identify different public keys and indicate which user (username) of which host (shell.isp.com) this is ) The public key is not required.

Note that the public key has only one line. Because it is too long, the display is divided into three lines.

The following command can list all public keys of the user.

$ ls -l ~/.ssh/id_*.pub

After the keys are generated, it is recommended to modify their permissions to prevent others from reading them.

$ chmod 600 ~/.ssh/id_rsa
$ chmod 600 ~/.ssh/id_rsa.pub

Configuration items

The command line configuration items of ssh-keygen mainly include the following.

(1)-b

The -b parameter specifies the number of bits in the key. The larger the value of this parameter, the more difficult it is to crack the key, but the computational overhead of encryption and decryption will increase.

Generally speaking, -b should be at least 1024, and it is safer to set it to 2048 or higher.

(2)-C

The -C parameter can specify a new comment for the key file in the format of username@host.

The following command generates a 4096-bit RSA encryption algorithm key pair, and gives the user name and host name.

$ ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"

(3)-f

The -f parameter specifies the generated private key file.

$ ssh-keygen -t dsa -f mykey

The above command will generate the private key file mykey and the public key file mykey.pub in the current directory.

(4)-F

The -F parameter checks whether a hostname is in the known_hosts file.

$ ssh-keygen -F example.com

(5)-N

The -N parameter is used to specify the passphrase of the private key.

$ ssh-keygen -t dsa -N secretword

(6)-p

The -p parameter is used to re-specify the passphrase of the private key. The difference between it and -N is that the new password is not specified in the command, but entered after execution. ssh first asks for the old password, and then asks for the new password twice.

(7)-R

The -R parameter removes the specified host public key fingerprint out of the known_hosts file.

$ ssh-keygen -R example.com

(8)-t

The -t parameter is used to specify the encryption algorithm to generate the key, generally dsa or rsa

Manually upload the public key

After the key is generated, the public key must be uploaded to the server before the public key can be used to log in.

OpenSSH stipulates that the user's public key is stored in the server's ~/.ssh/authorized_keys file. With which user you want to log in to the server, the key must be saved in the file ~/.ssh/authorized_keys in the user's home directory. As long as the public key is added to this file, it is equivalent to uploading the public key to the server. Each public key occupies one line. If the file does not exist, you can create it manually.

The user can manually edit the file and paste the public key into it, or execute the following command on the local computer.

$ cat ~/.ssh/id_rsa.pub | ssh user@host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

In the above example, user@host should be replaced with the username and host name you want to log in.

Note that the permissions of the authorized_keys file should be set to 644, that is, only the file owner can write. If the permissions are set incorrectly, the SSH server may refuse to read the file.

$ chmod 644 ~/.ssh/authorized_keys

As long as the public key is uploaded to the server, OpenSSH will automatically use the key to log in the next time you log in, without prompting for a password.

$ ssh -l username shell.isp.com
Enter passphrase for key'/home/you/.ssh/id_dsa': ************
Last login: Mon Mar 24 02:17:27 2014 from ex.ample.com
shell.isp.com>

In the above example, before using the private key, the SSH client will ask the user to enter a passphrase to unlock the private key.

ssh-copy-id command: automatically upload the public key

OpenSSH comes with a ssh-copy-id command, which can automatically copy the public key to the ~/.ssh/authorized_keys file of the remote server. If the ~/.ssh/authorized_keys file does not exist, the ssh-copy-id command will automatically create the file.

The user executes the following command on the local computer to copy the local public key to the server.

$ ssh-copy-id -i key_file user@host

In the above command, the -i parameter is used to specify the public key file, user is the name of the account to be logged in, and host is the server address. If the user name is omitted, it defaults to the current local user name. After executing this command, the public key will be copied to the server.

Note that the public key file does not need to specify the path and the .pub suffix name, and ssh-copy-id will automatically search for it in the ~/.ssh directory.

$ ssh-copy-id -i id_rsa user@host

In the above command, the public key file will be automatically matched to ~/.ssh/id_rsa.pub.

ssh-copy-id will log in with a password, and the system will prompt for the password of the remote server.

Note that ssh-copy-id directly adds the public key to the end of the authorized_keys file. If the end of the authorized_keys file is not a newline character, it will cause the new public key to be added to the end of the previous public key, and the two public keys are connected together, making them ineffective. Therefore, if the authorized_keys file already exists, before using the ssh-copy-id command, make sure that the end of the authorized_keys file is a newline (assuming the file already exists).

ssh-agent command, ssh-add command

Basic usage

After the password is set for the private key, the password must be entered every time it is used, which sometimes feels very troublesome. For example, when using the scp command to copy files remotely, the password is required every time.

The ssh-agent command is designed to solve this problem. It allows the user to enter the password only when using the SSH command for the first time in the entire Bash session (session), and then save the private key in the memory. There is no need to enter the password of the private key anymore.

The first step is to use the following command to create a new command line dialog.

$ ssh-agent bash

In the above command, if the command line environment you are using is not Bash, you can use other Shell commands instead. Such as zsh and fish.

If you want to enable ssh-agent in the current session, you can use the following command.

$ eval `ssh-agent`

In the above command, ssh-agent will automatically run in the background first, and output the environment variables that need to be set on the screen, similar to the following.

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-barrett/ssh-22841-agent; export SSH_AUTH_SOCK;
SSH_AGENT_PID=22842; export SSH_AGENT_PID;
echo Agent pid 22842;

The function of the eval command is to run the output of the above ssh-agent command and set environment variables.

In the second step, in the newly created Shell dialog, use the ssh-add command to add the default private key (such as ~/.ssh/id_rsa, or ~/.ssh/id_dsa, or ~/.ssh /id_ecdsa, or ~/.ssh/id_ed25519).

$ ssh-add
Enter passphrase for /home/you/.ssh/id_dsa: ********
Identity added: /home/you/.ssh/id_dsa (/home/you/.ssh/id_dsa)

In the above example, when adding a private key, a password will be required. In the future, when the key is used in this conversation, there is no need to enter the password of the private key, because the private key has already been loaded into the memory.

If you are not adding the default private key, the ssh-add command needs to explicitly specify the private key file.

$ ssh-add my-other-key-file

In the above command, my-other-key-file is the private key file specified by the user.

The third step is to use the ssh command to log in to the remote server normally.

$ ssh remoteHost

In the above command, remoteHost is the address of the remote server, and ssh uses the default private key. At this time, if the private key has a password, ssh will no longer ask for the password, but directly take out the private key in the memory.

If you want to use another private key to log in to the server, you need to use the -i parameter of the ssh command to specify the private key file.

$ ssh –i OpenSSHPrivateKey remoteHost

Finally, if you want to exit ssh-agent, you can directly exit the sub-Shell (press Ctrl + d), or you can use the following command.

$ ssh-agent -k

ssh-add command

The ssh-add command is used to add the private key to ssh-agent, it has the following parameters.

(1)-d

The -d parameter deletes the specified private key from the memory.

$ ssh-add -d name-of-key-file

(2)-D

The -D parameter deletes all private keys that have been added from the memory.

$ ssh-add -D

(3)-l

The -l parameter lists all the private keys that have been added.

$ ssh-add -l

Turn off password login

For security, after enabling key login, it is best to turn off the server's password login.

For OpenSSH, the specific method is to open the configuration file /etc/ssh/sshd_config of the server sshd and set the item PasswordAuthentication to no.

PasswordAuthentication no

After modifying the configuration file, do not forget to restart sshd, otherwise it will not take effect.