Linux configuration SSH password-free login "ssh-keygen" basic usage

1 What is SSH

Quoting Baidu Encyclopedia:

SSH is the abbreviation of Secure Shell, which was developed by the Network Working Group of IETF. It is a security protocol based on the application layer.

SSH is currently the most reliable protocol designed to provide security for remote login sessions and other network services. Using the SSH protocol can effectively prevent information leakage during remote management.

SSH was originally a program on UNIX systems and later quickly expanded to other operating platforms.

To secure communication between hosts on different platforms or networks, we often need to authenticate over SSH. There are two main SSH authentication methods:

① Password-based authentication: you must enter your username and password every time you log in. Because the password is transmitted over the network, there may be a risk of man-in-the-middle attacks;
② Key-based authentication: once configured, you can log in without a password. This method is more secure: no password is passed over the network, and only the public key needs to be transferred once. The common git SSH method also authenticates by public key.

2 Configure SSH password-free login

Note: The server operating system used in this demonstration is CentOS 7. Our goal is:

Server A (172.16.22.131) can log in to Server B (172.16.22.132) without a password.

Note: the SSH trust is one-way. A can log in to B without a password, but that does not allow B to log in to A without a password.

2.1 Installing required software

Before operation, make sure the required software has been installed properly.

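Here we need ssh-keygen and ssh-copy-id. The installation attempt looks like this:

# Install ssh-keygen (the server must be able to reach the Internet). It is already installed here, so nothing needs to be done.
# yum reports "No package" because there is no package with this name: on CentOS 7 the ssh-keygen binary ships in the openssh package.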
[root@localhost ~]# yum install -y ssh-keygen
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00:00  
epel | 3.6 kB 00:00:00  
extras | 2.9 kB 00:00:00  
updates | 2.9 kB 00:00:00  
Loading mirror speeds from cached hostfile
No package ssh-keygen available.
Error: Nothing to do

# Install ssh-copy-id (on CentOS 7 the binary ships in the openssh-clients package, hence "No package" below)
[root@localhost ~]# yum install -y ssh-copy-id 
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
No package ssh-copy-id available.
Error: Nothing to do

2.2 ssh-keygen creates a public-private key pair

(1) Generate an RSA key in the specified directory and specify the comment as "shoufeng". Implementation example:

[root@localhost ~]# ssh-keygen -t rsa -f ~/.ssh/id_rsa -C "shoufeng"
# -t: key type; -f: key file path and name; -C: remarks (comment)
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):    # Enter the password, or press Enter if you do not want to set one
Enter same passphrase again:                   # Confirm the password again, or press Enter if you do not want to set one
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
9a:e3:94:b9:69:c8:e9:68:4b:dc:fa:43:25:7f:53:f1 shoufeng
The key's randomart image is:
+--[RSA 2048]----+
| |
| . |
| o |
| . . . E |
| + S. |
| . .. .=o |
|oo.oB. . |
| ..o=o.+ |
| .++oo+ |
+-----------------+

Note: The key file name must be id_xxx, where xxx is the key type specified by the -t parameter. For example, if the key type is rsa, then the key file name must be id_rsa.

(2) Description of common parameters of ssh-keygen:

-t: key type, you can choose dsa | ecdsa | ed25519 | rsa;

-f: key directory location, the default is the .ssh hidden directory under the current user's home path, that is, ~/.ssh/, and the default key file name starts with id_rsa. If it is the root user, it is in /root/.ssh/id_rsa, if it is other users, it is in /home/username/.ssh/id_rsa;

-C: specifies the remark information of this key. It is recommended to carry it when you need to configure multiple password-free logins;

-N: specifies the password (passphrase) for this key pair. If this parameter is given, ssh-keygen does not prompt for the password interactively.

For example, specify the file location, password and comment at the same time, so the key is created without pressing Enter at any prompt:

ssh-keygen -t rsa -f ~/.ssh/id_rsa -N shoufeng -C shoufeng

(3) Go to the ~/.ssh/ directory to view the generated files:

# The generated files start with id_rsa: id_rsa is the private key, id_rsa.pub is the public key:
[root@localhost .ssh]# ls
id_rsa id_rsa.pub

# View the public key file through the cat command: 
[root@localhost .ssh]# cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2JpLMqgeg9jB9ZztOCw0WMS8hdVpFxthqG1vOQTOji/cp0+8RUZl3P6NtzqfHbs0iTcY0ypIJGgx4eXyipfLvilV2bSxRINCVV73VnydVYl5gLHsrgOx+372Wovlanq7Mxq06qAONjuRD0c64xqdJFKb1OvS/nyKaOr9D8yq/FxfwKqK7TzJM0cVBAG7+YR8lc9tJTCypmNXNngiSlipzjBcnfT+5VtcFSENfuJd60dmZDzrQTxGFSS2J34CuczTQSsItmYF3DyhqmrXL+cJ2vjZWVZRU6IY7BpqJFWwfYY9m8KaL0PZ+JJuaU7ESVBXf6HJcQhYPp2bTUyff+vdV shoufeng
# The comment "shoufeng" appears at the end of the line

2.3 ssh-copy-id sends A's public key to B

The default usage is: ssh-copy-id [email protected]. The default port of the ssh-copy-id command when connecting to the remote server is 22. Of course, you can specify the file, remote host IP, user and port:

# Specify the local file to be copied, the remote host's IP+user name+port number:
[root@localhost .ssh]# ssh-copy-id -i ~/.ssh/id_rsa.pub -p 22 [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:    # After entering the password, the public key will be copied

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p '22' '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

2.4 Log in to server B from server A without password

[root@localhost .ssh]# ssh [email protected]
Last login: Fri Jun 14 08:46:04 2019 from 192.168.34.16 # Login successful😄

3 Extended description

3.1 Other ways to send public key files

Step 2.3 above sends the public key file with the ssh-copy-id tool. The same result can be achieved in other ways:

(1) Send A's public key file to B:

Use the scp command to send the public key file of server A to the user directory of server B. Because the password-free login has not been successfully configured, you need to enter the password of the corresponding user of server B:

[root@localhost .ssh]# scp id_rsa.pub [email protected]:/root/.ssh 
[email protected]'s password: 
id_rsa.pub 100% 390 0.4KB/s 00:00

(2) Create the authorized_keys file on B:

[root@localhost .ssh]# cd /root/.ssh/
[root@localhost .ssh]# ls
id_rsa.pub
# Generate the "authorized_keys" file using the public key of server A:
[root@localhost .ssh]# cat id_rsa.pub >> authorized_keys
[root@localhost .ssh]# cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2JpLMqgeg9jB9ZztOCw0WMS8hdVpFxthqG1vOQTOji/cp0+8RUZl3P6NtzqfHbs0iTcY0ypIJGgx4eXyipfLvilV2bSxRINCVV73VnydVYl5gLHsrgOx+372Wovlanq7Mxq06qAONjuRD0c64xqdJFKb1OvS/nyKaOr9D8yq/FxfwKqK7TzJM0cVBAG7+YR8lc9tJTCypmNXNngiSlipzjBcnfT+5VtcFSENfuJd60dmZDzrQTxGFSS2J34CuczTQSsItmYF3DyhqmrXL+cJ2vjZWVZRU6IY7BpqJFWwfYY9m8KaL0PZ+JJuaU7ESVBXf6HJcQhYPp2bTUyff+vdV shoufeng

Note: use >> (append) for the redirection above. Do not use >, which would clear the original content of the file.
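
Steps (1) and (2) above as one idempotent function, an added example that is not part of the original article: it checks that the file holds a single public-key line, creates the .ssh directory and authorized_keys with owner-only modes, and appends the key only if it is not already present. The name install_pubkey and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. install_pubkey and its
# arguments are hypothetical names.
# usage: install_pubkey <public-key-file> [ssh-dir]   (run on server B)
install_pubkey() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    # Accept exactly one line shaped like "<type> <base64> [comment]".
    # A private key copied over by mistake fails this check.
    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 2; }
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 2; }
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( .*)?$' "$pub" ||
        { echo "not an OpenSSH public key: $pub" >&2; return 2; }

    # Create directory and file with owner-only access (umask is local to
    # this subshell and does not leak into the caller).
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on the base64 blob so a different comment is not a "new" key.
    key=$(awk '{print $2}' "$pub")
    if grep -qF -- "$key" "$auth"; then
        echo "already installed"
        return 0
    fi

    # If the last existing line lacks a newline, add one so two keys never
    # end up merged on a single line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$(cat "$pub")" >> "$auth"
    echo "added"
)

# Run directly: sh install_pubkey.sh /root/.ssh/id_rsa.pub
if [ "$#" -gt 0 ]; then install_pubkey "$@"; fi
```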

3.2 File Permissions

For the private key file and the public key file to work during authentication, their permissions must be correct:

① For the .ssh directory and the public and private key files in it, the current user must have at least execute permission, and other users can have execute permission at most.

② Don't set permissions to 777 for the sake of convenience: overly broad permissions are unsafe, and digital signatures do not support this permission strategy.

③ For ordinary users, it is recommended to set the permission to 600: chmod 600 authorized_keys id_rsa id_rsa.pub;

④ For the root user, it is recommended to set the permission to 644: chmod 644 authorized_keys id_rsa id_rsa.pub.
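
The mode checks OpenSSH itself applies, as an added audit function that is not part of the original article: sshd with StrictModes (its default) refuses key login when the .ssh directory or authorized_keys is writable by group or others, and the ssh client ignores a private key that group or others can access at all, for root as well as for ordinary users. The name audit_ssh_perms is hypothetical, `stat -c` assumes GNU coreutils, and only mode bits are checked, not ownership.

```shell
#!/bin/sh
# Added example, not from the original article. audit_ssh_perms is a
# hypothetical name; "stat -c" assumes GNU coreutils (as on CentOS 7).
# usage: audit_ssh_perms [ssh-dir]
# Prints one finding per line; returns 1 if anything would be rejected.
audit_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    bad=0

    # sshd (StrictModes yes) refuses key login when the .ssh directory or
    # authorized_keys is writable by group or others (mode & 022).
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        m=$(stat -c '%a' "$f")
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "WRITABLE $m $f"
            bad=1
        fi
    done

    # The ssh client ignores a private key that group or others can access
    # in any way (mode & 077). Private keys are recognised by their PEM
    # header, so the check does not depend on the file name.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q 'PRIVATE KEY-----$' || continue
        m=$(stat -c '%a' "$f")
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "EXPOSED $m $f"
            bad=1
        fi
    done
    return "$bad"
}

# Run directly: sh audit_ssh_perms.sh /root/.ssh
if [ "$#" -gt 0 ]; then audit_ssh_perms "$@"; fi
```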

3.3 Editing and viewing files

In a Linux environment, if you want to view or copy the private key, public key or authorized_keys file, do not open it in an editor such as vim, as it will generate unnecessary carriage returns;

Instead, use viewing commands such as cat, more or less to print the content to the terminal, and then view or copy it from there.

Summary

The above is the basic usage of "ssh-keygen" for configuring SSH password-free login in Linux introduced by the editor. I hope it will be helpful to everyone. If you have any questions, please leave me a message and the editor will reply to you in time. I would also like to thank everyone for their support of the 123WORDPRESS.COM website!