Install OpenSSH on Windows and log in to the Linux server by generating an SSH key

The full name of SSH is Secure SHell. By using SSH, you can encrypt all transmitted data, making "man-in-the-middle" attacks impossible, and also preventing DNS and IP spoofing. An additional benefit is that the transmitted data is compressed, so the transmission speed can be accelerated. SSH has many functions. It can replace telnet and provide a secure "channel" for ftp, pop, and even ppp.

SSH was originally developed by a company in Finland. However, due to copyright and encryption algorithm restrictions, many people now use OpenSSH

OpenSSH is an open source version of the SSH protocol (SSH: Secure SHell).

Today I will introduce how to install OpenSSH in Windows and generate keys using the ssh-keygen command;

1. Download OpenSSH

2. Install OpenSSH

1. Language selection: Chinese and English are both acceptable

Next step

"Accept Agreement" to continue

Here, because we are using SSH to connect to Linux, we only need the client, and cancel the "Server" option.

Complete openssh installation under Windows

3. Test whether SSH is installed successfully

Enter the windows command line tool, enter the ssh command, and the following information appears, indicating that our installation is successful

4. Use the ssh-keygen command to generate a key pair (public key and corresponding private key)

The specific parameters of ssh-keygen are as follows:

-a trials
The basic number of tests to perform when screening DH-GEX prime candidates for security using -T.
-B Displays the bubblebabble digest of the specified public/private key file.
-b bits
Specify the key length. For RSA keys, the minimum requirement is 768 bits, and the default is 2048 bits. DSA keys must be exactly 1024 bits (a requirement of the FIPS 186-2 standard).
-C comment
Provide a new comment
-c Requests modification of comments in private and public key files. This option is only supported for RSA1 keys.
The program will prompt for the private key file name, passphrase (if one exists), and new comment.
-D reader
Download the RSA public key stored in the smart card reader.
-e Read an OpenSSH private or public key file and display it on stdout in the RFC 4716 SSH public key file format.
This option can export keys for various commercial versions of SSH.
-F hostname
Searches the known_hosts file for the specified hostname and lists all matches.
This option is mainly used to find hashed hostnames/IP addresses. It can also be used in conjunction with the -H option to print the hash value of the found public key.
-f filename
Specify the key file name.
-G output_file
Generate candidate prime numbers for DH-GEX. These prime numbers must be screened for safety using the -T option before use.
-g Use the generic DNS format when printing fingerprint resource records with -r.
-H Hash the known_hosts file. This will replace all hostnames/ip addresses in the file with the corresponding hashed values.
The contents of the original file will be saved with a ".old" suffix added. These hashes can only be used by ssh and sshd.
This option will not modify already hashed hostnames/ip addresses, so it can be safely used on files where some public keys have already been hashed.
-i Read an unencrypted SSH-2 compatible private/public key file and display an OpenSSH compatible private/public key on stdout.
This option is mainly used to import keys from various commercial versions of SSH.
-l Displays the fingerprint data of the public key file. It also supports RSA1 private keys.
For RSA and DSA keys, the corresponding public key file will be found and its fingerprint data will be displayed.
-M memory
Specifies the maximum amount of memory (in MB) to use when generating DH-GEXS prime candidates.
-N new_passphrase
Provide a new secret phrase.
-P passphrase
Provide the (old) secret phrase.
-p Requests changing the password of a private key file without rebuilding the private key. The program will prompt for the private key file name, the original passphrase, and two new passphrases.
-q Quiet mode. Used when creating new keys in /etc/rc.
-R hostname
Delete all keys belonging to hostname from the known_hosts file.
This option is mainly used to delete the keys of hashed hosts (see the -H option).
-r hostname
Print the SSHFP fingerprint resource record for the public key file named hostname.
-S start
Specifies the starting point (in hexadecimal) when generating DH-GEX candidate moduli.
-T output_file
Tests the security of the Diffie-Hellman group exchange prime candidates (generated with the -G option).
-t type
Specifies the type of key to create. You can use: "rsa1" (SSH-1) "rsa" (SSH-2) "dsa" (SSH-2)
-U reader
Upload the existing RSA private key to the smart card reader
-v Verbose mode. ssh-keygen will output detailed debugging information about the process. Often used to debug the modulus generation process.
Repeating the -v option multiple times will increase the verbosity of the information (maximum 3 times).
-W generator
Specifies the generator you want to use when testing candidate moduli for DH-GEX
-y Read a public key file in OpenSSH proprietary format and display the OpenSSH public key on stdout.

The parameters we commonly use are basically the following:

-t: Specifies the type of key to create. You can use: "rsa1" (SSH-1) "rsa" (SSH-2) "dsa" (SSH-2); the default is RSA

-b: Specifies the key length. For RSA keys, the minimum requirement is 768 bits, and the default is 2048 bits. DSA keys must be exactly 1024 bits (a requirement of the FIPS 186-2 standard).

-f : Specify the key file name

-C: Specify key comment

Enter "ssh-keygen -t rsa -b 4096 -C "192.168.1.1"" in the command line tool. The following information is prompted. Here I set the key bit number to 4096. The default is 2048.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>ssh-keygen -t rsa -b 4096 -C "192.168.1.1"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/Administrator1/.ssh/id_rsa): key #Enter the file name here. Windows requires input. If you do not enter it, an error will occur. Enter passphrase (empty for no passphrase): #Enter the key passphrase, which can be understood as the key password. You do not need to enter it. Enter same passphrase again: #Enter the key password again. Your identification has been saved in key.
Your public key has been saved in key.pub.
The key fingerprint is:
SHA256:Ke9MH5QsT19TJqQgimryAn27Vp+MuIFeIff/2VL6hQE 192.168.1.1
The key's randomart image is:
+---[RSA 4096]----+
| . . . |
| . . . . o |
| . . E . . o|
| . . oo + |
|o = + . S = . o |
|.+ = +.o = ..+ . |
|. o +o.+o.ooo . |
| o .oo.=+.o+ . |
| ..o. +.+oo |
+----[SHA256]-----+

C:\Users\Administrator>

After completion, open the current user directory to see if there is a key file that has just been generated. In fact, there should be two files. key is the private key and key.pub is the public key.

My current user directory is "C:\Users\Administrator", which may be different from yours

5. Linux server SSH settings

After generating the key pair, you also need to upload the public key, the key.pub file we just generated, to the Linux server

Note: The upload location is the .ssh directory in the home directory of the user we log in to Linux

If the directory does not exist, you need to create the ~/.ssh directory and set the directory permissions to 700).

Rename the public key to authorized_keys and set its user permissions to 600

For example: /root/.ssh/

Then rename the key.pub file we uploaded to: authorized_keys

[root@server ~]# mv key.pub authorized_keys
[root@server ~]# chmod 700 .ssh
[root@server ~]# chmod 600 authorized_keys

OK, now you can use SSH keys to connect to the Linux server

If you fail to connect, please check that the permissions on the .ssh directory and the authorized_keys file are correct.

For more articles about SSH connection to Linux server, please check the following related articles