There are a number of Chinese articles on the Internet about establishing SSH trust between Linux machines, but most are not very detailed. This article collects the relevant information in one place and explains clearly how to set up a trust relationship between several machines. (Text: Chen Yunwen)
1. The basic operation of establishing a trust relationship
The basic scenario is logging in directly from one server to another, or copying data from the Server to the Client without entering a password. Below, the machine that initiates the connection and holds the data to be sent is called S (Server), and the machine that receives the connection is called C (Client). Note that in SSH's own terminology the roles are the other way round: S runs the ssh/scp client and C runs the sshd daemon; the names S and C here follow the original article. The simplest way to establish the trust relationship is as follows:
1. On S, enter the hidden directory .ssh in the current user's home directory:
cd ~/.ssh
(Note: the leading "." in the directory name marks it as a hidden directory, which plain ls does not show; use ls -a to see it. On a fresh account the directory may not exist yet; ssh-keygen in the next step creates it with the correct permissions, or you can create it yourself with mkdir -m 700 ~/.ssh.)
2. Generate S's key pair (private key and public key):
ssh-keygen -t rsa
(RSA and DSA are introduced in the second half of this article.)
ssh-keygen generates the key pair on which the trust relationship rests.
- It first prints "Generating public/private rsa key pair." and prompts for the path and file name of the key files. The default is /home/username/.ssh/id_rsa (the public key is written next to it as id_rsa.pub). Usually there is no need to change this; just press Enter.
- "Enter passphrase (empty for no passphrase):" is usually answered by pressing Enter, i.e. no passphrase. Be aware of what this means: the private key is then stored unencrypted, and anyone who can read the file can log in to every machine that trusts it. That is acceptable for a locked-down automation account, but then the file permissions (see the notes below) are the only protection.
- "Enter same passphrase again:" press Enter again.
- Finally the key fingerprint is displayed. Running ls in the .ssh directory now shows the private key file id_rsa and the public key file id_rsa.pub.
The following are various supplementary explanations:
Note 1: If ssh-keygen asks "id_rsa already exists. Overwrite (y/n)?", a key pair was generated earlier. Answer n and keep using the existing files. Answering y is not harmless: the old private key is destroyed, and every machine that trusts the old public key stops accepting logins from S until the new public key has been distributed to it.
Note 2: The public key (pub is short for public) can be handed out freely; the private key must stay on S and be readable only by its owner. In SSH public-key authentication the keys are not used to encrypt the session: C sends a challenge, S signs it with the private key, and C verifies the signature against the public key stored in authorized_keys. (When the same kind of key pair is used for encryption, the public key encrypts and only the holder of the private key can decrypt.)
3. Load the private key on S
Still in the .ssh directory, execute:
ssh-add id_rsa
If it prints "Identity added: id_rsa (id_rsa)", the key has been loaded into the agent. Strictly speaking this step is optional: the ssh and scp clients read ~/.ssh/id_rsa automatically when the file has its default name and no passphrase. ssh-add is needed when the key has a non-default name, or has a passphrase that you want to type only once per session.
Several errors can occur here:
- "Could not open a connection to your authentication agent": no ssh-agent is running in this shell. Start one with
ssh-agent bash
(or eval "$(ssh-agent -s)" to keep the current shell) and then run ssh-add id_rsa again.
- "id_rsa: No such file or directory": the private key file cannot be found. Check that the current directory is .ssh, and that the key was not given another name when it was created (for example aa_rsa); if so, use that name in the ssh-add command.
- "command not found": the command was mistyped.
- "Agent admitted failure to sign using the key": the private key was not loaded successfully; run ssh-add again.
- Do not delete id_rsa or id_rsa.pub; keep them in the .ssh directory.
4. Copy the public key to C
This is a single scp command, for example:
scp id_rsa.pub user@1.11.xx.xx:~
5. Log in to C with ssh and append the public key to the end of the authorized_keys file (this file also lives in the hidden .ssh directory; if it does not exist yet, the >> redirection creates it, but the .ssh directory itself must exist):
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
(OpenSSH also ships ssh-copy-id, which performs steps 4 and 5 in one go when run on S: ssh-copy-id -i ~/.ssh/id_rsa.pub user@1.11.xx.xx)
The following are various supplementary explanations, which can be referred to when encountering problems:
Note 1: Do not overwrite the file. Some tutorials scp id_rsa.pub directly onto C's authorized_keys, which wipes out every trust relationship set up earlier; appending with >> is the reliable way.
Note 2: After the cat, the copy of id_rsa.pub in C's home directory is no longer needed and can be deleted or moved elsewhere; the line in authorized_keys is now the record of the trust.
Note 3: The -b option of ssh-keygen sets the key length in bits (not bytes). For RSA, OpenSSH defaults to 2048 bits (3072 since OpenSSH 8.0) and refuses keys shorter than 1024 bits; ssh-keygen -t rsa -b 4096 is a common choice for longer-lived keys. For ordinary use the default length is sufficient.
Note 4: Permissions of the authorized_keys file. If a password is still requested after the steps above and there is no other error, check the permissions: sshd (with its default StrictModes yes) ignores authorized_keys when the file, the .ssh directory or the home directory is writable by group or others. Fix with
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod g-w authorized_keys alone removes only the group-write bit, which is the most common cause but not the only one. The reason a key was refused is logged on C in /var/log/secure (RHEL/CentOS) or /var/log/auth.log (Debian/Ubuntu).
OK. Now try copying a file from S to C; it should go through without any prompt.
Note that at this point transferring data from C to S still requires a password. If the two machines need to reach each other without passwords, repeat the steps above with the roles swapped (generate a key pair on C and append its public key to authorized_keys on S).
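The five steps above collected into one script, as an added example that is not part of the original article (the function names install_pubkey, push_trust and verify_trust, the sample key lines and the user@host value are my own; POSIX sh with awk and grep is assumed). It keeps the article's rule of appending with >> rather than overwriting, and adds two checks a practitioner wants: the same key is never appended twice, and the permissions that sshd's StrictModes insists on are set.

```shell
#!/bin/sh
# Added example, not from the article. Assumes POSIX sh, awk and grep.

# install_pubkey <public-key-file> <authorized_keys-path>
# Appends the key unless an identical key is already present.
# Returns 0 if the key was appended, 1 if it was already there.
install_pubkey() {
    pub=$1
    ak=$2
    # An authorized_keys line is "<type> <base64 blob> [comment]". Match on
    # type+blob, not on the comment: the comment (user@host) is free text.
    keyid=$(awk 'NR==1 {print $1 " " $2}' "$pub")
    akdir=$(dirname "$ak")
    mkdir -p "$akdir"
    chmod 700 "$akdir"            # ~/.ssh must not be group/world-writable
    [ -f "$ak" ] || : > "$ak"     # create the file if it does not exist
    chmod 600 "$ak"               # authorized_keys must not be writable by others
    if grep -qF -- "$keyid" "$ak"; then
        return 1                  # already trusted: nothing to do
    fi
    cat "$pub" >> "$ak"           # append (>>), never overwrite (>)
}

# push_trust <user@host> [public-key-file]
# Steps 4 and 5 in one round trip, run on S. No temporary id_rsa.pub is left
# in the remote home directory, and the key is not duplicated. Asks for the
# password once; afterwards key login should work.
push_trust() {
    target=$1
    pub=${2:-$HOME/.ssh/id_rsa.pub}
    keyid=$(awk 'NR==1 {print $1 " " $2}' "$pub")
    # umask 077 makes ~/.ssh 700 and authorized_keys 600 if created here.
    ssh "$target" "umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys; grep -qF -- '$keyid' ~/.ssh/authorized_keys || cat >> ~/.ssh/authorized_keys" < "$pub"
}

# verify_trust <user@host>
# Exits non-zero instead of falling back to a password prompt when key
# authentication is not working, which is what scripts should check.
verify_trust() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "$1" true
}
```

On S, push_trust user@1.11.xx.xx asks for the password once; afterwards verify_trust user@1.11.xx.xx returns 0 without a prompt, or 255 with an error message if key authentication did not work. A cron job or deployment script should test that rather than hang on a password prompt. install_pubkey is the same logic applied locally, for a public key that arrived by other means.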
2. Removing the trust relationship between servers
To cancel the trust between two machines, it is not enough to delete files on S: removing id_rsa.pub there has no effect at all, and removing id_rsa would also break every other relationship that uses the same key. The authoritative record is C's ~/.ssh/authorized_keys: open it, find the entry for the corresponding S and delete that line.
Each entry is one line that begins with the key type (ssh-rsa) and usually ends with the comment ssh-keygen added, the account and host of S (the red box in the figure below). Pick the line carefully and delete it whole; that removes the trust relationship between the two Linux machines. Since the comment is free text and may have been edited, it is safer to identify an entry by its key material or fingerprint: ssh-keygen -lf authorized_keys on C prints one fingerprint per line, and ssh-keygen -lf id_rsa.pub on S prints the one to look for.
3. Possible problems and how to handle them
- "Port 22: Connection refused"
Possible causes: no SSH daemon is listening on C (openssh-server is not installed or sshd is not running), or a firewall blocks the port. Check with ss -tlnp | grep :22 (or netstat -tlnp) and systemctl status sshd (the service is called ssh on Debian/Ubuntu). On Debian/Ubuntu the server is installed with:
sudo apt-get install openssh-server
(Package names are lowercase.) If no package manager is available, OpenSSH can be built from the source tarballs on the OpenSSH mirrors. Note that the download sometimes recommended,
wget ftp.ssh.com/pub/ssh/ssh-3.2.9.1.tar.gz
is SSH Communications Security's commercial SSH, not OpenSSH; its key formats differ from OpenSSH's (see section 5).
- Permissions of directories and files
The .ssh directory must be mode 700, and the private key on S must be mode 600:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
Otherwise the ssh client refuses to use the key ("WARNING: UNPROTECTED PRIVATE KEY FILE!") and falls back to asking for a password; on the C side, sshd likewise refuses a .ssh directory, authorized_keys file or home directory that is writable by group or others.
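A permission audit for both sides, as an added example that is not part of the original article (the function names are my own; POSIX sh and a stat(1) that understands either GNU -c %a or BSD -f %Lp are assumed). It applies the same rules the ssh client and sshd apply: the home directory, ~/.ssh and authorized_keys must not be writable by group or others, and the private key must not be readable by anyone but its owner.

```shell
#!/bin/sh
# Added example, not from the article. Assumes POSIX sh and GNU or BSD stat.

# mode_of <path>: octal permission bits, e.g. 700 or 644
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# last_two_digits <mode>: the group and other digits of an octal mode
last_two_digits() {
    m=$1
    prefix=${m%??}
    echo "${m#$prefix}"
}

# group_or_other_writable <path>: succeeds if the group or other write bit is
# set. sshd (StrictModes yes) rejects ~/.ssh, authorized_keys and the home
# directory when this is true.
group_or_other_writable() {
    case $(last_two_digits "$(mode_of "$1")") in
        [2367]?|?[2367]) return 0 ;;
    esac
    return 1
}

# readable_by_others <path>: succeeds if any group or other bit is set.
# The ssh client refuses a private key for which this is true.
readable_by_others() {
    [ "$(last_two_digits "$(mode_of "$1")")" != "00" ]
}

# check_ssh_perms <home-dir> [private-key-file]
# Prints one line per problem and returns the number of problems found
# (0 means every checked path is acceptable). Paths that do not exist are skipped.
check_ssh_perms() {
    home=$1
    key=$2
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if group_or_other_writable "$p"; then
            echo "$p: mode $(mode_of "$p") is writable by group/other -> chmod go-w"
            problems=$((problems + 1))
        fi
    done
    if [ -n "$key" ] && [ -e "$key" ] && readable_by_others "$key"; then
        echo "$key: mode $(mode_of "$key") is readable by group/other -> chmod 600"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run check_ssh_perms "$HOME" on C to see why a key in authorized_keys is being ignored, and check_ssh_perms "$HOME" ~/.ssh/id_rsa on S to see why the client is not offering the key. Either side silently falls back to password authentication, so this check is worth running before reading the server log.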
4. About the RSA and DSA algorithms
In ssh-keygen the key type is chosen with the -t option: rsa or dsa (current versions also offer ecdsa and ed25519).
RSA is named after the initials of its three authors, Ron Rivest, Adi Shamir and Leonard Adleman. It is an asymmetric (public-key) algorithm whose security rests on the difficulty of factoring large integers (recovering the two primes from their product). Many articles explain the RSA algorithm in detail for readers who are interested.
DSA (Digital Signature Algorithm) is based on the discrete logarithm problem in finite fields and is a variant of the Schnorr and ElGamal signature schemes. It is used only for digital signatures and authentication, and was adopted by NIST as the Digital Signature Standard (DSS).
DES (Data Encryption Standard) is something else entirely: a symmetric block cipher, now obsolete, which plays no part in key-based login.
RSA keys are easy to manage on a network, and RSA can both sign and encrypt; its private-key operations are comparatively slow, which is why it is used for authentication and key exchange rather than for bulk encryption. For establishing trust both key types work, but they are not equal today: OpenSSH limits DSA keys to 1024 bits and has disabled ssh-dss by default since OpenSSH 7.0 (2015), so new keys should be RSA (2048 bits or more) or Ed25519 (ssh-keygen -t ed25519).
5. Introduction to the SSH protocol
SSH stands for Secure Shell. The protocol was specified by the Network Working Group of the IETF (Internet Engineering Task Force). Its main purpose is to replace telnet and the r-commands (rlogin, rsh, rexec, etc.) for remote login and remote command execution, encrypting both so that passwords cannot be captured by sniffing the network and then used against the system.
There are two protocol versions, SSH1 and SSH2. They are not wire-compatible, but one implementation can support both. Today SSH1 is obsolete and should not be used (OpenSSH removed SSH1 support in version 7.6). The main implementations are OpenSSH and the commercial SSH product of SSH Communications Security Corporation. The former is free software developed by the OpenBSD project and is the SSH implementation shipped with Linux, FreeBSD, OpenBSD, NetBSD and other free Unix-like systems, which is why this article focuses on OpenSSH. Note that the public/private key formats of OpenSSH and SSH Communications differ: to log in to a Linux system running OpenSSH with a key pair generated by SSH Communications, the keys must be converted (ssh-keygen -i imports a public key in that format into OpenSSH's format).
On the first login to a host, ssh stores the host's key fingerprint in the known_hosts file in the user's ~/.ssh directory. If the remote host has been reinstalled and its host key has changed, ssh refuses to connect and prints a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning. Confirm out of band that the change is expected (the same warning appears if someone is impersonating the host), then remove the old entry with ssh-keygen -R hostname, or delete the corresponding line from ~/.ssh/known_hosts, and log in again. Remember that .ssh is a hidden directory starting with "." and needs ls -a to be seen. Its permissions must be 700, and the user's home directory must not be writable by other users, otherwise the SSH server refuses the key. If login fails, check the log file /var/log/secure (or /var/log/auth.log) on the server; the reason can usually be found quickly.
6. Notes on the configuration of the ssh_config and sshd_config files
/etc/ssh/ssh_config (client-side defaults; option names are case-insensitive, the canonical spelling is shown):
Host *
The options following a "Host" line apply only to hosts matching the given pattern; "*" means all hosts.
ForwardAgent no
Whether the connection to the authentication agent (if one is running) is forwarded to the remote machine. Leave it off unless it is needed: root on the remote host could use the forwarded agent to authenticate with your keys.
ForwardX11 no
Whether X11 connections are automatically redirected over the secure channel and DISPLAY is set.
RhostsAuthentication no
Whether rhosts-based authentication is used (SSH1 only; obsolete).
RhostsRSAAuthentication no
Whether rhosts-based authentication combined with RSA host authentication is used (SSH1 only; obsolete).
RSAAuthentication yes
Whether RSA public-key authentication is attempted (SSH1 only; the SSH2 equivalent is PubkeyAuthentication).
PasswordAuthentication yes
Whether password authentication is used.
FallBackToRsh no
Whether to fall back to rsh automatically when the ssh connection fails (obsolete, and a downgrade to a cleartext protocol; keep it off).
UseRsh no
Whether to use rlogin/rsh for this host (obsolete).
BatchMode no
If set to "yes", prompts for passphrases and passwords are suppressed. This is useful for scripts and batch jobs that cannot answer prompts interactively: the command fails instead of hanging.
RhostsAuthentication, RhostsRSAAuthentication, RSAAuthentication, FallBackToRsh and UseRsh belong to the SSH1 era; current OpenSSH either ignores them with a warning or rejects them as unknown options, so they should be removed from configuration files rather than set.