Detailed explanation of SSH password free login
2022-07-05 13:57:00 【Brother Xing plays with the clouds】
To better understand how SSH passwordless login works, first consider how SSH verifies security. SSH uses an "asymmetric key system", the familiar public key and private key encryption scheme, and its security verification comes in two levels.
1. Password-based security verification
With this method you log in with your user name and password; it is the method generally used. The whole process is as follows:
(1) The client initiates a connection request.
(2) The remote host receives the user's login request and sends its public key to the client.
(3) The client receives the remote host's public key, uses it to encrypt the login password, and sends the encrypted password together with its own public key to the remote host.
(4) The remote host receives the client's public key and the encrypted login password and decrypts the password with its own private key. If the password is correct, login is allowed. At this point each side holds the other's public key, and two-way encryption and decryption begins.
PS: Suppose a fake server B on the network impersonates the remote host. The client's connection request is intercepted by server B, which sends its own public key to the client. The client encrypts the password and sends it to the fake server, which recovers the password with its own private key and can then do whatever it wants. For this reason, the first time you connect to a remote host, step (3) above shows you the remote host's "public key fingerprint" so that you can confirm the host is genuine. If you choose to continue, you can enter your password to log in, and once the remote host accepts it, the server's public key is saved to the ~/.ssh/known_hosts file.
2. Key-based security verification
With this method you create a key pair for yourself in the current user's home directory and place the public key on the server you want to log in to. When you connect, the client asks the server to authenticate with the key. On receiving the request, the server looks for your public key in the home directory of the user you are logging in as and compares it with the public key you sent. If the two match, the server encrypts a "challenge" with the public key and sends it to the client. The client decrypts the challenge with its own private key and sends the result back to the server. Compared with the first level, the second level does not need to send the password over the network.
PS: Put simply, the client's public key is placed on the server, and the client can then log in without a password. Where on the server does the client's public key go? By default, in the authorized_keys file in the .ssh directory under the home directory of the user you log in as (that is, ~/.ssh/authorized_keys).
3. Usage scenarios
Passwordless login for automated rsync backups, and cluster environments where hosts need to communicate with each other, such as Hadoop. So far I have only dealt with these two cases; other uses will be added later.
3. Related configuration items
The configuration file for the sshd service is /etc/ssh/sshd_config.
Configuration item 1: PubkeyAuthentication, whether login with key authentication is allowed.
Configuration item 2: AuthorizedKeysFile, the file that stores the public keys of the hosts allowed to log in; the default is .ssh/authorized_keys in the user's home directory.
4. Permissions
.ssh folder: 700 (chmod 700 .ssh)
authorized_keys file: 644 (chmod 644 .ssh/authorized_keys)
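A quick audit of the two configuration items and the permissions listed above, as an added example that is not part of the original article. The function names are hypothetical, and the check assumes sshd's default StrictModes behaviour, which ignores a key file when it or its parent directories are writable by group or others.

```shell
#!/bin/sh
# Added example: audit the sshd settings and file modes that key login depends on.
# Function names are hypothetical; paths are arguments so it can run on copies.

# Print the first value set for a keyword in an sshd_config-style file.
# Keywords are case-insensitive and sshd keeps the first value it reads.
sshd_setting() {  # usage: sshd_setting <config-file> <keyword>
    awk -v key="$2" '
        /^[ \t]*#/ { next }                          # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 if a path is writable by group or others.
loosely_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 0 ;;              # g+w is char 6, o+w is char 9
        *) return 1 ;;
    esac
}

# Audit one account; prints findings and returns the number of problems found.
audit_key_login() {  # usage: audit_key_login <sshd_config> <home-dir>
    cfg=$1 home=$2 problems=0
    # PubkeyAuthentication defaults to yes when it is not set at all.
    if [ "$(sshd_setting "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')" = "no" ]; then
        echo "PubkeyAuthentication is disabled in $cfg"; problems=$((problems + 1))
    fi
    # Assumption: AuthorizedKeysFile is a path relative to the home directory,
    # as in the article's default; only the first listed file is checked.
    keyfile=$(sshd_setting "$cfg" AuthorizedKeysFile)
    keyfile=${keyfile:-.ssh/authorized_keys}
    for p in "$home" "$home/.ssh" "$home/$keyfile"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; problems=$((problems + 1))
        elif loosely_writable "$p"; then
            echo "group/world writable: $p"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

On the server this would be called as `audit_key_login /etc/ssh/sshd_config /home/server`; a non-zero exit status is the count of findings.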
5. Configuration
Server: 192.168.0.10, user: server
Client: 192.168.0.11, user: client
# Client configuration
# Log in as the client user and go to the home directory
cd /home/client
# Generate the authentication public and private keys (when prompted for a passphrase, just press Enter)
ssh-keygen -t rsa
# This creates a .ssh folder in the home directory containing two files: id_rsa (private key) and id_rsa.pub (public key)
# Upload the public key file to the home directory of the server user on the server
scp ~/.ssh/id_rsa.pub server@192.168.0.10:~
# Server configuration
# Log in as the server user and go to the home directory
cd /home/server
# Create the .ssh folder (-p avoids an error if it already exists)
mkdir -p .ssh
# Set the folder permissions
chmod 700 .ssh
# Append the contents of the id_rsa.pub file sent by the client to authorized_keys
cat id_rsa.pub >> .ssh/authorized_keys
chmod 644 .ssh/authorized_keys
After this, logging in from the client as the client user to the server user on the server no longer requires a password. On the first connection you will still be prompted to check the remote host's public key fingerprint, which is then stored in the ~/.ssh/known_hosts file.
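The server-side steps above wrapped in one repeatable function, as an added example that is not the article's own commands. The name install_pubkey is hypothetical; it keeps the article's 700/644 modes, refuses a file that looks like a private key, and appends the key only when it is not already present, so running it twice does not duplicate the entry the way a second `cat >>` would.

```shell
#!/bin/sh
# Added example: the server-side steps as one idempotent function.
# install_pubkey is a hypothetical name; modes 700/644 are the article's.

install_pubkey() {  # usage: install_pubkey <public-key-file> <home-dir>
    pub=$1 sshdir=$2/.ssh auth=$2/.ssh/authorized_keys

    # id_rsa (the private key) must never leave the client; refuse it here.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2; return 2
    fi
    # A public key file holds exactly one line: "<type> <base64> [comment]".
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected one key in $pub" >&2; return 3; }
    line=$(grep . "$pub")
    case $line in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 3 ;;
    esac

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 644 "$auth" || return 1
    # Compare on "<type> <base64>" so a changed comment does not add a duplicate.
    keypart=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$keypart" "$auth"; then
        echo "key already authorized"; return 0
    fi
    printf '%s\n' "$line" >> "$auth"
    echo "key added to $auth"
}

# Usage on the server, after the scp step:  install_pubkey ~/id_rsa.pub /home/server
```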