Function of authorized_keys, ID_rsa, id_rsa.pub, known_hosts under SSH

known_hosts

SSH keeps a ~/. SSH /known_hosts file for every public key you access on your computer. The next time you access the same computer, OpenSSH checks the public key. If the public key is different, OpenSSH will warn you against attacks like DNS Hijack. The case I’ve listed above, that’s the case.

why

If multiple Linux systems on a host use the same IP address, SSH information is recorded in the ~/. SSH /known_hosts file on the host after a login. A conflict warning is displayed when you use SSH to access the host after switching the Linux system. You need to manually delete and modify the known_hosts file.

There are two solutions:
  1. Manually delete and modify the contents of “known_hosts”.
  2. Add these two lines to the ~/. SSH /config configuration file and restart the server.
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Copy the code

The advantages and disadvantages

  1. You need to manually delete the file content every time, some automatic scripts can not run (SSH login failed), but the security is high;
  2. During SSH login, the access to known_hosts is ignored, but the security is low.

Id_rsa, id_rsa. Pub

We do symmetric or asymmetric encryption: both public and private keys are required.

  • Pub: our client public key is uploaded to the server and added to authorized_keys.
  • After adding a public key, the server will assume that you are a trusted client. You can access the server. But you have to have a private key

Get id_rsa. Pub

The principle of key-form login is to use a key generator to create a pair of keys — a public key and a private key. Add the public key to an account on the server, and then use the private key on the client to authenticate and log in. This way, without a private key, no one can use SSH to brute force your password to log in remotely. In addition, you can log in using the private key if you copy the public key to another account or even a host.

Here’s how to create a key pair on a Linux server, add a public key to an account, set up SSH, and finally log in through a client.

Making a key pair

Start by making a key pair on the server. First log in to the account you intend to log in to using the key with a password and then execute the following command:

[root@host ~]# ssh-keygen <== Generating public/private RSA key pair. Enter file in which to save the key (/root/.ssh/id_rsa): <== create directory '/root/.ssh'. Enter passphrase (empty for no passphrase): <== Enter the key lock code or press Enter to leave Enter same passphrase again: <== Enter the key lock code again Your identification has been saved in /root/.ssh/id_rsa. <== Your public key has been saved in / root /. SSH/id_rsa. Pub. < = = public key, The key fingerprint is: 0 f: d3: e7:1 a: 1 c: bd: 5 c: 03: f1:19: f1:22: df: 9 b: cc: 08 root @ hostCopy the code

The key lock code must be entered when the private key is used to protect the private key from theft. Of course, it can also be left blank to achieve password-free login.

A.ssh hidden directory containing two key files is now generated in the root user’s home directory. Id_rsa is the private key, and id_rsa.pub is the public key.

Install the public key on the server

Type the following command to install the public key on the server:

[root@host ~]# cd .ssh
[root@host .ssh]# cat id_rsa.pub >> authorized_keys
Copy the code

This completes the installation of the public key. To ensure a successful connection, ensure that the following file permissions are correct:

[root@host .ssh]# chmod 600 authorized_keys
[root@host .ssh]# chmod 700 ~/.ssh
Copy the code
  1. Configure SSH to enable the key login function

Edit and modify the /etc/ssh/sshd_config file to set the following parameters:

Sed -i 's@#Port 22@Port 22@' /etc/ssh/sshd_config # /etc/ssh/sshd_config_bk /etc/ssh/sshd_configCopy the code
RSAAuthentication yes
PubkeyAuthentication yes
Copy the code

Note whether the root user can log in using SSH:

PermitRootLogin yes
Copy the code

Disable password login after you have completed all Settings and logged in successfully with key:

PasswordAuthentication no
Copy the code

Finally, restart the SSH service:

[root@host .ssh]# service sshd restart
Copy the code

authorized_keys

The idea is that SSH between two Linux machines does not require a username and password. The digital signature RSA or DSA is used to accomplish this operation

Case analysis

  • A Server (192.168.10.11) is the client
  • B Server (192.168.20.10) is the target
Goals to be achieved:

  • You do not need to enter A password to log in to MACHINE B using SSH from machine A. Encryption can choose rsa | dsa all, default dsa

  • The operation of a one-way login (which satisfies the above purpose) :

    1. Logging in to Machine A
    2. SSH – the keygen – t/rsa | dsa, will generate the key and a private key file id_rsa, id_rsa. Pub or id_dsa id_dsa. Pub
    3. Copy the id_dsa.pub file to the. SSH directory of the user under root or home on machine B, and then Β·cat id_dsa.pub >> ~/
    4. You are done. You no longer need A password to log in to the target account of machine B from machine A. # SSH 192.168.20.60
Two-way login operation process:

  1. Ssh-keygen password authentication enables SSH to the other machine, SCP does not use the password. Specific methods are as follows:

  2. Run #ssh-keygen -t rsa on both nodes, then press Enter, using the default values.

  3. This generates a pair of keys, which are stored under ~/.ssh in the user directory.

  4. SSH /authorized_keys (run #cat id_dsa.pub >> ~/.ssh/authorized_keys).