How to Use RSA Key for SSH Authentication
2011-05-30 19:21
423 查看
If your daily activity requires loging in a lot of
Linux systems through SSH, you will be happy to know (if you don't
already) that there's a way to allow secure, authenticated remote
access, file transfer, and command execution without having to remember
passwords for each individual host you connect.
The
$HOME/.ssh/authorized_keys file contains the RSA keys allowed for RSA
authentication. Each line contains one key, which consists of the
following fields: options, bits, exponent, modulus
and comment
.
The first field is optional, bits, exponent and modulus fields give the
RSA key and the last field isn't used at all in the authentication
process, but it will be somewhat convenient to the user, for instance to
know which key is for which machine.
Before we start, make sure
your computer has a ssh client installed and the remote Linux system has
ssh installed and sshd running, with RSA authentication enabled (RSAAuthentication yes
in /etc/ssh/sshd_config).
First, you will need to generate the local RSA key:
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
(It's safe to press enter here, as the /root/.ssh is the default and recommended directory to hold the RSA file.)
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
(The
password you enter here will need to be entered every time you use the
RSA key but fortunately, you can set NO passphrase by pressing Enter.
However, the upside is that you only have to remember this one
passphrase for all the systems you access via RSA authentication and you
can change the passhrase later with "ssh-keygen -p".)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
Once
the public key has been generated, it's time to upload it on any Linux
systems you usually log into. It's recommended you use scp as the file
transfer utility:
# scp .ssh/id_rsa.pub username@hostname.com:~
This
command will copy the id_rsa.pub file in the $HOME directory. For
instance, if you used root as the username, the file will be found in
the /root directory and if you used a normal user, the file will be in
the /home/that.user/ directory.
Next, connect to the remote host
through SSH, with the username you used in the step above. RSA
authentication won't be available just yet, so you'll have to use the
old method to login. Once you are connected, add the new hostkey to the
file /root/.ssh/authorized_keys or /home/user/.ssh/authorized_keys. If
the .ssh directory doesn't exist, create it.
# cd $HOME
# cat id_rsa.pub >> .ssh/authorized_keys
The two right-angles will add
the contents of id_rsa.pub file to the authorized_keys file, so in case
the file already exists, you won't have to worry about the existing
content being modified.
You are all set. To test the RSA authentication, initiate a ssh connection from your PC to one of the Linux systems:
# ssh username@remote.hostname.com
If
everything worked out well, you should be either asked for the
passpharase (if you entered one), or get directly logged in. If you are
prompted for the ssh password or get an error message, retry the above
command using -v
in order to turn verbose mode on and to be able to track down and correct the problem.
----------------------------------------------------------------------------------------------------------------------
ssh-copy-id -i ~/.ssh/id_rsa.pub jdoe@somehost.org
This takes card of copying the public key to the remote host and adding
it to the authorized_keys file and setting the appropriate permissions.
"ssh-copy-id" is simply there for laziness. Ultimately, what you have to achieve is ...
(1) Generate the key-file.
(2) Somehow get the key-file over to the right user-id on the right host.
(3) If that user doesn't already have an ".ssh" directory, create one AND set its permissions to "700." ("rwx------")
(4) If that user doesn't already have an ".ssh/authorized_keys" file,
create one AND set its permissions to "600." ("rw-------")
(5) Append ... don't overwrite(!) ... the new key to that file.
As you can see, "ssh-copy-id" sure is easier.
Linux systems through SSH, you will be happy to know (if you don't
already) that there's a way to allow secure, authenticated remote
access, file transfer, and command execution without having to remember
passwords for each individual host you connect.
The
$HOME/.ssh/authorized_keys file contains the RSA keys allowed for RSA
authentication. Each line contains one key, which consists of the
following fields: options, bits, exponent, modulus
and comment
.
The first field is optional, bits, exponent and modulus fields give the
RSA key and the last field isn't used at all in the authentication
process, but it will be somewhat convenient to the user, for instance to
know which key is for which machine.
Before we start, make sure
your computer has a ssh client installed and the remote Linux system has
ssh installed and sshd running, with RSA authentication enabled (RSAAuthentication yes
in /etc/ssh/sshd_config).
First, you will need to generate the local RSA key:
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
(It's safe to press enter here, as the /root/.ssh is the default and recommended directory to hold the RSA file.)
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
(The
password you enter here will need to be entered every time you use the
RSA key but fortunately, you can set NO passphrase by pressing Enter.
However, the upside is that you only have to remember this one
passphrase for all the systems you access via RSA authentication and you
can change the passhrase later with "ssh-keygen -p".)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
Once
the public key has been generated, it's time to upload it on any Linux
systems you usually log into. It's recommended you use scp as the file
transfer utility:
# scp .ssh/id_rsa.pub username@hostname.com:~
This
command will copy the id_rsa.pub file in the $HOME directory. For
instance, if you used root as the username, the file will be found in
the /root directory and if you used a normal user, the file will be in
the /home/that.user/ directory.
Next, connect to the remote host
through SSH, with the username you used in the step above. RSA
authentication won't be available just yet, so you'll have to use the
old method to login. Once you are connected, add the new hostkey to the
file /root/.ssh/authorized_keys or /home/user/.ssh/authorized_keys. If
the .ssh directory doesn't exist, create it.
# cd $HOME
# cat id_rsa.pub >> .ssh/authorized_keys
The two right-angles will add
the contents of id_rsa.pub file to the authorized_keys file, so in case
the file already exists, you won't have to worry about the existing
content being modified.
You are all set. To test the RSA authentication, initiate a ssh connection from your PC to one of the Linux systems:
# ssh username@remote.hostname.com
If
everything worked out well, you should be either asked for the
passpharase (if you entered one), or get directly logged in. If you are
prompted for the ssh password or get an error message, retry the above
command using -v
in order to turn verbose mode on and to be able to track down and correct the problem.
----------------------------------------------------------------------------------------------------------------------
ssh-copy-id -i ~/.ssh/id_rsa.pub jdoe@somehost.org
This takes card of copying the public key to the remote host and adding
it to the authorized_keys file and setting the appropriate permissions.
"ssh-copy-id" is simply there for laziness. Ultimately, what you have to achieve is ...
(1) Generate the key-file.
(2) Somehow get the key-file over to the right user-id on the right host.
(3) If that user doesn't already have an ".ssh" directory, create one AND set its permissions to "700." ("rwx------")
(4) If that user doesn't already have an ".ssh/authorized_keys" file,
create one AND set its permissions to "600." ("rw-------")
(5) Append ... don't overwrite(!) ... the new key to that file.
As you can see, "ssh-copy-id" sure is easier.
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- How to use WinSCP with public key authentication
- Setup the SSH server to use keys for authentication
- How to generate ssh key only for github and not conflict with original key
- How to use Asp.Net Mvc ActionFilterAttribute for form authentication
- How To Use Putty with an SSH Private Key Generated by OpenSSH
- How to create custom methods for use in spring security expression language annotations
- [Backup] How to build and use Pansenti / meta-pansenti for Gumstix Overo Ironstorm
- How to use udev for Oracle ASM in Oracle Linux 6 怎样使用udev在linux 6系统上使用asm
- How to use data analysis for machine learning (example, part 1)
- How to sort an array of hashes into hashes with multiple values for a key?
- How to Use Densities for Controls
- How to find public key token for a .NET DLL or assembly
- How to Build and Use libnetfilter_queue for Android
- How to Use HTML Codes for Special Characters-转载
- How to use "for/" batch command in Dos extention
- How to define a bash function for use in any script?
- Github遇到Permanently added the RSA host key for IP address '192.30.252.128' to the list of known host
- How to deploy a .Net assmebly for COM use through CAB on Web Page (转)
- How to Setup OpenStack to use Local Disks for Instances