Experimental Environment: Ubuntu 18.04 remote server + WSL 2 local machine
Evaluation Description#
-
-
During the evaluation process, you will need the data here: Public Key of the Evaluation Service
-
Additional: What is the essence of passwordless login?
Final Result#
【Testing Locally】
-
-
SSH hostname, passwordless login is now possible
-
It's green again :)
Implementation Process#
Two Steps⭐#
【Generate Key Pair👉Copy Public Key】
- ① Generate public and private key [the one with .pub extension is the public key] on local WSL 2, using RSA encryption algorithm
ssh-keygen -t rsa
-
- You can use
ssh-keygen --help
to view information about key types and other details - Passphrase is generally not required [used to encrypt the private key], unless you want to enter a password every time you login without a password
- You can use
- ② Configure the public key on the remote server with a single command
ssh-copy-id ten
-
- Here, "ten" is the alias of the remote server (the username is the same as the local user by default, otherwise you can use the format "hz@ten"). For specific configuration methods, refer to 《Linux 入门及使用》笔记汇总 ——5 基本系统 —— 附加知识点: Login to Cloud Host with SSH Alias
- Alternatively, you can use the format
ssh-copy-id username@IP
, where "ten" and "username@IP" are equivalent in the following text
🔚By doing this, passwordless login is achieved and you can connect to the cloud host "ten" for testing
ssh ten
Detailed Steps of ssh-copy-id#
If you want to manually achieve the same effect as ssh-copy-id, you can follow these steps:
- Copy the local public key to the home directory of the remote server
scp ~/.ssh/id_rsa.pub ten:
- SSH login to the home directory of the remote server and append the content of the public key to the configuration file of the key
cat id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub # Can be deleted
-
- authorized_keys can store multiple different public keys, with each line corresponding to one key
- If the .ssh directory and authorized_keys file do not exist, create them manually
- The key is the "permissions" of both: the .ssh directory should only be accessible by the owner, and the authorized_keys file should only have read and write permissions for the owner. Otherwise, passwordless login will be difficult to achieve
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
🔚By doing this, passwordless login is also achieved
【Permission Requirements】
- Refer to
man sshd
-
- For security reasons, if the permission settings do not meet the requirements, the public key file cannot be used
-
Additional Notes#
- Confirm that the "PubkeyAuthentication" in /etc/ssh/sshd_config on both the local machine and the remote server is set to "yes". After modifying it, you need to restart the sshd service:
systemctl restart sshd.service
- If you want to login without a password to a specific user on the remote server, place the public key in the corresponding location in that user's home directory
Essence of Passwordless Login#
Process⭐#
- Local machine initiates SSH connection and sends its public key
- Upon receiving the public key, the remote server compares it with its own public key
- If they match, the server encrypts a "random string" with the public key and sends it back to the local machine
- The local machine decrypts the "random string" with its private key and sends the result back to the server
- If they match, the connection is established
❗ Refer to SSH 免密登录原理与实现—— 掘金 (in Chinese)
【This article mentions the specific processes of password login and passwordless login】
- Password Login
-
- The password is encrypted using the remote server's public key
-
- Passwordless Login
-
- The private key is not exposed during the transmission process
-
Password login is simpler and faster during connection compared to passwordless login.
However, passwordless login is more secure:
- ① Passwords are easier to crack
- ② The article mentioned that passwordless login does not have the risk of "man-in-the-middle" attacks, but I do not fully agree
- Both rely on the .ssh/known_hosts file to identify the machine
- Passwordless login adds an extra step of matching public keys, making it more secure
- 【Note】This is under the assumption that the local public key has not been stolen by a man-in-the-middle
Additional Notes#
- ssh -v ten: You can see a more detailed process
- There is a widely circulated image on the Internet, but it contains some details that are incorrect, as follows:
-
- The request information is not the username and IP❌, but the local public key
- The public key does not store the IP [as it would pose a risk], it stores the username and hostname of the local machine
- You can try deleting the user information [username and hostname] from the local or remote server's public key, and you can still establish a passwordless SSH connection
- This shows that the remote server verifies the public key string itself!
-
Points for Consideration#
- What is the identity verification displayed when first logging into the cloud host?
-
- What is ECDSA key fingerprint? It is the key fingerprint from the remote server, and every machine with SSH installed has its own fingerprint
- After entering "yes", the fingerprint information will be stored in the local .ssh/known_hosts file. If there is a spoofed machine during the next connection, it will raise an alert
- If there is a spoofed machine [man-in-the-middle] attack during the first connection, congratulations, you have won
- Refer to 验证远程主机 SSH 指纹—— 博客 (in Chinese)
-
Additional#
-
Usage of ssh-copy-id
- Directly copies the public key of the current user on the local machine to the authorized_keys file in the .ssh directory of the remote machine's home directory
-
- More simple and direct, can specify specific public keys, specific ports, etc.
-
You can use
man sshd_config
to view the specific configuration instructions for sshd_config -
⭐ Disable password login by modifying "PasswordAuthentication" to "no" in /etc/ssh/sshd_config
-
- Restart the sshd service:
systemctl restart sshd.service
to make it take effect
-
-
The location of the public key can be set by yourself through "AuthorizedKeysFile" in /etc/ssh/sshd_config
-
- By default, the public key is searched in the corresponding location in the user's home directory
-
-
What is ChallengeResponseAuthentication?
-
ChallengeResponseAuthentication no
# Allow any type of password authentication! Therefore, any authentication method specified in login.conf can be used!
# But currently, we prefer to use PAM modules to manage authentication, so this option can be set to no!
References#
- SSH Login Without a Password——howchoo
- ssh 免密登录踩坑及解决—— 码农家园
- It mentions that the permission of authorized_keys should be set to 644 because the file is owned by root; you can also change the owner of the file [personally, I think the latter is more secure]
- 文字接口联机服务器:SSH 服务器—— 鸟哥的 Linux 私房菜 (in Chinese)
- ssh 修改登录端口禁止密码登录并免密登录—— 简书 (in Chinese)
- SSH 用公钥验证可以阻止中间人攻击么?—— 知乎 (in Chinese)
-
No, it is avoided through the verification of known_hosts during the first connection
-