Bo2SS

Bo2SS

HomeArchives

Implementation and Essential Considerations of SSH Passwordless Login

#计算机#操作系统#Linux#海贼班54
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This article discusses the implementation and essence of SSH passwordless login, using Ubuntu18.04 remote server and WSL 2 local machine as the experimental environment. The process involves generating a key pair, copying the public key to the remote server, and configuring permissions. The article also explains the essence of passwordless login and compares it to password login in terms of security and speed. The article provides additional information on SSH configuration and authentication, and includes references for further reading.

Experimental Environment: Ubuntu 18.04 remote server + WSL 2 local machine

Evaluation Description#

Final Result#

【Testing Locally】

  • Image

  • SSH hostname, passwordless login is now possible

  • It's green again :)

Implementation Process#

Two Steps⭐#

【Generate Key Pair👉Copy Public Key】

  • ① Generate public and private key [the one with .pub extension is the public key] on local WSL 2, using RSA encryption algorithm
ssh-keygen -t rsa
    • You can use ssh-keygen --help to view information about key types and other details
    • Passphrase is generally not required [used to encrypt the private key], unless you want to enter a password every time you login without a password
  • ② Configure the public key on the remote server with a single command
ssh-copy-id ten
    • Here, "ten" is the alias of the remote server (the username is the same as the local user by default, otherwise you can use the format "hz@ten"). For specific configuration methods, refer to 《Linux 入门及使用》笔记汇总 ——5 基本系统 —— 附加知识点: Login to Cloud Host with SSH Alias
    • Alternatively, you can use the format ssh-copy-id username@IP, where "ten" and "username@IP" are equivalent in the following text

🔚By doing this, passwordless login is achieved and you can connect to the cloud host "ten" for testing

ssh ten

Detailed Steps of ssh-copy-id#

If you want to manually achieve the same effect as ssh-copy-id, you can follow these steps:

  • Copy the local public key to the home directory of the remote server
scp ~/.ssh/id_rsa.pub ten:
  • SSH login to the home directory of the remote server and append the content of the public key to the configuration file of the key
cat id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub  # Can be deleted
    • authorized_keys can store multiple different public keys, with each line corresponding to one key
    • If the .ssh directory and authorized_keys file do not exist, create them manually
    • The key is the "permissions" of both: the .ssh directory should only be accessible by the owner, and the authorized_keys file should only have read and write permissions for the owner. Otherwise, passwordless login will be difficult to achieve
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

🔚By doing this, passwordless login is also achieved

【Permission Requirements】

  • Refer to man sshd
    • Image
    • For security reasons, if the permission settings do not meet the requirements, the public key file cannot be used

Additional Notes#

  • Confirm that the "PubkeyAuthentication" in /etc/ssh/sshd_config on both the local machine and the remote server is set to "yes". After modifying it, you need to restart the sshd service: systemctl restart sshd.service
  • If you want to login without a password to a specific user on the remote server, place the public key in the corresponding location in that user's home directory

Essence of Passwordless Login#

Process⭐#

  • Local machine initiates SSH connection and sends its public key
  • Upon receiving the public key, the remote server compares it with its own public key
  • If they match, the server encrypts a "random string" with the public key and sends it back to the local machine
  • The local machine decrypts the "random string" with its private key and sends the result back to the server
  • If they match, the connection is established

❗ Refer to SSH 免密登录原理与实现—— 掘金 (in Chinese)

【This article mentions the specific processes of password login and passwordless login】

  • Password Login
    • Image
    • The password is encrypted using the remote server's public key
  • Passwordless Login
    • Image
    • The private key is not exposed during the transmission process

Password login is simpler and faster during connection compared to passwordless login.
However, passwordless login is more secure:

  • ① Passwords are easier to crack
  • ② The article mentioned that passwordless login does not have the risk of "man-in-the-middle" attacks, but I do not fully agree
    • Both rely on the .ssh/known_hosts file to identify the machine
    • Passwordless login adds an extra step of matching public keys, making it more secure
    • 【Note】This is under the assumption that the local public key has not been stolen by a man-in-the-middle

Additional Notes#

  • ssh -v ten: You can see a more detailed process
  • There is a widely circulated image on the Internet, but it contains some details that are incorrect, as follows:
    • Image
    • The request information is not the username and IP❌, but the local public key
    • The public key does not store the IP [as it would pose a risk], it stores the username and hostname of the local machine
    • You can try deleting the user information [username and hostname] from the local or remote server's public key, and you can still establish a passwordless SSH connection
    • This shows that the remote server verifies the public key string itself!

Points for Consideration#

  • What is the identity verification displayed when first logging into the cloud host?
    • Image
    • What is ECDSA key fingerprint? It is the key fingerprint from the remote server, and every machine with SSH installed has its own fingerprint
    • After entering "yes", the fingerprint information will be stored in the local .ssh/known_hosts file. If there is a spoofed machine during the next connection, it will raise an alert
    • If there is a spoofed machine [man-in-the-middle] attack during the first connection, congratulations, you have won
    • Refer to 验证远程主机 SSH 指纹—— 博客 (in Chinese)

Additional#

  • Usage of ssh-copy-id

    • Directly copies the public key of the current user on the local machine to the authorized_keys file in the .ssh directory of the remote machine's home directory
    • Image
    • More simple and direct, can specify specific public keys, specific ports, etc.

  • You can use man sshd_config to view the specific configuration instructions for sshd_config

  • ⭐ Disable password login by modifying "PasswordAuthentication" to "no" in /etc/ssh/sshd_config

    • Image
    • Restart the sshd service: systemctl restart sshd.service to make it take effect

  • The location of the public key can be set by yourself through "AuthorizedKeysFile" in /etc/ssh/sshd_config

    • Image
    • By default, the public key is searched in the corresponding location in the user's home directory

  • What is ChallengeResponseAuthentication?

    • Image

ChallengeResponseAuthentication no
# Allow any type of password authentication! Therefore, any authentication method specified in login.conf can be used!
# But currently, we prefer to use PAM modules to manage authentication, so this option can be set to no!

References#

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.