refernence:SSH
Introduction
There are a couple of ways that you can access a shell (command line) remotely on most Linux/Unix systems. One of the older ways is to use the telnet program, which is available on most network capable operating systems. Accessing a shell account through the telnet method though poses a danger in that everything that you send or receive over that telnet session is visible in plain text on your local network, and the local network of the machine you are connecting to. So anyone who can “sniff” the connection in-between can see your username, password, email that you read, and commands that you run. For these reasons you need a more sophisticated program than telnet to connect to a remote host.
SSH, which is an acronym for Secure SHell, was designed and created to provide the best security when accessing another computer remotely. Not only does it encrypt the session, it also provides better authentication facilities, as well as features like secure file transfer, X session forwarding, port forwarding and more so that you can increase the security of other protocols. It can use different forms of encryption ranging anywhere from 512 bit on up to as high as 32768 bits and includes ciphers like AES (Advanced Encryption Scheme), Triple DES, Blowfish, CAST128 or Arcfour. Of course, the higher the bits, the longer it will take to generate and use keys as well as the longer it will take to pass data over the connection.
Step
1. Generating a key
1
| local: ssh-keygen -t dsa
|
- location(default)
- passphrase(用于验证密钥,不同于登录密码):The reason why you would generate a keyfile is so that you can increase the security of your SSH session by not using your system password.
When you generate a key, you are actually generating two key files. One private key and one public key, which is different from the private key. The private key should always stay on your local computer and you should take care not to lose it or let it fall into the wrong hands. Your public key can be put on the machines you want to connect to in a file called .ssh/authorized_keys. The public key is safe to be viewed by anybody and mathematically cannot be used to derive the private key. Its just like if I gave you a number 38,147,918,357 and asked you to find the numbers and operations I used to generate that number. There are nearly infinite possibilities.It will ask you for your key passphrase though. But this is your local ssh process that is asking for your passphrase, not the ssh server on the remote side.
2.1 Installing your public key manually
If you do not have the ssh-copy-id program available, then you must use this manual method for installing your public ssh key on the remote host.
1
| scp ~/.ssh/id_dsa.pub username@arvo.suso.org:.ssh/authorized_keys(local)
|
1
| chmod 700 ~/.ssh (remote)
|
1
| chmod 644 ~/.ssh/authorized_keys (remote)
|
2.2 Installing your public key automatically
1
| ssh-copy-id yourusername@your.website.com
|
3. Using the ssh-agent program
The true usefulness of using key based authentication comes in the use of the ssh-agent program. Usually, the ssh-agent program is a program that starts up before starting X windows and in turn starts X windows for you. What this means is that after you’ve started up X windows through ssh-agent, you can use the ssh-add program to add your passphrase one time to the agent and the agent will in turn pass this authentication information automatically every time you need to use your passphrase.(不用每次输入passphrase)
common sence
- ssh会把你每个你访问过计算机的公钥(public key)都记录在~/.ssh/known_hosts。当下次访问相同计算机时,OpenSSH会核对公钥。如果公钥不同,OpenSSH会发出警告, 避免你受到DNS Hijack之类的攻击。
- authorized_keys记录连接到此计算机的计算机的公钥及对应ip。
