The public key is the lock and the private key is the key. The ssh-keygen command is available on every computer that has SSH installed.

Run ssh-keygen to generate a public/private key pair and store it in the $HOME/.ssh directory.

Run ssh-keygen, press Enter at each prompt, and you will find id_rsa and id_rsa.pub in the $HOME/.ssh/ directory.

Generate public and private keys

$HOME/.ssh/authorized_keys

On the PC side, we can also store many keys. These keys need to be managed together by a keyring, which records each key and the lock it belongs to. This keyring is the SSH config file under $HOME/

User root
# private key
IdentityFile ~/.ssh/id_rsa

When you log in to the server with ssh [email protected] from the PC, the ssh program automatically uses the ~/.ssh/id_rsa private key to authenticate with the server.

In addition, to protect the private key and the config file, set their permissions to 600:

chmod 600 config
chmod 600 id_rsa


On the client side, if you want to move to another machine, just move the .ssh folder: all keys and configuration files move with it, which is very convenient.

By reading the config file, we can also see how many machines we manage, including the IP, user name, and key file of each one.
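The permission rule above (600 on the private key and on config) and the "how many machines do I manage" question can both be checked with a small script. The following is an added example, not code from the original post: it builds a constructed .ssh directory with placeholder (non-functional) key material and a two-host config, reports files whose mode is too open, fixes them, and lists the hosts from the config file. The host aliases, addresses and the sample config are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a client-side ~/.ssh
# directory the way the text describes (private key and config must be 0600,
# the directory 0700) and list the hosts the config file manages.
# Everything below is CONSTRUCTED sample data; the key files hold no real key.

make_sample_sshdir() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.ssh"
  # placeholder key material, deliberately not a valid key
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END OPENSSH PRIVATE KEY-----' > "$dir/.ssh/id_rsa"
  printf '%s\n' 'ssh-rsa AAAAPLACEHOLDER user@pc' > "$dir/.ssh/id_rsa.pub"
  cat > "$dir/.ssh/config" <<'EOF'
Host web
    HostName 192.0.2.10
    User root
    IdentityFile ~/.ssh/id_rsa

Host db
    HostName 192.0.2.11
    User deploy
    IdentityFile ~/.ssh/id_rsa
EOF
  chmod 644 "$dir/.ssh/id_rsa" "$dir/.ssh/config"   # deliberately too open
  printf '%s' "$dir/.ssh"
}

# check_ssh_perms DIR: print "file mode" for config and private keys that are
# not 0600; returns 1 if any were found, 0 if everything is tight.
check_ssh_perms() {
  sshdir=$1; bad=0
  for f in "$sshdir"/config "$sshdir"/id_*; do
    case "$f" in *.pub) continue ;; esac      # public keys may stay readable
    [ -e "$f" ] || continue
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD
    if [ "$mode" != "600" ]; then echo "$f $mode"; bad=1; fi
  done
  return $bad
}

# fix_ssh_perms DIR: apply the modes the post asks for.
fix_ssh_perms() {
  chmod 700 "$1"
  chmod 600 "$1"/config "$1"/id_* 2>/dev/null
  chmod 644 "$1"/*.pub 2>/dev/null
}

# list_managed_hosts DIR: one line per Host block: alias hostname user identityfile
list_managed_hosts() {
  awk '
    tolower($1)=="host" && $2!="*" { if (h) print h, hn, u, id; h=$2; hn=""; u=""; id="" }
    tolower($1)=="hostname"     { hn=$2 }
    tolower($1)=="user"         { u=$2 }
    tolower($1)=="identityfile" { id=$2 }
    END { if (h) print h, hn, u, id }
  ' "$1/config"
}

count_managed_hosts() { list_managed_hosts "$1" | wc -l | tr -d ' '; }

# usage on a real machine: check_ssh_perms "$HOME/.ssh" || fix_ssh_perms "$HOME/.ssh"
```

Run check_ssh_perms against your real ~/.ssh before fix_ssh_perms so you see what was wrong; ssh itself refuses a private key whose mode is group- or world-readable, which is the usual reason "automatic login" silently falls back to a password prompt.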

On the server

sshd

We used ssh, the client program; the server side is served by sshd, the server program.

If automatic SSH login still does not work after configuring the public key as described above, check the sshd configuration file /etc/ssh/sshd_config. The following is the configuration of my server.

# $OpenBSD: DJM Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#StrictModes yes
#MaxAuthTries 6
MaxSessions 10000

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PAM authentication via ChallengeResponseAuthentication may bypass
# If you just want the PAM account and session checks to run without
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 60
#ClientAliveCountMax 3
#ShowPatchLevel no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
UseDNS no
AddressFamily inet
PermitRootLogin yes
SyslogFacility AUTHPRIV
PasswordAuthentication yes
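Reading a file this long by eye is error-prone, and sshd has a rule that is easy to forget: for each keyword the first uncommented value wins, and lines inside a Match block apply only when the condition matches. The script below is an added example, not part of the original post: it resolves the effective value of the directives that decide whether key login works (PubkeyAuthentication, AuthorizedKeysFile) and flags the two settings a defender normally tightens once keys are in place, because the file above still leaves PasswordAuthentication yes and PermitRootLogin yes. The sample file is a constructed excerpt of the settings shown above; the defaults passed in are the OpenSSH 7.x defaults I assume for this server.

```shell
#!/bin/sh
# Added example, not code from the original post: resolve the sshd_config
# directives that matter for public-key login, honouring sshd's first-value-
# wins rule and stopping at Match blocks. The sample file is a CONSTRUCTED
# excerpt; point sshd_effective / audit_sshd_for_key_login at
# /etc/ssh/sshd_config on a real host instead.

write_sample_sshd_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
#Match User anoncvs
#	X11Forwarding no
UseDNS no
AddressFamily inet
PermitRootLogin yes
SyslogFacility AUTHPRIV
PasswordAuthentication yes
EOF
  printf '%s' "$f"
}

# sshd_effective FILE KEY DEFAULT: print the first uncommented global value
# of KEY (keywords are case-insensitive), or DEFAULT if the file never sets it.
sshd_effective() {
  awk -v key="$2" -v def="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    tolower($1)=="match"     { exit }            # conditional block: stop here
    tolower($1)==tolower(key) {
      sub(/^[ \t]*[^ \t]+[ \t]*/, "")            # drop the keyword, keep the value(s)
      print; found=1; exit
    }
    END { if (!found) print def }
  ' "$1"
}

# audit_sshd_for_key_login FILE: one finding per line.
#   OK   = key login can work as configured
#   WARN = still enabled, normally turned off once key login is verified
#   FAIL = key login cannot work
audit_sshd_for_key_login() {
  f=$1
  pk=$(sshd_effective "$f" PubkeyAuthentication yes)
  akf=$(sshd_effective "$f" AuthorizedKeysFile ".ssh/authorized_keys .ssh/authorized_keys2")
  pw=$(sshd_effective "$f" PasswordAuthentication yes)
  root=$(sshd_effective "$f" PermitRootLogin prohibit-password)
  if [ "$pk" = "yes" ]; then echo "OK PubkeyAuthentication=yes"
  else echo "FAIL PubkeyAuthentication=$pk (key login disabled)"; fi
  echo "INFO AuthorizedKeysFile=$akf (relative to the login user's home)"
  if [ "$pw" = "no" ]; then echo "OK PasswordAuthentication=no"
  else echo "WARN PasswordAuthentication=$pw (passwords still accepted alongside keys)"; fi
  if [ "$root" = "yes" ]; then echo "WARN PermitRootLogin=yes (prefer prohibit-password)"
  else echo "OK PermitRootLogin=$root"; fi
}

# usage on a real host: audit_sshd_for_key_login /etc/ssh/sshd_config
```

After changing sshd_config, run `sshd -t` to syntax-check it and keep your existing session open while you confirm a fresh key login works; only then turn PasswordAuthentication off.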

What are the benefits of password-free login?

  • You don’t have to remember the password

  • You can happily back up folders on your server to your local hard drive with the scp command

The backup

  • Not only scp: the more advanced rsync command also supports incremental synchronization and resumable transfers

rsync -azvvv --bwlimit=100 --append-verify [email protected]:/opt/ ./opt/

-v Displays transfer details (-vvv displays even more)
--bwlimit Limits the transfer bandwidth, in KB
--append-verify Supports resumable transfers and verifies the transferred files

rsync

rsync and private-key authentication are used to implement low-cost disaster recovery for personal servers

Write a small scheduled program and deploy it on a Raspberry Pi with a large external mechanical hard disk. The program runs every morning, backs up the server's resources through rsync, creates a folder named after the date, and keeps 30 days of server snapshots. Even if the server loses its data, it can be rolled back quickly to reduce the loss.
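The rsync command above and the daily job just described fit in one script. The following is an added example, not the author's program: it pulls the server directory into a folder named after the date, prunes folders older than 30 days, and (my addition, not in the post) passes --link-dest so files unchanged since the previous day are hard-linked rather than copied again. The backup root /mnt/backup, the host alias "server" (expected to be defined in the Pi's ~/.ssh/config) and the /opt source path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the daily pull backup the
# text describes, run on the Raspberry Pi that holds the private key. The
# server only ever sees the public key; the Pi initiates every transfer.
# Assumptions (mine): BACKUP_ROOT below, a "server" alias in ~/.ssh/config,
# and --link-dest for space-efficient daily snapshots.

BACKUP_ROOT=${BACKUP_ROOT:-/mnt/backup}
KEEP_DAYS=30

# today_stamp: folder name for today's snapshot, e.g. 2021-06-20
today_stamp() { date +%Y-%m-%d; }

# cutoff_stamp N [TODAY]: the date N days before TODAY (GNU date, BSD fallback)
cutoff_stamp() {
  today=${2:-$(today_stamp)}
  date -d "$today -$1 days" +%Y-%m-%d 2>/dev/null ||
    date -j -v-"$1"d -f %Y-%m-%d "$today" +%Y-%m-%d
}

# prune_old_snapshots ROOT CUTOFF: delete YYYY-MM-DD folders older than CUTOFF.
# Folder names sort exactly like dates, so a string compare is sufficient;
# anything not named like a date (e.g. notes/) is left alone.
prune_old_snapshots() {
  for d in "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    if [ "$(expr "$name" \< "$2")" = 1 ]; then rm -rf "$d"; fi
  done
}

# latest_snapshot ROOT: newest existing date folder, used as --link-dest
latest_snapshot() {
  ls -d "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] 2>/dev/null | sort | tail -n 1
}

# run_backup SERVER REMOTE_DIR: pull REMOTE_DIR from SERVER into today's folder,
# then drop snapshots older than KEEP_DAYS. Flags match the post's command
# (-a -z, --bwlimit=100 KB, --append-verify) minus the -vvv chatter for cron.
run_backup() {
  server=$1; remote=$2
  dest="$BACKUP_ROOT/$(today_stamp)"
  prev=$(latest_snapshot "$BACKUP_ROOT")
  mkdir -p "$dest"
  linkdest=""
  if [ -n "$prev" ] && [ "$prev" != "$dest" ]; then linkdest="--link-dest=$prev"; fi
  rsync -az --bwlimit=100 --append-verify $linkdest "$server:$remote/" "$dest/" &&
    prune_old_snapshots "$BACKUP_ROOT" "$(cutoff_stamp "$KEEP_DAYS")"
}

# cron entry on the Pi (runs at 03:00 every morning):
#   0 3 * * * /usr/local/bin/backup.sh
# where backup.sh sources this file and calls: run_backup server /opt
```

A backup script that runs unattended is exactly where a key pair should be dedicated to the job: use a separate key for the Pi rather than the one from your PC, so that losing either device only requires removing one line from the server's authorized_keys.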

A personal webmaster does not have a lot of money to buy large amounts of server space and enterprise security services for data disaster recovery and defence against hacker attacks;

If a personal server is breached by a hacker and wiped clean, it is a tragedy.

And since the server stores only the public key, even a hacker who breaks into the server cannot locate the Raspberry Pi that holds the private key. In the most extreme case, unplug the hard drive from the Raspberry Pi: even if a hacker social-engineered their way to your Raspberry Pi and followed the network cable to it, they could not erase the data on a hard drive that has been separated from the Raspberry Pi.

In 2021, downloading server data through private-key authentication and saving it locally to a mechanical hard drive remains the most economical and stable way to back up data.

A Raspberry Pi with a 1TB mechanical hard disk, using rsync over private-key authentication for incremental synchronization, is enough to hold the latest month of a personal server's data. The Raspberry Pi draws 5W, so the extra cost of a month of backups is only a few kWh ~

This post is permanently updated (feel free to read and write comments):

www.v2fy.com/p/2021-06-2…