
ssh passwordless login, public key authentication only (what's going on behind the curtains)

In ssh, it is possible to set up passwordless logins to a remote user, using only public key authentication. Out of curiosity, what is actually going on code-wise, when passwordless login has been set up?

Is the ssh-server daemon storing user passwords, and then applying them automatically, when they have authenticated a public key, or can the ssh-server, using some system-call magic, circumvent the password authentication procedure of a user account entirely?

The ssh server daemon is typically running as root (or another privileged user), and can thus simply spawn a login session running as whichever user is required. No password involved.

Other things that work in a similar manner are the -u flag for sudo, and the su command when already running as root.

The sshd (SSH daemon) process runs with privileges on your server (e.g. as root), so after authentication completes successfully it spawns a login shell as the user who logged in.

You are starting from the point of assuming a password is a requirement for authentication. But it is really only one way there. On modern Linux the PAM subsystem controls authentication and authorization. You could make a PAM module that allowed you to login if you answered three questions correctly. Or know the right number. Or to be even more outlandish your "password" could be a music sequence entered over a MIDI device :-)

Something needs to tie your entered name with a Unix UID and then match that to an authentication mechanism. SSH is doing this by:

  1. taking the name you provide and getting the "password entry" for it via PAM
  2. using the "password entry" to locate the $HOME of the user
  3. validate the SSH key in $HOME/.ssh/authorized_keys against the key sent in the authentication
  4. If all of the above works, start a shell as the UID of the user

As you can see this process is not going around password authentication. Password authentication is simply one of the ways in the door. We are accustomed to this method via 'login' or ssh exposing a password prompt. But there are many ways. The core requirement is the program performing the authentication has root privileges.

Everyone already mentioned that sshd runs as a privileged daemon.

So how does passwordless public key authentication work?

When a user connects to sshd, by default unless configured otherwise, sshd will require the remote connection to present a key. In the absence of the key, sshd will attempt to ask for other methods of proof of identity of the remote user, one of which is interactive password.

Before one can start using passwordless public key authentication, one must register his public key. This usually involves copying the public key to the user's .ssh/authorized_keys file. There is a cli, ssh-copy-id, that can do exactly this.

How does private/public key authentication work then? When a user connects to the ssh daemon, the ssh client will read the user's private key, usually stored in .ssh under different filenames such as id_rsa or identity or id_dsa. The ssh client will generate the public key from the private key and present the public key to sshd. The sshd daemon will compare the received public key against the user's authorized_keys. If a match is found, the connection is allowed. Then sshd will spawn a process and a shell and will drop the privileges to the user's privilege.
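The four-step sequence in the PAM answer above (name to passwd entry, passwd entry to $HOME, authorized_keys match, then a shell as the user's UID) and the authorized_keys comparison in the last answer can be sketched in a few dozen lines. The block below is an added example written for this page, not OpenSSH code and not from any answerer: it does the real passwd lookup with the pwd module, parses an authorized_keys file the way sshd tolerates it (options prefix, comments, junk lines skipped), compares the presented key blob, and shows the setgroups/setgid/setuid privilege drop that only has an effect when run as root. The key material is constructed (an ed25519-shaped blob around 32 placeholder bytes), and the fingerprint format is OpenSSH's SHA256 base64 form.

```python
"""Sketch of sshd's user lookup, authorized_keys match and privilege drop.
Added example, not OpenSSH code. Only the pwd/os calls are real system calls."""
import base64
import hashlib
import os
import pwd
import re
import struct

# Key types accepted in authorized_keys (subset, for the example).
KEY_LINE = re.compile(
    r"(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)|sk-[^\s]+)\s+"
    r"(?P<b64>[A-Za-z0-9+/]+=*)"
)


def parse_authorized_keys(text):
    """Return [(keytype, blob_bytes, options_or_None)] for each usable line.
    Blank, comment and unparsable lines are skipped rather than failing the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.search(line)
        if not m:
            continue
        options = line[:m.start()].strip() or None  # e.g. restrict,command="..."
        try:
            blob = base64.b64decode(m.group("b64"), validate=True)
        except ValueError:
            continue
        entries.append((m.group("type"), blob, options))
    return entries


def blob_key_type(blob):
    """First SSH string inside the wire-format blob must repeat the key type."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", errors="replace")


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: base64 of sha256(blob), padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_matching_key(presented_type, presented_blob, authorized_text):
    """Step 3: exact match of (type, blob) against the file; None if no match."""
    if blob_key_type(presented_blob) != presented_type:
        return None  # declared type and blob disagree: reject outright
    for keytype, blob, options in parse_authorized_keys(authorized_text):
        if keytype == presented_type and blob == presented_blob:
            return fingerprint(blob), options
    return None


def lookup_user(name):
    """Steps 1-2: login name -> passwd entry -> (uid, gid, $HOME)."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return None
    return pw.pw_uid, pw.pw_gid, pw.pw_dir


def drop_privileges(uid, gid):
    """Step 4: what a root daemon does before exec'ing the user's shell.
    Order matters: groups and gid first, uid last, since setuid is one-way."""
    if os.geteuid() != 0:
        return False  # nothing to drop; sshd itself would already be the user
    os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)
    return True


def authorize(username, presented_type, presented_blob):
    """All four steps against the real filesystem; returns (uid, gid, fp) or None."""
    user = lookup_user(username)
    if user is None:
        return None
    uid, gid, home = user
    try:
        with open(os.path.join(home, ".ssh", "authorized_keys")) as f:
            text = f.read()
    except OSError:
        return None
    match = find_matching_key(presented_type, presented_blob, text)
    return None if match is None else (uid, gid, match[0])


# Constructed sample: ed25519 wire format is string "ssh-ed25519" + 32-byte key.
def make_ed25519_blob(pubkey32):
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey32


SAMPLE_BLOB = make_ed25519_blob(bytes(range(32)))  # placeholder key bytes
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed authorized_keys for the example\n"
    f'restrict,command="/usr/bin/backup" ssh-ed25519 {SAMPLE_B64} backup@host\n'
    "this line is not a key and is ignored\n"
)

if __name__ == "__main__":
    print(find_matching_key("ssh-ed25519", SAMPLE_BLOB, SAMPLE_AUTHORIZED_KEYS))
    print(find_matching_key("ssh-ed25519", make_ed25519_blob(bytes(32)), SAMPLE_AUTHORIZED_KEYS))
```

The sketch covers only the lookup-and-match part of the exchange. In real OpenSSH the match alone does not grant the session: the client must also sign a session-specific challenge with the private key, and sshd verifies that signature against the matched public key before step 4 runs, which is what stops anyone who merely knows a public key from logging in. The options prefix returned alongside the match is where a defender constrains what a key may do (forced command, no forwarding), so it is worth keeping in any such check rather than discarding it.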
