In ssh, it is possible to set up passwordless logins to a remote user, using only public key authentication. Out of curiosity, what is actually going on code-wise, when passwordless login has been set up?
Is the ssh-server daemon storing user passwords, and then applying them automatically, when they have authenticated a public key, or can the ssh-server, using some system-call magic, circumvent the password authentication procedure of a user account entirely?
The ssh server daemon is typically running as root
(or another privileged user), and can thus simply spawn a login session running as whichever user is required. No password involved.
Other things that work in a similar manner are the -u
flag for sudo
, and the su
command when already running as root.
sshd
(SSH守护程序)进程在您的服务器(例如root)上运行特权,因此在成功完成身份验证后,它会在用户登录时生成登录shell。
You are starting from the point of assuming a password is a requirement for authentication. But it is really only one way there. On modern Linux the PAM subsystem controls authentication and authorization. You could make a PAM module that allowed you to login if you answered three questions correctly. Or know the right number. Or to be even more outlandish your "password" could be a music sequence entered over a MIDI device :-)
Something needs to tie your entered name with a Unix UID and then match that to an authentication mechanism. SSH is doing this by:
As you can see this process is not going around password authentication. Password authentication is simply one of the ways in the door. We are accustomed to this method via 'login' or ssh exposing a password prompt. But there are many ways. The core requirement is the program performing the authentication has root privileges.
Everyone already mentioned that sshd
runs as a privileged daemon.
So how does passwordless public key authentication works?
When a user connects to sshd
, by default unless configured otherwise, sshd
will require the remote connection to present a key. In the absence of the key, sshd
will attempt to ask for other methods of proof of identity of the remote user, one of which is interactive password.
Before one can start using passwordless public key authentication, one must register his public key. This usually involves copying public key to user's .ssh/authorized_keys
file. There is a cli ssh-copy-id
that can do exactly this.
How does private/public key authentication works then? When a user connects to ssh daemon
, the ssh
client will read the user's private key, usually stored in .ssh
under different filenames such as id_rsa
or identity
or id_dsa
. The ssh
client will generate the public key from the private key and present the public key to sshd
. The sshd
daemon will compare the received public key against the user's authorized_keys
. If a match is found, the connection is allowed. Then sshd
will spawn a process and a shell and will drop the provileges to the user's privilege.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.