The SSH connection between computers without passwords

关于SSH服务器， 鸟哥私房菜上有一个比较详细的解释： 关于SSH服务器

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two computers. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user. However, before the user is given a login prompt, a key will be generated to encrypt and decrypt all of the data that will be passed between the two computers. That is, more is happening behind the scenes.

Generally there are three ssh keypairs which are used by corresponidng SSH protocal such SSH1.0, SSH-RSA, SSH-DSA. These key pairs are located in /etc/ssh/ssh_host*. One pair key could represent the key of the Host. 这些密钥是在sshd服务器启动时自动生成的：/etc/init.d/sshd restart  

当客户端通过ssh连接服务端时，服务端的公钥将被copy到客户端的~/.ssh/knowhosts中，The key pair would be used to be copied to the known_hosts files of client.

Once user logins to a remote host using ssh command successfully, defaultly the host key of the Host would be added to the locally $HOME/.ssh/known_hosts file using the (hostname,(or)ip,key) pair. 

下面插入一些从鸟哥网站上拿来的，一些知识上的盲点。SSH服务器端和客户端通过SSH协议通信流程如下：

1. 服务器建立公钥档： 每一次启动 sshd 服务时，该服务会主动去找 /etc/ssh/ssh_host* 的档案，若系统刚刚安装完成时，由于没有这些公钥档案，因此 sshd 会主动去计算出这些需要的公钥档案，同时也会计算出服务器自己需要的私钥档；
   
   
2. 客户端主动联机要求： 若客户端想要联机到 ssh 服务器，则需要使用适当的客户端程序来联机，包括 ssh, pietty 等客户端程序；
   
   
3. 服务器传送公钥档给客户端： 接收到客户端的要求后，服务器便将第一个步骤取得的公钥档案传送给客户端使用 (此时应是明码传送，反正公钥本来就是给大家使用的！)；
   
   
4. 客户端记录/比对服务器的公钥数据及随机计算自己的公私钥： 若客户端第一次连接到此服务器，则会将服务器的公钥数据记录到客户端的用户家目录内的 ~/.ssh/known_hosts 。若是已经记录过该服务器的公钥数据，则客户端会去比对此次接收到的与之前的记录是否有差异。若接受此公钥数据， 则开始计算客户端自己的公私钥数据；
   
   
5. 回传客户端的公钥数据到服务器端： 用户将自己的公钥传送给服务器。此时服务器：『具有服务器的私钥与客户端的公钥』，而客户端则是： 『具有服务器的公钥以及客户端自己的私钥』，你会看到，在此次联机的服务器与客户端的密钥系统 (公钥+私钥) 并不一样，所以才称为非对称式密钥系统喔。
   
   
6. 开始双向加解密： (1)服务器到客户端：服务器传送数据时，拿用户的公钥加密后送出。客户端接收后，用自己的私钥解密； (2)客户端到服务器：客户端传送数据时，拿服务器的公钥加密后送出。服务器接收后，用服务器的私钥解密。

在上述的第 4 步骤中，客户端的密钥是随机运算产生于本次联机当中的，所以你这次的联机与下次的联机的密钥可能就会不一样啦！ 此外在客户端的用户家目录下的 ~/.ssh/known_hosts 会记录曾经联机过的主机的 public key ，用以确认我们是连接上正确的那部服务器。

ssh -f 参数和-o参数的妙用，简单的说就是-f可以通过将ssh在远程执行的命令进行执行而客户端不用等其返回，而-o就是默认接受将远程的公钥放到本地的known_hosts文件中，但是-o只是一个开启参数，后面还要跟StrictHostKeyChecking=no：

选项与参数：
-f ：需要配合后面的 [指令] ，不登入远程主机直接发送一个指令过去而已；
-o 参数项目：主要的参数项目有：
 ConnectTimeout=秒数 ：联机等待的秒数，减少等待的时间
 StrictHostKeyChecking=[yes|no|ask]：预设是 ask，若要让 public key
           主动加入 known_hosts ，则可以设定为 no 即可。
-p ：如果你的 sshd 服务启动在非正规的埠口 (22)，需使用此项目；
[指令] ：不登入远程主机，直接发送指令过去。但与 -f 意义不太相同。

#  登入对方主机执行过指令后立刻离开的方式：
[root@www ~]# ssh student@127.0.0.1 find / &> ~/find1.log
student@localhost's password:
# 此时你会发现怎么画面卡住了？这是因为上头的指令会造成，你已经登入远程主机，
# 但是执行的指令尚未跑完，因此你会在等待当中。那如何指定系统自己跑？
#  与上题相同，但是让对方主机自己跑该指令，你立刻回到近端主机继续工作：
[root@www ~]# ssh -f student@127.0.0.1 find / &> ~/find1.log
# 此时你会立刻注销 127.0.0.1 ，但 find 指令会自己在远程服务器跑喔！

# 删除掉 known_hosts 后，重新使用 root 联机到本机，且自动加上公钥记录
[root@www ~]# rm ~/.ssh/known_hosts
[root@www ~]# ssh -o StrictHostKeyChecking=no root@localhost
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
root@localhost's password:
# 如上所示，不会问你 yes 或 no 啦！直接会写入 ~/.ssh/known_hosts 当中！

the process:
(1) ssh abc@10.0.0.1
The authenticity of host '10.0.0.1 (10.0.0.1)' can't be established.
RSA key fingerprint is 22:69:d7:05:23:c6:db:d9:55:2a:20:a3:34:bd:f4:ef.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.1' (RSA) to the list of known hosts.
Password:
(2) then next time he could loggin to this host just input the password.

Said for an example, I have a Linux cluster (called bbom with the IP 192.168.0.100) running on 2 machines(active/standy mode), called A and B, with sperately IP 192.168.0.6 and 192.168.0.7.  These two computers could swtich over to each other once the other encounters a problem. and usually users are connect using the hostname or IP address to the cluster, when SWO happens, mostly, they would encounter a warning:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
44:28:35:a0:79:94:d8:fd:e3:78:68:3d:ce:7a:59:5d.
Please contact your system administrator.
Add correct host key in $HOME/.ssh/known_hosts to get rid of this message.

Offending key in $HOME/.ssh/known_hosts:2 <==冒号后面接的数字就是有问题数据行号

RSA host key for host has changed and you have requested strict checking.

Host key verification failed.

Annoying right? 

You could solve this problem by removing the $HOME/.ssh/knwon_hosts file temporarily. But if you want to solve this problem from the root, there two ways:

Option 1: 
   ssh A and type yes if required
   ssh B and type yes if required
   edit $HOME/.ssh/known_hosts
   modify known_hosts and add hostname and IP address as example below:
   bbom,192.168.0.100,192.168.0.6 ssh-rsa AAAAB32Nsomething…… (Key @ A)
   bbom,192.168.0.100,192.168.0.7 ssh-rsa AAAAB32Nsomethingelse……(Key @ B)
Option 2:
   Option 2:
   SSH to A
   Copy SSH DSA and RSA key from A to B
   ssh_host_dsa_key
   ssh_host_dsa_key.pub
   ssh_host_rsa_key
   ssh_host_rsa_key.pub
   scp /etc/ssh/ssh_host_dsa_key* B:/etc/ssh/.
   scp /etc/ssh/ssh_host_rsa_key* B:/etc/ssh/.
   /etc/init.d/sshd restart for B 

 The next step, if user wants to login to the remote host without password;
 (1)command: ssh-keygen -t rsa 
        the rsa parameter means using the rsa cryptography
    and a public-private key pair would be generated at $HOME/.ssh directory
such as id_ra, and id_ra.pub
 (2)command: ssh-copy-id -i $HOME/.ssh/id_rsa.pub  abc@IP of A
        this command would copy the id_rsa.pub key to the $HOME of abc/.ssh/authorized_keys
For the cluster, user should execute this command at every computer belong to this cluster
 (3)command: ssh abc@ip of A
         users could login a without inputing password

OK, enjoy!!

SSH Manual: http://www.employees.org/~satch/ssh/faq/ssh-faq.html 

Trouble Shootings:

the Secure Log:   /var/log/secure : many logs about the authority are in this file. This File is very important, for the ssh problems, please analyse this file.

(1)  Nov 29 10:09:57 pcp318136pcs sshd[2536]: Server listening on :: port 22.

       Nov 29 10:09:57 pcp318136pcs sshd[2536]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

 this error not affect the sshd service behaves badly, pls ignores it

(2) Nov 29 09:25:58 pcp318136pcs sshd[2174]: Authentication refused: bad ownership or modes for directory /home/feng

this problems would cause the service sshd behaves badly, should use the root account to chmod this directory and the subdirectory .ssh  be 700. 

    chmod 700 /home/feng  

    chmod 700 ~/.ssh -R

    chmod 644 ~/.ssh/* 

or when you use 'ssh users@ip' to login, the SSH would ask you passwords despite you had ssh-copy-id the pub key to this compute.

(3)Nov 29 19:43:31 pcp465599pcs sshd[3691]: pam_tally2(sshd:setcred): unknown option: reset

 this error not affect the sshd service behaves badly, pls ignores it

(4) The authenticity of host 192.168.0.xxx can't be established.  Should type yes.

For the scripts, it is a hard case,  so should use the ssh like ssh  -o StrictHostKeyChecking=no  192.168.0.xxx  Or mkdir a config file located at the $HOME.

pilotPC$ mkdir –p ~usrt/.ssh

pilotPC$ cd ~usrt/.ssh

pilotPC$ echo "StrictHostKeyChecking no" > config

pilotPC$ echo "ServerAliveInterval 300" >> config

-bash-3.2$ echo "ServerAliveCountMax 36" >> config

-bash-3.2$ chmod 600 config

(5) Permission not allowed, or when you copy-id, allays ssh said that the permission problems:

Firstly,  should add the username to the /etc/ssh/sshd_config,  

    vi /etc/ssh/sshd_config  and add the 'AllowUsers user1' to this file

Secondly, Except the usual password authorization, there is also a PAM authority, you can see the  /etc/ssh/sshd_config file, there is 

a UsePAM =yes parameter.  The problem may be this user may be locked, then the solution are as bellow:

在建立密钥系统的步骤中要记得的是：

• Client 必须制作出 Public & Private 这两把 keys，且 Private 需放到 ~/.ssh/ 内；
• Server 必须要有 Public Key ，且放置到用户家目录下的 ~/.ssh/authorized_keys，同时目录的权限 (.ssh/) 必须是 700 而档案权限则必须为 644 ，同时档案的拥有者与群组都必须与该账号吻合才行。

How do I lock out a user after a set number of login attempts?

by The editorial team

Version: Red Hat® Enterprise Linux® 3 and 4

The PAM (Pluggable Authentication Module) module pam_tally keeps track of unsuccessful login attempts then disables user accounts when a preset limit is reached. This is often referred to as account lockout.

To lock out a user after 4 attempts, two entries need to be added in the /etc/pam.d/system-auth file:

auth        required        /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account     required        /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

The options used above are described below:

• onerr=fail
  If something strange happens, such as unable to open the file, this determines how the module should react.
• no_magic_root
  This is used to indicate that if the module is invoked by a user with uid=0, then the counter is incremented. The sys-admin should use this for daemon-launched services, like telnet/rsh/login.
• deny=3The deny=3 option is used to deny access if tally for this user exceeds 3.
• reset
  The reset option instructs the module to reset count to 0 on successful entry.

See below for a complete example of implementing this type of policy:

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok auth        required      /lib/security/$ISA/pam_deny.so  account     required      /lib/security/$ISA/pam_unix.so account     required      /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset  password    requisite     /lib/security/$ISA/$ISA/pam_cracklib.so retry=3 password    sufficient    /lib/security/$ISA/$ISA/pam_unix.so nullok use_authtok md5 shadow password    required      /lib/security/$ISA/$ISA/pam_deny.so  session     required      /lib/security/$ISA/$ISA/pam_limits.so session     required      /lib/security/$ISA/$ISA/pam_unix.so

For more detailed information on the PAM system please see the documentation contained under/usr/share/doc/pam-&lt;version&gt;

For information on how to unlock a user that has expired their deny tally see additional Knowledgebase articles regarding unlocking a user account and seeing failed logins with the faillog command.

contributed by David Robinson

Red Hat’s customer service and support teams receive technical support questions from users all over the world. Red Hat technicians add the questions and answers to Red Hat Knowledgebase on a daily basis. Access to Red Hat Knowledgebase is free. Every month, Red Hat Magazine offers a preview into the Red Hat Knowledgebase by highlighting some of the most recent entries.

This entry was posted by The editorial team on Thursday, January 25th, 2007 at 1:00 am and is filed under tips and tricks. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Reference: 

http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-log-failed-login.html

http://magazine.redhat.com/2007/01/25/how-do-i-lock-out-a-user-after-a-set-number-of-login-attempts/