Asymmetric Encryption and SSH Passwordless Login
1. Asymmetric Encryption
In the digital age, asymmetric encryption technology forms the foundational pillar of our network security. This sophisticated cryptographic system uses a pair of mathematically related keys—public key and private key—to achieve a revolutionary breakthrough in secure communication.
Core Features:
- • Unidirectionality: Content encrypted with the public key can only be decrypted with the corresponding private key.
- • Verifiability: Information signed with the private key can be verified for authenticity using the public key.
Its security is based on computational complexity theory,making it computationally infeasible to derive the private key from the public key. This characteristic perfectly resolves the key distribution dilemma of symmetric encryption, laying a solid foundation for digital signatures and secure key exchanges.
2. RSA Algorithm
RSA, as the most widely used asymmetric encryption algorithm, relies on the extreme difficulty of factoring large integers.
Key Generation Essentials:
- 1. Select two large prime numbers p and q.
- 2. Calculate the modulus n = p × q (the length of n determines the key strength).
- 3. Calculate Euler’s totient function φ(n) = (p-1)(q-1).
- 4. Choose a public exponent e (usually 65537) that is coprime to φ(n).
- 5. Calculate the private exponent d such that (d × e) mod φ(n) = 1.
Encryption and Decryption Process:
- • Encryption: C = Mᵉ mod n
- • Decryption: M = Cᵈ mod n
Even if an attacker obtains the public key (e, n) and the ciphertext C, they remain helpless without the ability to factor n.
3. SSH Passwordless Login
SSH passwordless login transforms the theory of asymmetric encryption into an elegant authentication practice, completely eliminating the need for password input through a challenge-response protocol.
Three-Stage Authentication Process:
Stage One: Key Preparation1. The client (your computer) generates a pair of asymmetric encryption keys: a private key (kept secret, never disclosed) and a public key (which can be shared).2. Copy the public key content into a specific file on the server (usually ~/.ssh/authorized_keys).
Stage Three: Response VerificationThe server checks if this public key is in authorized_keys. If the public key is allowed, the server sends a session identifier.The client uses the private key to sign (session identifier + request content).The server verifies the signature using the public key.
4. Practical Guide: Windows Configuration Process
Step 1: Generate Key Pair
ssh-keygen -t rsa -b 4096
# -t rsa: specifies the use of the RSA algorithm.
# -b 4096: specifies the key length of 4096 bits
· Default path C:\Users[username].ssh\id_rsa· The system will prompt “Enter passphrase (empty for no passphrase):”.· For pure passwordless login: press Enter twice without setting a password.· For higher security: enter a strong password and confirm. This will require re-verification when using the private key.· Upon successful generation, you will see a random art pattern of the key.· Two files will be generated in the C:\Users[username].ssh\ directory:id_rsa: your private key (must be kept strictly confidential).id_rsa.pub: your public key (needs to be uploaded to the server).
Step 2: Upload Public Key to Linux ServerIf there is no .ssh directory, you can create it and write the public key using the following script:Note: Regenerating keys may overwrite existing keys, damaging previous login configurations.
#!/bin/bash
# save as setup_ssh.sh
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Replace the content below with your public key
echo "ssh-rsa YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
echo "SSH key configuration completed!"
Ensure server file permissions during configuration:~/.ssh directory permission: 700authorized_keys file permission: 600
You can also directly generate the Linux public and private keys including these directories:Just copy the public key into authorized_keys.
# This command will create the directory, generate keys, and set correct permissions
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N "" -q
# -f ~/.ssh/id_rsa - specifies the key file path
# -N "" - empty password (passwordless)
# -q - quiet mode
Core Files and Their Meanings
<span>.ssh</span> Directory Core File Explanation
| File/Directory Name | System | Description | Security Level | Key Points |
<span>id_rsa</span>, <span>id_ed25519</span> |
Windows / Linux | Private Key File. Your digital identity credential, used to prove you are the holder of the public key. | 🔒 Top Secret | Must never be disclosed. This is fundamental for authentication. |
<span>id_rsa.pub</span>, <span>id_ed25519.pub</span> |
Windows / Linux | Public Key File. Corresponds to the private key and can be publicly distributed. Used for encryption or signature verification. | 🔑 Public | Content can be freely copied and distributed for passwordless login configuration. |
<span>authorized_keys</span> |
Linux (Server) | Trusted Public Key Repository. Stores all client public keys allowed to log in to this user account via key. | 🔑 Core Configuration | Core of passwordless login on the server side. File permission must be <span>600</span>. |
<span>authorized_keys</span> |
Windows (as server) | Same as above. When Windows enables the OpenSSH server feature, it stores the public keys allowed to connect to this Windows user. | 🔑 Core Configuration | Not commonly seen in pure client scenarios. |
<span>known_hosts</span> |
Windows / Linux | Known Hosts Database. Records the public key fingerprints of all SSH servers you have connected to, used to verify server identity and prevent man-in-the-middle attacks. | 🛡️ Important | If a server’s fingerprint changes, SSH will issue a warning, indicating potential risks. |
<span>config</span> |
Windows / Linux | SSH Client Configuration File. Allows setting aliases, ports, usernames, and private keys for specific hosts or domains, greatly simplifying connection commands. | ⚙️ Practical | For example, after configuration, you only need to enter <span>ssh myserver</span> instead of a long command string. |
Host Key (e.g., <span>ssh_host_rsa_key</span>) |
Linux (Server) | Server Identity Credential. Stored in the <span>/etc/ssh/</span> directory, used to identify the server’s uniqueness to all clients. |
🖥️ Server Identity | The public key fingerprint will be recorded in the <span>known_hosts</span> file by the client. |
<span>.ssh</span> Directory Itself |
Windows / Linux | Root directory for storing SSH configurations and keys. | 📁 Basic | Permissions must be strict: – Linux: <span>700</span> (<span>drwx------</span>)– Windows: Default inheritance, but confidentiality must be ensured. |
Core Interaction Process and File Correspondence
When you SSH connect from Windows (Client) to Linux (Server), the files involved are as follows:
- 1. Connection Initiation:
<span>ssh myuser@server_ip</span> - 2. Server Authentication:
- • The Linux server presents its host private key
- • The Windows client checks the
<span>known_hosts</span>file to verify the server’s identity is trustworthy.
- • The Windows client declares its identity and provides public key information.
- • The Linux server looks for this public key in the
<span>~myuser/.ssh/authorized_keys</span>file. - • If found, the server generates a random challenge and encrypts it with that public key.
- • The Windows client uses its local private key
<span>id_rsa</span>to decrypt the challenge. - • The decrypted result is sent back to the server.
- • The server verifies the response is correct, confirming the client holds the matching private key.
- • Authentication passes, establishing a session.
