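I had always assumed that after the session key is generated, what the client sends to the server, encrypted with the session key, is the client's public key; the server decrypts it with the session key to obtain the public key and compares it against the public keys in ~/.ssh/authorized_keys on the server; if a match is found, the server uses it to encrypt a random number for the client, the client decrypts that with its own private key to recover the random number, and finally sends it back to the server encrypted with the session key. Once the comparison succeeds, key-based login is complete.
Based on that understanding, I had always used identity.pub (as the specified file) when logging in with SecureCRT. But today I suddenly discovered that entering identity (the private key, without .pub) as the specified file also lets me log in, and deleting identity.pub makes no difference.
So after the session key is generated, what does the client actually send to the server?
I googled it: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process This article describes the process.
Part of its description, after the session key is generated: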
1. The client begins by sending an ID for the key pair it would like to authenticate with to the server.
2. The server checks the authorized_keys file of the account that the client is attempting to log into for the key ID.
3. If a public key with matching ID is found in the file, the server generates a random number and uses the public key to encrypt the number.
4. The server sends the client this encrypted message.
5. If the client actually has the associated private key, it will be able to decrypt the message using that key, revealing the original number.
6. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.
7. The client then sends this MD5 hash back to the server as an answer to the encrypted number message.
8. The server uses the same shared session key and the original number that it sent to the client to calculate the MD5 value on its own. It compares its own calculation to the one that the client sent back. If these two values match, it proves that the client was in possession of the private key and the client is authenticated.
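What does "sending an ID for the key pair" in step 1 refer to? The username to log in as? If it is the username, what about the case where the authorized_keys file contains multiple entries for that username?
So how exactly does the server determine which public key in the authorized_keys file the client corresponds to?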
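An added example (not part of the original post or the quoted article) that models the eight quoted steps against an account with two authorized keys. It assumes the "ID" in step 1 is a fingerprint of the public key, which the client can compute from the private key alone; the toy textbook RSA, the sample keys and every function name are constructed for illustration.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent shared by the toy keys below

def make_key(p, q):
    """Toy textbook RSA key (no padding). The private key carries n and e too."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def public_part(priv):
    # The public half is recoverable from the private key, no .pub file needed.
    return (priv["n"], priv["e"])

def key_id(pub):
    # Assumption: the "ID" in step 1 is a fingerprint of the public key.
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

def server_challenge(authorized_keys, claimed_id):
    # Steps 2-4: select the entry by ID, encrypt a random number to that key.
    for n, e in authorized_keys:
        if hmac.compare_digest(key_id((n, e)), claimed_id):
            number = secrets.randbelow(n - 2) + 2
            return number, pow(number, e, n)
    return None  # no entry with this ID: the key is not authorized

def _digest(number, session_key):
    return hashlib.md5(str(number).encode() + session_key).hexdigest()

def client_answer(priv, ciphertext, session_key):
    # Steps 5-7: decrypt with the private key, hash together with the session key.
    return _digest(pow(ciphertext, priv["d"], priv["n"]), session_key)

def server_verify(number, session_key, answer):
    # Step 8: recompute the hash and compare in constant time.
    return hmac.compare_digest(_digest(number, session_key), answer)

def login(priv, authorized_keys, session_key, claimed_id=None):
    claimed_id = claimed_id or key_id(public_part(priv))
    challenge = server_challenge(authorized_keys, claimed_id)
    if challenge is None:
        return False
    number, ciphertext = challenge
    return server_verify(number, session_key, client_answer(priv, ciphertext, session_key))

KEY_A = make_key(2**127 - 1, 2**89 - 1)  # constructed keys from Mersenne primes
KEY_B = make_key(2**107 - 1, 2**61 - 1)
KEY_C = make_key(2**61 - 1, 2**31 - 1)   # not in the authorized list
AUTHORIZED = [public_part(KEY_A), public_part(KEY_B)]  # one account, two keys
```

In this model the entry is selected by the key's own fingerprint rather than by the username, so several keys under one account do not collide, and claiming an ID without holding the matching private key fails at step 8.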