The known_hosts file lets the client authenticate the server, to check that it isn't connecting to an impersonator. The authorized_keys file lets the server authenticate the user.

Server authentication

One of the first things that happens when the SSH connection is being established is that the server sends its public key to the client, and proves (thanks to public-key cryptography) to the client that it knows the associated private key. This authenticates the server: if this part of the protocol is successful, the client knows that the server is who it claims it is.

The client may check that the server is a known one, and not some rogue server trying to pass off as the right one. SSH provides only a simple mechanism to verify the server's legitimacy: it remembers servers you've already connected to, in the ~/.ssh/known_hosts file on the client machine (there's also a system-wide file /etc/ssh/known_hosts). The first time you connect to a server, you need to check by some other means that the public key presented by the server is really the public key of the server you wanted to connect to. If you have the public key of the server you're about to connect to, you can add it to ~/.ssh/known_hosts on the client manually.

By the way, known_hosts can contain any type of public key supported by the SSH implementation, not just DSA (also RSA and ECDSA).

Authenticating the server has to be done before you send any confidential data to it. In particular, if the user authentication involves a password, the password must not be sent to an unauthenticated server.

User authentication

The server only lets a remote user log in if that user can prove that they have the right to access that account. Depending on the server's configuration and the user's choice, the user may present one of several forms of credentials (the list below is not exhaustive).

  • The user may present the password for the account that he is trying to log into; the server then verifies that the password is correct.
  • The user may present a public key and prove that he possesses the private key associated with that public key. This is exactly the same method that is used to authenticate the server, but now the user is trying to prove its identity and the server is verifying it. The login attempt is accepted if the user proves that he knows the private key and the public key is in the account's authorization list (~/.ssh/authorized_keys on the server).
  • Another type of method involves delegating part of the work of authenticating the user to the client machine. This happens in controlled environments such as enterprises, when many machines share the same accounts. The server authenticates the client machine by the same mechanism that is used the other way round, then relies on the client to authenticate the user.

【转载】What is the difference between authorized_keys and known_hosts file for SSH?的更多相关文章

  1. c#中@标志的作用 C#通过序列化实现深表复制 细说并发编程-TPL 大数据量下DataTable To List效率对比 【转载】C#工具类:实现文件操作File的工具类 异步多线程 Async .net 多线程 Thread ThreadPool Task .Net 反射学习

    c#中@标志的作用   参考微软官方文档-特殊字符@,地址 https://docs.microsoft.com/zh-cn/dotnet/csharp/language-reference/toke ...

  2. 【转载】#349 - The Difference Between Virtual and Non-Virtual Methods

    In C#, virtual methods support polymorphism, by using a combination of the virtual and override keyw ...

  3. 【转载】C#工具类:实现文件操作File的工具类

    在应用程序的开发中,文件操作的使用基本上是必不可少的,FileStream类.StreamWriter类.Directory类.DirectoryInfo类等都是文件操作中时常涉及到的类,我们可以通过 ...

  4. 转载:关于思科交换机、路由器如何关闭telnet 开启ssh服务

    等保测评要求: 必须关闭telnet服务,开启ssh服务 即用ssh方式登录网络设备,而不允许用telnet. 输入密码.en 再次输入密码.sh run 这些常规动作就不再赘述. 1.关闭telne ...

  5. (转载)javascript将base64编码的图片数据转换为file并提交

    /** * @param base64Codes * 图片的base64编码 */ function sumitImageFile(base64Codes){ var form=document.fo ...

  6. hadoop 2.0 详细配置教程(转载)

    转载: http://www.cnblogs.com/scotoma/archive/2012/09/18/2689902.html 作者:杨鑫奇 PS:文章有部分参考资料来自网上,并经过实践后写出, ...

  7. Hadoop记录-hdfs转载

    Hadoop 存档 每个文件均按块存储,每个块的元数据存储在namenode的内存中,因此hadoop存储小文件会非常低效.因为大量的小文件会耗尽namenode中的大部分内存.但注意,存储小文件所需 ...

  8. 【转载】ssh-copy-id三步实现SSH无密码登录和ssh常用命令

      ssh-keygen  产生公钥与私钥对 ssh-copy-id 将本机的公钥复制到远程机器的authorized_keys文件中,ssh-copy-id也能让你有到远程机器的home, ~./s ...

  9. [转载] 构造linux 系统下免密码ssh登陆  _How to establish password-less login with SSH

    In present (post production) IT infrastructure many different workstations, servers etc. have to be ...

随机推荐

  1. XSS-笔记

     Cross Site Script  跨站脚本 是一种客户端代码的注入  而命令注入.sql注入都是客户端代码的注入.   XSS攻击行为的目标为:1.窃取目标的cookie信息 2.执行CSRF脚 ...

  2. [HAOI2018]苹果树题解

    题目链接 大意:不解释 思路: 首先方案数共有n!种,第1个点只有1种选择,第2个点2种选择,生成2个选择的同时消耗一个,第3个点则有3种选择,依次类推共有n!种方案,由于最后答案*n!,故输出的实际 ...

  3. Django 前端通过json 取出后端数据

    Django 前端通过json 取出后端数据 前端通过json 取出后端数据 步骤1:后台数据通过 JSON 序列化成字符串a 注意:1.json是1个字符串 ​ 2.通过json.dumps('xx ...

  4. [Vue] vue的一些面试题

    1.v-model 的原理 v-model 是一个语法糖,它即可以支持原生表单元素,也可以支持自定义组件.v-model 在内部为不同的输入元素使用不同的属性并抛出不同的事件. text 和 text ...

  5. webpack4.x + vue2.x 构建前端工程化(1)

    本篇文篇纯属个人笔记,实现工程化打包(用打包后的文件可以正常渲染页面),后续继续更新配置开发环境与生产环境,如果有不合理的地方还望各位指点! 不用脚手架,直接用vue和webpack搭建前端工程化项目 ...

  6. HRBUST 1849 商品中心

    vjudge 智商掉线... 可以发现一条边能贡献其他点当且仅当两点路径上这个边权值最小,所以如果按照边权从大到小加边,每加一条边就会合并两个联通块,那么一个联通块内的点到另一个联通块的点的权值就都是 ...

  7. redis 模拟redis server接收信息

    一.实现说明 客户端使用jedis正常set值到redis服务器   2. 模拟服务器接收jedis发送的信息 二.jedis客户端代码 package com.ahd.redis; import r ...

  8. DNS 缓存投毒

    原文:[DNS Cache Poisoning]( https://medium.com/iocscan/dns-cache-poisoning-bea939b5afaf) 译者:neal1991 w ...

  9. php强大的filter过滤用户输入

    <?php $filters = array //定义过滤的数组 ( "name" => array ( "filter"=>FILTER_S ...

  10. 从零开始学MySQL(二)

    鉴于上节篇幅以安装为主,因此对于调用mysql所需要使用的“命令”只是略微提及.随之而来就会带给读者诸多不解了,因为你会思考,这串长长的字符到底有什么特殊的含义呢?聪明的你可能早就抱着好奇心去“摆渡” ...