SSH certificate verification login (key-based login)

Source: Internet
Author: User
Tags: ssh, port

PuTTY and other SSH clients are commonly used to manage Linux servers remotely. Ordinary password login, however, is exposed to brute-force password guessing, so the usual countermeasures are to move the SSH port off the default 22 or to disable root login. There is a better way to secure the server, one that even lets the root account log in remotely safely: use a key.

Key-based login works like this: a key generator creates a pair of keys, a public key and a private key. The public key is added to an account on the server, and the client uses the private key to authenticate and log in. Without the private key, nobody can brute-force their way into the system over SSH. Moreover, if you copy the public key to another account, or even to another host, the same private key lets you log in there too.

The following describes how to create a key pair on a Linux server, add the public key to an account, configure SSH, and log in from the client.

1. Create a key pair

First, create a key pair on the server. Log in to the account you intend to use for key login, then run the following command:

[root@host ~]$ ssh-keygen    <= Create a key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    <= Press Enter
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):    <= Enter the key lock code, or press Enter to leave it blank
Enter same passphrase again:    <= Enter the key lock code again
Your identification has been saved in /root/.ssh/id_rsa.    <= Private key
Your public key has been saved in /root/.ssh/id_rsa.pub.    <= Public key
The key fingerprint is:
0f:d3:e7:1a:1c:bd:5c:03:f1:19:f1:22:df:9b:cc:08 root@host

If a key lock code (passphrase) is set, it must be entered whenever the private key is used, which protects the private key if it is stolen. You can also leave it blank for password-less login.

A hidden .ssh directory has now been created in root's home directory, containing two key files: id_rsa is the private key and id_rsa.pub is the public key.

2. Install the public key on the server

Run the following command to install the public key on the server:

[root@host ~]$ cd .ssh
[root@host .ssh]$ cat id_rsa.pub >> authorized_keys

The public key is now installed. To make sure the connection succeeds, ensure that the following files have the correct permissions (sshd refuses keys from a directory or file that other users can write to):

[root@host .ssh]$ chmod 600 authorized_keys
[root@host .ssh]$ chmod 700 ~/.ssh

3. Set SSH to enable the key logon Function

Edit the /etc/ssh/sshd_config file and make the following settings:

RSAAuthentication yes
PubkeyAuthentication yes

Note that RSAAuthentication applies only to the legacy SSH protocol 1 and is ignored (with a deprecation warning) by current OpenSSH releases; PubkeyAuthentication is the setting that matters.

Also check whether the root user is allowed to log in via SSH:

PermitRootLogin yes

After you have completed all settings and successfully logged in with the key, disable password login:

PasswordAuthentication no

Finally, restart the SSH service:

[root@host .ssh]$ service sshd restart

4. Download the private key to the client and convert it to a format PuTTY can use

Use a tool such as WinSCP or SFTP to download the id_rsa private key file to the client machine. Open PuTTYgen and click Load under Actions to load the private key file you just downloaded. If you set a key lock code, you will need to enter it.

After it loads, PuTTYgen shows information about the key. Enter a description in Key comment and click Save private key to save the private key in PuTTY's own format.

From then on, when logging in with PuTTY, select your private key file under Connection > SSH > Auth in the left pane; during login you only need to enter the key lock code, if one was set.

5. If you no longer need key-based login, simply delete the related files created under ~/.ssh.
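The server-side steps above, as an added example that is not part of the original article: it installs a public key into authorized_keys the way step 2 does but without duplicating an already-present key, applies the permissions from step 2, and audits an sshd_config for the settings from step 3. It runs in a temporary directory on constructed sample files; the key string and config contents are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the article): idempotent authorized_keys install,
# the 700/600 permissions the article requires, and an sshd_config audit.
# Everything runs in a temporary directory on constructed sample files.
set -eu

# install_pubkey <pubkey-file> <ssh-dir>: append the key only if it is not
# already in authorized_keys, then set the permissions sshd insists on.
install_pubkey() {
    pub="$1"; dir="$2"
    mkdir -p "$dir"
    touch "$dir/authorized_keys"
    if ! grep -qxF "$(cat "$pub")" "$dir/authorized_keys"; then
        cat "$pub" >> "$dir/authorized_keys"
    fi
    chmod 700 "$dir"
    chmod 600 "$dir/authorized_keys"
}

# sshd_setting <config-file> <keyword>: print the effective value of a global
# keyword. sshd uses the first uncommented occurrence, keywords are
# case-insensitive, and everything after a Match line is conditional, so
# parsing stops there. Prints nothing if the keyword is only commented out.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd_config <config-file>: succeed only in the article's final state
# (key login enabled, password login disabled).
audit_sshd_config() {
    [ "$(sshd_setting "$1" PubkeyAuthentication)" = "yes" ] || return 1
    [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] || return 1
}

DEMO_DIR=$(mktemp -d)
# Constructed sample public key; not a real key.
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal root@host" \
    > "$DEMO_DIR/id_rsa.pub"
install_pubkey "$DEMO_DIR/id_rsa.pub" "$DEMO_DIR/.ssh"
install_pubkey "$DEMO_DIR/id_rsa.pub" "$DEMO_DIR/.ssh"   # second run adds nothing

# Constructed configs: one hardened as the article ends up, one still default
# (PasswordAuthentication only commented out, so passwords stay enabled).
printf '#PasswordAuthentication yes\nPubkeyAuthentication yes\nPasswordAuthentication no\n' \
    > "$DEMO_DIR/sshd_config.hardened"
printf 'PubkeyAuthentication yes\n#PasswordAuthentication no\n' \
    > "$DEMO_DIR/sshd_config.default"
```

Running the audit against the real /etc/ssh/sshd_config before restarting sshd is a cheap way to confirm that the commented-out default line was actually replaced rather than just edited in place.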

Tip: Certificate (key) verification login provides good security for server user authentication. We hope you will make more use of SSH keys.
