CentOS 7 SSH key login and key-plus-password dual verification

Source: Internet
Author: User

1. First, log on to CentOS and switch to the user you want to log on to without a password, then go to that user's home directory. The following uses root as an example:
su root
cd ~


2. Create a key pair with the command: ssh-keygen -t rsa. Press Enter at every prompt to accept the defaults.


3. When the process completes, the files id_rsa and id_rsa.pub appear in ~/.ssh (the .ssh directory under the user's home directory). The first is the private key, the second is the public key.


4. Modify the SSH daemon configuration file. Command: vim /etc/ssh/sshd_config

# Root account logon. Leave this enabled if you log on as root.
PermitRootLogin yes

# Whether sshd checks the permissions of the user's home directory and related files before accepting a login.
# The check exists because wrongly set permissions on important files can cause problems;
# for example, if the permissions on the user's ~/.ssh/ are wrong, login is refused in some cases.
StrictModes no

# Whether to allow users to log on with their own key pairs (protocol version 2 only).
# The user's own public key data is stored in .ssh/authorized_keys under the home directory.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Once key (certificate) logon works, disable password logon; this matters for security.
PasswordAuthentication no


5. Because step 4 sets AuthorizedKeysFile to .ssh/authorized_keys, you also need to append the public key data in id_rsa.pub to the file authorized_keys. Command:
cd ~/.ssh
cat id_rsa.pub >> authorized_keys

Restart the SSH service. Command: systemctl restart sshd.service


6. Download the private key. Here I use the rz/sz tool (other methods work too). It is not installed by default, so install it first. Command: yum -y install lrzsz
SecureCRT configuration: Options → Session Options → X/Y/Zmodem; set the upload and download directories.
Now download. Command:
cd ~/.ssh
sz id_rsa
Then go to the download directory you configured and import the private key into SecureCRT as follows:
Options → Session Options → SSH2. In the Authentication list, tick PublicKey (note: because password logon was disabled above, the Password entry must be unticked, otherwise logon fails). Click Properties, choose the session public key setting, and in the identity or certificate file field below select the private key file you just downloaded, then click OK.


7. All of the above configuration is now complete. Other online tutorials I read say to pay attention to the permissions of the various files. I did not run into this during my experiment, possibly because I was using root; if you get permission errors during the process, set the permissions as follows:
~/.ssh 700
~/.ssh/authorized_keys 644
~/.ssh/id_rsa 600, owned by the user you are adding
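The following script is an added example, not code from the original post: it performs the authorized_keys step from step 5 and the permission fix from step 7 in one idempotent function, and checks the result. If StrictModes is left at its default of yes, sshd itself refuses keys whose directory or file permissions are wrong, which is exactly what these checks catch before you lock yourself out. The function names, the scratch home directory and the constructed public key line are assumptions of this example; GNU or BSD stat is assumed for reading permission bits.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently install a public key into a user's
# authorized_keys and apply the permissions listed in step 7, then verify them.
# Assumptions: GNU coreutils (stat -c) or BSD stat (stat -f) is available; paths are passed in
# explicitly so the functions can be exercised against a scratch directory.

# Print the octal permission bits of a path (portable across GNU and BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey <pubkey-file> <home-dir>
# Appends the key line to <home-dir>/.ssh/authorized_keys only if it is not already present,
# creating the directory if needed, and sets 700 on .ssh and 644 on authorized_keys as in step 7.
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    mkdir -p "$ssh_dir"
    touch "$auth_keys"

    # Compare the key material (second field) rather than the whole line, so a changed
    # trailing comment does not produce a duplicate entry.
    key_blob=$(awk '{print $2}' "$pubkey_file")
    if ! awk -v k="$key_blob" '$2 == k { found=1 } END { exit !found }' "$auth_keys"; then
        cat "$pubkey_file" >> "$auth_keys"
    fi

    chmod 700 "$ssh_dir"
    chmod 644 "$auth_keys"
    # The private key, if it lives here too, must be readable by the owner only.
    [ -f "$ssh_dir/id_rsa" ] && chmod 600 "$ssh_dir/id_rsa"
    return 0
}

# check_ssh_perms <home-dir>
# Returns 0 when the permissions match step 7; otherwise reports each mismatch and returns 1.
check_ssh_perms() {
    home_dir=$1
    rc=0
    for spec in ".ssh:700" ".ssh/authorized_keys:644" ".ssh/id_rsa:600"; do
        rel=${spec%%:*}
        want=${spec##*:}
        path="$home_dir/$rel"
        [ -e "$path" ] || continue      # id_rsa is optional on the server side
        have=$(perm_of "$path")
        if [ "$have" != "$want" ]; then
            echo "$path: has $have, expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# count_key_entries <home-dir>: number of non-empty lines in authorized_keys.
count_key_entries() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Usage on the server (hypothetical paths): install_pubkey ~/.ssh/id_rsa.pub ~ && check_ssh_perms ~
```

Running install_pubkey twice with the same key leaves a single entry, and check_ssh_perms flags a directory that was accidentally made world-writable, the case in which sshd with StrictModes yes would silently refuse the key.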


8. To make the server more secure, enable password and certificate dual authentication. First modify the SSH configuration file:
vim /etc/ssh/sshd_config

Change PasswordAuthentication to yes

Then add one more line: AuthenticationMethods publickey,password
Restart the SSH service: systemctl restart sshd.service
SecureCRT configuration: because the Password entry was unticked in step 6, tick it again: Options → Session Options → SSH2, and tick Password in the Authentication list.

Personal experience: do not close the current SecureCRT connection window after the configuration is complete; open a new connection to try logging in, so that a configuration error does not lock you out of the server.
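As an added example (not from the original post), the script below checks an sshd_config for the step-8 settings before you restart the daemon: PasswordAuthentication yes, PubkeyAuthentication yes, and an AuthenticationMethods line that requires both factors. It follows sshd's rule that the first occurrence of a directive wins, and it also flags an AuthenticationMethods value that lists a single-factor alternative. The function names and the two constructed sample configurations are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config for the step-8
# dual-authentication settings without touching the live daemon. sshd honours the FIRST
# occurrence of a directive, so effective_value mirrors that rule. Sample configs are constructed.

# effective_value <config-file> <directive>
# Prints the value of the first non-comment occurrence of <directive> (keyword match is
# case-insensitive, as in sshd), or nothing if the directive is absent.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }          # skip comments and blank/incomplete lines
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")                             # drop trailing whitespace
            print; exit
        }
    ' "$1"
}

# check_dual_auth <config-file>
# Returns 0 only when both factors are required: PubkeyAuthentication yes, PasswordAuthentication yes,
# and "publickey,password" present in AuthenticationMethods with no single-factor alternative.
check_dual_auth() {
    cfg=$1
    rc=0
    pk=$(effective_value "$cfg" PubkeyAuthentication)
    pw=$(effective_value "$cfg" PasswordAuthentication)
    am=$(effective_value "$cfg" AuthenticationMethods)

    # Both directives default to yes when unset; step 4 set PasswordAuthentication to no,
    # which is the conflict this check is meant to catch.
    [ -z "$pk" ] && pk=yes
    [ -z "$pw" ] && pw=yes

    if [ "$pk" != yes ]; then echo "PubkeyAuthentication is '$pk', need yes" >&2; rc=1; fi
    if [ "$pw" != yes ]; then echo "PasswordAuthentication is '$pw': the password factor can never succeed" >&2; rc=1; fi

    # AuthenticationMethods: space-separated alternatives, each a comma-separated required chain.
    ok=0; single=0
    for alt in $am; do
        [ "$alt" = "publickey,password" ] && ok=1
        case $alt in *,*) ;; *) single=1 ;; esac
    done
    if [ "$ok" != 1 ]; then echo "AuthenticationMethods is '${am:-unset}', need publickey,password" >&2; rc=1; fi
    if [ "$single" = 1 ]; then echo "an AuthenticationMethods alternative allows a single factor" >&2; rc=1; fi
    return $rc
}

# write_sample_config <file> weak|dual
# Constructed samples mirroring the state after step 4 ("weak": key only, password off)
# and after step 8 ("dual": both factors required).
write_sample_config() {
    if [ "$2" = dual ]; then
        printf '%s\n' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
            'AuthorizedKeysFile .ssh/authorized_keys' 'PasswordAuthentication yes' \
            'AuthenticationMethods publickey,password' > "$1"
    else
        printf '%s\n' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
            'AuthorizedKeysFile .ssh/authorized_keys' 'PasswordAuthentication no' > "$1"
    fi
}

# Usage against the real file: check_dual_auth /etc/ssh/sshd_config && systemctl restart sshd.service
```

Run it before the restart in step 8, together with sshd's own syntax check (sshd -t) and its dump of effective values (sshd -T); on the OpenSSH 7.x shipped with CentOS 7 that syntax check also warns that RSAAuthentication is a deprecated option, which is harmless since PubkeyAuthentication carries the setting.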

