I recently reviewed the Linux system log /var/log/secure and found that the server has a large number of brute-force login attempts, coming from different IPs and trying different accounts. Blocking the IPs with iptables is not practical (there are too many), and because of the company budget there is no fixed network IP for logging in to the server, so it is also not practical to write iptables rules that only allow certain IPs. Therefore, it is necessary to use key authentication to log on to the server and avoid unnecessary trouble.
1. Configure sshd to only allow login with public_key
cd /etc/ssh/
① Back up the configuration first and create a normal user
cp sshd_config sshd.conf.bak
useradd chengzhi
② sshd_config configuration
There are several main changes:
# Commented out by default. Prohibit root login first; allowing root login is too dangerous.
PermitRootLogin no
# Enable RSA authentication (I created a DSA key, so this option is not turned on)
#RSAAuthentication yes
# Storage path of the public keys used for verification
AuthorizedKeysFile .ssh/authorized_keys
# Commented out by default; enable public key authentication
PubkeyAuthentication yes
# Disable password authentication, which is turned on by default
PasswordAuthentication no
After saving, restart the SSH service.
Red Hat, CentOS: service sshd restart
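A check worth running before that restart, as an added example that is not part of the original post: it audits an sshd_config for the three settings changed above. The function names and the sample file are constructed for illustration; the script assumes plain "Keyword value" lines and does not follow Include files.

```sh
#!/bin/sh
# Added example (not from the original post): audit the global section of an
# sshd_config for the three settings changed above. sshd keeps the FIRST value
# it reads for a keyword and matches keywords case-insensitively.
# Assumptions: "Keyword value" syntax; Include files are not followed.

# effective_value FILE KEYWORD DEFAULT: print the value sshd would use.
effective_value() {
    awk -v kw="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        tolower($1) == "match" { exit }      # Match blocks are conditional; stop
        tolower($1) == tolower(kw) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: return 0 only if all three settings are set explicitly
# to the values used on this page (defaults differ between OpenSSH versions).
audit_sshd_config() {
    rc=0
    for want in PermitRootLogin:no PubkeyAuthentication:yes PasswordAuthentication:no; do
        kw=${want%%:*}
        exp=${want#*:}
        got=$(effective_value "$1" "$kw" unset)
        if [ "$got" = "$exp" ]; then
            echo "OK   $kw $got"
        else
            echo "FAIL $kw is '$got', expected '$exp'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the last line looks like it disables passwords, but the
# earlier lower-case line wins, so sshd would still accept password logins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
passwordauthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "=> fix the file before restarting sshd"
rm -f "$sample"
```

On a live host, sshd -t checks the file for syntax errors and sshd -T prints the settings sshd actually resolves; run them before the restart so a mistake does not lock you out.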
2. Public key generation
Method one (server-generated key pair)
Execute on the server:
ssh-keygen -t dsa
This produces two files: id_dsa is the private key and id_dsa.pub is the public key.
Copy these two files to the local Windows machine.
cat .ssh/id_dsa.pub > /home/chengzhi/.ssh/authorized_keys   # put the public key into the verification file
Method two (generate a key pair with SecureCRT; I have not tested this method)
Click Tools -> Create Public Key
Passphrase: if left blank, the key is not encrypted; if filled in, the key is encrypted.
Key length: the default is usually fine.
Start generating the key
Copy the Identity.pub file to the server, place it in the .ssh subdirectory of the home directory, and execute:
ssh-keygen -i -f Identity.pub > authorized_keys
3. Configure SecureCRT to use public key authentication
Open Session Options
4. Testing
Connect again with SecureCRT; the login succeeds directly.
This article is from the "Trojan Rain Heart" blog; reprinting is declined.
Configure SecureCRT to log on to a Linux server using an SSH public key