SSH key login makes Linux vps/server more secure

As PHP becomes more popular, Linux vps/servers are used more and more, and Linux security issues need to be enhanced, if you install denyhosts and set up email reminders, you may be subject to several letters each day denyhosts The reporting will come to break the SSH password IP join/etc/hosts.deny.

There are two types of Linux ssh logins:

1, the use of password Authentication login

Typically, a VPS or server is provided with a direct IP and root password, which is the way to log in by using a password. If the password is not strong enough, and do not install denyhosts and so on to prevent SSH password cracking software, then the system security will have a great hidden danger.

2. Use key to verify login

Security authentication based on key must create a pair of keys for the user himself and place the shared key on the server that needs to be accessed. When a connection to an SSH server is required, the client software sends a request to the server requesting security authentication using the client's key. After the server receives the request, it first looks for a common key under the user's root directory and compares it to the public key that was sent over. If two keys are consistent, the server encrypts the "challenge" with the public key and sends it to the client software (Putty,xshell, etc.). After a client receives a challenge, it can be decrypted and sent to the server with a local private key, which is quite secure.

First, generate the key

Because Puttygen generated key problems may occur: "Server refused our key", it is best to use Xshell to generate the key or to generate the key on the remote Linux vps/server.

1. Generate key on Linux remote server:

Log on to a remote Linux vps/server and execute:

root@vpser:~# ssh-keygen-t RSA//Run this command first

Generating public/private RSA key pair.

Enter file in which to save the key (/ROOT/.SSH/ID_RSA)://Direct return

Created directory '/root/.ssh '.

Enter passphrase (empty for no passphrase)://Enter key password

Enter same Passphrase again://Repeat Key password

Your identification has been saved In/root/.ssh/id_rsa. Tip the public and private keys are already stored in the/root/.ssh/directory

Your public key has been saved in/root/.ssh/id_rsa.pub.

The key fingerprint is:

15:23:A1:41:90:10:05:29:4C:D6:C0:11:61:13:23:DD root@vpser.net

The key ' s Randomart image is:

+–[RSA 2048]--+

|=& @Bo +o o.o |

|=o=. E O. o |

| . . . |

| . |

| S |

| |

| |

| |

| |

+ ————— –+

root@vpser:~#

The Id_rsa and id_rsd.pub below/root/.ssh/are properly preserved.

2, use Xshell to generate the key

Xshell is a powerful SSH client under Windows, can save n multiple sessions by category, Support tab, support multiple Key management and so on, the management of more vps/server using Xshell is relatively convenient, recommended use.

Download Xshell, install, Run Xshell, click menu: Tool->user Key Generation Wizard, the following prompts appear:

Click Save as file to save the key as Id_rsa.pub.

Add a key to a remote Linux server

1, with WinSCP, upload the id_rsa.pub file to/root/.ssh/below (if not to create this directory), and rename it to: Authorized_keys (if the key generated on the Linux server is executed directly: mv/root/.ssh/ Id_rsa.pub/root/.ssh/authorized_keys), and then execute: chmod 600/root/.ssh/authorized_keys Modify Permissions.

2, modify the/etc/ssh/sshd_config file, the rsaauthentication and pubkeyauthentication after the value are changed to Yes, save.

3, restart sshd service, Debian/ubuntu implement/ETC/INIT.D/SSH restart; CentOS execution:/etc/init.d/sshd restart.

Third, client testing using key login

1, using Putty Login

Putty uses a private key file that is different from a Linux server or Xshell private key format, and if you use putty, you need to download the Id_rsa files that are generated on the Linux host locally. Run Putty compression package inside the Puttygen.exe, select Conversions->import key to select the private key file Id_rsa, enter the key file password, the following interface will appear:

Click "Save private Key" to save the private key as ID_RSA.PPK

Run putty, fill in Host name: root@ hostname or IP

If a key password is set, the key password is entered when: Passphrase for key "Imported-openssh-key".

If the settings are not a problem, the login succeeds and a user prompt appears.

2, Xshell Login

Run Xshell, select Menu file->new and fill in the following prompts:

Open the Create a good session

If the settings are not a problem, the login succeeds and a user prompt appears.

3. Linux Client Login Test

Execute on Linux client: chmod 600/root/id_rsa: SSH root@www.vpser.net-i/root/id_rsa/root/id_rsa as private key file, first link may prompt confirmation, enter Yes, Then press the prompt to enter the key password, no problem will appear the user prompt.

Iv. Modify Remote Linux server sshd service configuration

1. Modify/etc/ssh/sshd_config File

Modify Passwordauthentication Yes to Passwordauthentication no

2. Restart SSHD Service

Debian/ubuntu executes/etc/init.d/ssh restart; CentOS execution:/etc/init.d/sshd restart.

OK, Setup is complete.

Again, be sure to keep the Putty private key file ID_RSA.PPK or Linux server downloaded ID_RSA private key file