As PHP becomes more and more popular, Linux VPS/servers are used more and more, and Linux security needs to be strengthened. If you have installed DenyHosts and set up email reminders, you may receive several DenyHosts reports every day saying that an IP address that tried to crack the SSH password has been added to /etc/hosts.deny.
There are two types of Linux SSH logon:
1. Logon with password verification
Generally, after the VPS or server is activated, the IP address and root password are provided directly, and the password is used to log on. If the password is not strong enough and neither DenyHosts nor similar software is installed to prevent SSH password cracking, system security is at great risk.
2. Logon with key verification
For key-based authentication, you must create a pair of keys for the user and place the public key on the server to be accessed. When you need to connect to the SSH server, the client software sends a request to the server to use the client key for verification. After receiving the request, the server first looks for the public key in the user's home directory and then compares it with the public key sent. If the two keys match, the server uses the public key to encrypt a challenge and sends it to the client software (PuTTY, XShell, etc.). After receiving the challenge, the client decrypts it with the local private key and sends it back to the server. This method is quite safe.
1. Generate a key
Because a key generated by puttygen may cause the problem "Server refused our key", it is best to generate the key with XShell or on the remote Linux VPS/server.
1. Generate a key on the remote Linux server
Log on to the remote Linux VPS/server and run:

    root@vpser:~# ssh-keygen -t rsa    // first run this command
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):    // press ENTER
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase):    // enter the key password
    Enter same passphrase again:    // repeat the key password
    Your identification has been saved in /root/.ssh/id_rsa.    // the public key and private key are now stored in the /root/.ssh/ directory
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    15:23:a1:41:90:10:05:29:4c:d6:c0:11:61:13:23:dd root@vpser.net
    The key's randomart image is:
    [randomart image, RSA 2048]
    root@vpser:~#

id_rsa and id_rsa.pub are saved under /root/.ssh.
2. Use XShell to generate a key
XShell is a powerful SSH client for Windows. It can store many sessions organized by category, supports tabs, and supports managing multiple keys, which makes it convenient for managing multiple VPS/servers. We recommend that you use XShell.
Download and install XShell, run XShell, and click Tool > User Key Generation Wizard. The following prompt is displayed:
Click Save as file to save the key as id_rsa.pub.
2. Add the key to a remote Linux Server
1. Use WinSCP to upload the id_rsa.pub file to /root/.ssh/ (create this directory if it does not exist) and rename it to authorized_keys. If the key was generated on the Linux server, run directly:

    mv /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys

Then modify the permissions:

    chmod 600 /root/.ssh/authorized_keys

2. Modify the /etc/ssh/sshd_config file: change the values after RSAAuthentication and PubkeyAuthentication to yes, and save the changes.
3. Restart the sshd service.
On Debian/Ubuntu run:

    /etc/init.d/ssh restart

On CentOS run:

    /etc/init.d/sshd restart
3. Client test using key login
1. PuTTY logon
The private key file used by PuTTY has a different format from the private key of the Linux server or XShell. If you use PuTTY, download the id_rsa file generated on the Linux host to your local machine. Run puttygen.exe from the PuTTY zip package, select Conversions -> Import key, select id_rsa, and enter the password of the key file. The following interface is displayed:
Click Save Private Key to save the private key as id_rsa.ppk.
Run PuTTY and enter root@ followed by the host name or IP address in the Host Name field.
If the key password is set, enter the key password when Passphrase for key "imported-openssh-key" appears.
If the setting is correct, the logon succeeds and a user prompt is displayed.
2. XShell Logon
Run XShell, select File> New from the menu, and enter the following information as prompted:
Open the created Session
If the setting is correct, the logon succeeds and a user prompt is displayed.
3. Linux client logon Test
Run the following command on the Linux client:

    chmod 600 /root/id_rsa

Then run:

    ssh root@www.vpser.net -i /root/id_rsa

/root/id_rsa is the private key file. The first connection may prompt for confirmation; enter yes, and then enter the key password as prompted. A user prompt appears if there is no problem.
4. Modify the sshd service configuration of the remote Linux server
1. Modify the /etc/ssh/sshd_config file
Change PasswordAuthentication yes to PasswordAuthentication no
2. Restart the sshd service.
On Debian/Ubuntu run:

    /etc/init.d/ssh restart

On CentOS run:

    /etc/init.d/sshd restart
OK. The setting is complete.
Make sure that you keep the PuTTY private key file id_rsa.ppk or the id_rsa private key file downloaded from the Linux server.
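The checks behind sections 2 and 4, as an added example that is not part of the original article: a shell script that reads sshd_config the way sshd does, where the first value given for a keyword wins, and confirms the authorized_keys permissions before PasswordAuthentication is switched off. The function names are hypothetical, GNU stat is assumed, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: pre-flight checks before setting "PasswordAuthentication no".
# Assumes GNU stat (Linux) and "Keyword value" lines; Include files and
# Match blocks are not evaluated. Function names are hypothetical.

# Print the value sshd would use for a global keyword. sshd keeps the FIRST
# value it reads for each keyword, so a later duplicate line has no effect.
effective_value() {  # usage: effective_value <sshd_config> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        tolower($1) == "match" { exit }      # global section ends at first Match
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Succeed only if authorized_keys is present, non-empty and mode 600 (as set
# in the tutorial), inside a directory that only its owner can enter (700).
check_key_perms() {  # usage: check_key_perms <ssh_dir>
    keys="$1/authorized_keys"
    [ -s "$keys" ] || { echo "missing or empty: $keys"; return 1; }
    [ "$(stat -c %a "$1")" = "700" ] || { echo "$1 should be mode 700"; return 1; }
    [ "$(stat -c %a "$keys")" = "600" ] || { echo "$keys should be mode 600"; return 1; }
}

# Succeed only if key login is usable, so that disabling passwords cannot
# lock you out of the server.
safe_to_disable_passwords() {  # usage: safe_to_disable_passwords <sshd_config> <ssh_dir>
    pubkey=$(effective_value "$1" PubkeyAuthentication)
    # sshd defaults PubkeyAuthentication to yes when the keyword is absent
    [ "${pubkey:-yes}" = "yes" ] || { echo "PubkeyAuthentication is $pubkey"; return 1; }
    check_key_perms "$2"
}

# Run against the live files (needs root to read them):
#   safe_to_disable_passwords /etc/ssh/sshd_config /root/.ssh && echo "OK"
# After editing and before restarting sshd, confirm the edit took effect:
#   [ "$(effective_value /etc/ssh/sshd_config PasswordAuthentication)" = "no" ]
```

Keep the existing SSH session open while restarting sshd and test the key login from a second window, so a mistake can still be corrected.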