[Linux] How to disable password login and allow only keys to establish an SSH connection

Source: Internet
Author: User

1. Create an SSH key

Use ssh-keygen to generate a key pair and register the public key in the server's $HOME/.ssh/authorized_keys file.

2. Ensure that SSH public key authentication is enabled

Check the /etc/ssh/sshd_config file to make sure the following two settings are yes:

RSAAuthentication yes
PubkeyAuthentication yes

Generally they are yes by default. If not, change them to yes, save the file, and restart the SSH service:

$ sudo service ssh reload

3. Disable password authentication

Edit the /etc/ssh/sshd_config file and make sure that the following appears in the file:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Save and restart the SSH service:

$ sudo service ssh restart

If you are currently logged in over an SSH connection, restarting the service may fail; in that case you can try restarting the system.

4. Disable password login under specific conditions

Sometimes we do not want to prohibit password login for all users. In that case, the sshd_config file can be configured so that the login settings apply only to specific targets.

Use $ man sshd_config to view the help information. sshd_config supports adding Match blocks to the file: if the conditions on the Match line are satisfied, the keywords on the following lines are applied one after another, until another Match keyword or the end of the file is reached. For this reason, Match blocks are generally added at the end of the sshd_config file.

The criteria supported by the Match keyword include User, Group, Host, and Address. A condition's pattern can be a single string, multiple patterns are separated by commas, and wildcard characters (*) and negation (!) can be used.

The Address pattern can be in CIDR (address/mask) format, for example: 192.0.2.0/24 or 3ffe:ffff::/32.

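For example, to prohibit user foo and members of user group bar from logging in with a password, add the following at the end of the /etc/ssh/sshd_config file. Each condition gets its own Match block, because criteria placed on the same Match line must all be satisfied together:

Match User foo
    PasswordAuthentication no
Match Group bar
    PasswordAuthentication no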

To prohibit all users other than user foo from logging in with a password:

Match User *,!foo
    PasswordAuthentication no

The keywords supported inside a Match block include:

AllowAgentForwarding, AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, ChrootDirectory, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, KerberosAuthentication, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel, PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding, X11UseLocalhost.
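
To confirm which values sshd will actually apply to a given user once the Match blocks from step 4 are evaluated, the effective configuration can be printed with sshd -T and checked before the service is restarted. The script below is an added example, not part of the original article; the function names, the default host and address, and the sample output are constructed for illustration.

```shell
#!/bin/sh
# check_keys_only: read `sshd -T` output on stdin and return 0 only when the
# values from steps 2 and 3 are in effect. Every mismatch is printed.
check_keys_only() {
    awk '
    BEGIN {
        want["pubkeyauthentication"] = "yes"
        want["passwordauthentication"] = "no"
        want["kbdinteractiveauthentication"] = "no"
        want["usepam"] = "no"
    }
    {
        k = tolower($1); v = tolower($2)
        # Older OpenSSH reports this setting under its previous name.
        if (k == "challengeresponseauthentication") k = "kbdinteractiveauthentication"
        # Keep a wrong value once seen, so one bad line is enough to fail.
        if (k in want && (!(k in got) || v != want[k])) got[k] = v
    }
    END {
        bad = 0
        for (k in want) {
            g = (k in got) ? got[k] : "unset"
            if (g != want[k]) {
                printf "%s: expected %s, got %s\n", k, want[k], g
                bad = 1
            }
        }
        exit bad
    }'
}

# effective_for USER [HOST] [ADDR]: ask sshd which values apply to that
# connection after Match blocks are evaluated (run as root).
effective_for() {
    sshd -T -C "user=$1,host=${2:-localhost},addr=${3:-127.0.0.1}"
}

# Constructed sample of `sshd -T` output (not from a real host).
SAMPLE_FOO='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam no'

if [ "$#" -ge 1 ]; then
    effective_for "$@" | check_keys_only && echo "$1: key-only login in effect"
else
    printf '%s\n' "$SAMPLE_FOO" | check_keys_only && echo "sample: key-only login in effect"
fi
```

Called as root with a user name (and optionally a host and address), it checks the live configuration for that connection; with no arguments it runs on the constructed sample.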

  

  
