Generate key pair
Use ssh-keygen to generate a key pair. For example, to generate a 4096-bit key pair using the DSA encryption algorithm, enter the following command (for detailed parameters, see man ssh-keygen):
# ssh-keygen -b 4096 -t dsa
% ssh-keygen -b 4096 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/fdy84/.ssh/id_dsa): (The path where the key pair is stored. The default path is in brackets)
Created directory '/home/fdy84/.ssh'.
Enter passphrase (empty for no passphrase): (Enter the passphrase)
Enter same passphrase again: (Enter the passphrase again. Do not forget it; otherwise you can only generate a new key)
Your identification has been saved in /home/fdy84/.ssh/id_dsa. (Your private key)
Your public key has been saved in /home/fdy84/.ssh/id_dsa.pub. (Your public key)
The key fingerprint is:
bb:1b:f5:1c:77:62:90:21:59:7e:c6:65:e5:24:c6:e5 fdy84@FreeBSD
Key Distribution
Put the private key of the pair you just generated in the ~/.ssh/ directory on your own machine and make sure that its access permission is "-rw-------" (that is, 600). Then place the generated public key in the ~/.ssh/ directory on the remote host you want to connect to, rename it to authorized_keys, and make sure that nobody except the owner is allowed to modify the file.
4. Configure SSH
Configure the server
To start the SSH server, you only need to run
Or add the following line to /etc/rc.conf:
sshd_enable="YES"
The SSH server then starts automatically at each boot.
The configuration file of the SSH server is "/etc/ssh/sshd_config"; the server configuration for both OpenSSH 1.x and 2.x is kept in this file.
Configure the client
To connect from a client to a remote server, you only need to enter
# ssh domain-name (or IP)
For example, to connect as the user fdy84 to a remote server with the IP address 192.168.0.6, enter
# ssh 192.168.0.6 -l fdy84
If the configuration is correct, you can connect to the remote server.
1. Use SecureCRT to create the private key and public key.
SecureCRT: Quick Connect -> Authentication -> PublicKey -> Properties -> Create Identity File -> DSA/RSA -> Set Passphrase -> Done
Two files are now generated in the specified directory, for example, the private key my_rsa and the public key my_rsa.pub.
2. Create a .ssh directory on the Linux server. Normally, this directory already exists.
# mkdir /root/.ssh
# chmod 700 /root/.ssh
3. Upload the public key my_rsa.pub to the Linux server and convert the public key from the SSH2-compatible format to the OpenSSH-compatible format.
# ssh-keygen -i -f identity.pub > /root/.ssh/authorized_keys2
# chmod 600 /root/.ssh/authorized_keys2
4. Set the logon mode to PublicKey in SecureCRT and select the my_rsa file you just created as the private key.
5. Restart the SSH server on the Linux server
# service sshd restart or /etc/rc.d/init.d/sshd restart
6. Because you have set up a key to log on, you can disable the original password login.
# vi /etc/ssh/sshd_config
# Only SSH2 is allowed
Protocol 2
# Enable public-key authentication
PubkeyAuthentication yes
# Public-key file path
AuthorizedKeysFile .ssh/authorized_keys2
# Password login is prohibited
PasswordAuthentication no
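The file permissions from the key distribution step and the sshd_config values from step 6 can be checked with a short script. This is an added example, not part of the original article; the function names (mode_of, check_mode, effective_value, audit_ssh) are made up for illustration, and all paths are passed in as arguments.

```sh
#!/bin/sh
# Added example: audits the file modes and sshd_config values used in this
# walkthrough. Function names are illustrative; paths are passed as arguments.

# mode_of PATH: print the 10-character mode string from ls, e.g. "-rw-------".
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# check_mode PATH EXPECTED: return 0 on match, otherwise report and return 1.
check_mode() {
    actual=$(mode_of "$1")
    [ "$actual" = "$2" ] && return 0
    echo "FAIL $1: mode '${actual:-missing}', expected '$2'"
    return 1
}

# effective_value FILE KEYWORD: print the value sshd would use. Keywords are
# case-insensitive and the first occurrence wins, so a later line does not
# override an earlier one. Match blocks and "Keyword=value" are not handled.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_ssh SSH_DIR PRIVATE_KEY AUTHORIZED_KEYS SSHD_CONFIG
# Exit status is the number of findings (0 means everything matches).
audit_ssh() {
    fails=0
    check_mode "$1" "drwx------" || fails=$((fails + 1))   # chmod 700
    check_mode "$2" "-rw-------" || fails=$((fails + 1))   # chmod 600
    check_mode "$3" "-rw-------" || fails=$((fails + 1))   # chmod 600
    # The walkthrough sets both values explicitly, so "unset" is reported too.
    for want in "PubkeyAuthentication=yes" "PasswordAuthentication=no"; do
        key=${want%%=*}
        val=${want#*=}
        got=$(effective_value "$4" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL $4: $key is '${got:-unset}', expected '$val'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Example: audit_ssh ~/.ssh ~/.ssh/id_dsa ~/.ssh/authorized_keys2 /etc/ssh/sshd_config
if [ "$#" -eq 4 ]; then audit_ssh "$@"; fi
```

Because sshd takes the first occurrence of a keyword, a "PasswordAuthentication yes" line earlier in the file keeps password login enabled even when "PasswordAuthentication no" is appended below it; the script reports that case.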
PS: The steps above use the key pair generated by SecureCRT for login verification. You can also use a key generated by the ssh-keygen command on the server: after the key pair is generated, convert it to the SSH2 format used by SecureCRT.
Chen Xu: the key format conversion in step 3 is easy to overlook. Pay attention to this.
Note that the key pair format generated by SecureCRT is different from the one generated by OpenSSH, and each program recognizes only its own key format. Therefore, when using SecureCRT to connect to OpenSSH, each side must use its own key format. You can generate the key pair with either tool: use ssh-keygen -i to convert a key generated by SecureCRT into the OpenSSH key format, or use ssh-keygen -e to convert an OpenSSH key into the IETF SECSH format that SecureCRT recognizes.
Although SSH provides password-based login, I do not recommend it for security reasons. Given the speed of current machines, we recommend that you use a 4096-bit key to enhance security.