Set Public Key Authentication for SFTP/SSH/SCP access

Source: Internet
Author: User

What is Public Key authentication? It is an authentication method that, like the common user name and password method, lets the server identify the client. The difference is that a long encryption key is kept on the client machine, and the corresponding configuration is made on the server side. When the client connects, the server checks its configuration and identifies the client based on the user name the client presents. Put plainly, it provides password-free access while keeping the login secure.

The authentication process, in brief: the Public key can only encrypt data, and only the matching Private key can decrypt data encrypted with that Public key. We place the Public key in the appropriate location on the remote system and then start the local ssh connection. The remote sshd generates a random number, encrypts it with the stored Public key and sends it to the local machine. The local machine decrypts the random number and sends it back to the remote system. Finally, the remote sshd concludes that we hold the matching Private key and allows us to log on.

Client configuration 1. Log on with the client user and run the command "ssh-keygen -t dsa" to generate the Public Key and Private Key, for example:
[root@someserver ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): /root/.ssh/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
blah:blah root@someserver

2. Set permissions (the key files are named id_dsa and id_dsa.pub if you generated a DSA key as above; id_rsa and id_rsa.pub for an RSA key):
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

Server Configuration 1. Find the sshd_config file in /etc/, /etc/ssh/ or /etc/conf.d/ and open it in the vi editor.
2. Enable RSAAuthentication and PubkeyAuthentication, and specify the location of the authorized_keys file. The settings are as follows:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile ~/.ssh/authorized_keys
3. Save the updated sshd_config file and run the command "service sshd restart" to restart the service. The way services are restarted differs between Linux versions; see: http://theos.in/desktop-linux/tip-that-matters/how-do-i-restart-linux-network-service/
4. The three steps above only enable the password-free authentication function. For it to take effect, the Public Key generated on the client must be added to the server's authorized_keys file: copy the contents of the id_rsa.pub file generated earlier on the client into authorized_keys. If there are multiple clients, copy the Public Key generated by each client, one client per line, ending each entry with a line feed.

Test 1. Log on to the client and run the command "ssh username@servername"; run "ssh -vvv -o PreferredAuthentications=publickey username@servername" to force the Public Key authentication method.
2. To test SFTP, run the command "sftp username@servername".

Note: The .ssh directory must be owned by the current user and that user's group.
Keep the .ssh directory at 700.
The authorized_keys permission is 644.
The id_rsa permission is 600.
The id_rsa.pub permission is 644.
Check that the user's $HOME directory permission is 755.
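The following script is an added example, not code from the original article: it appends a client's public key to a user's authorized_keys the way step 4 describes (one key per line, no duplicates, no two keys glued onto one line) and then checks the permission rules listed in the note above. The home directory, the file names and the sample key are constructed for the demo; the key is not a real key.

```shell
# Added example, not the article's own code: append a client's public key to a
# user's authorized_keys (one key per line, no duplicates) and check the
# permission rules from the note above. The home dir and key are constructed.

# install_authorized_key HOME_DIR PUBKEY_LINE
install_authorized_key() {
    sshdir="$1/.ssh"; authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authkeys"
    # Idempotent: skip when this exact line is already present.
    if ! grep -qxF "$2" "$authkeys"; then
        # If the existing last line lacks a newline, add one first; otherwise two
        # keys end up glued on one line and sshd rejects both.
        if [ -s "$authkeys" ] && [ "$(tail -c1 "$authkeys" | wc -l)" -eq 0 ]; then
            printf '\n' >> "$authkeys"
        fi
        printf '%s\n' "$2" >> "$authkeys"
    fi
    chmod 644 "$authkeys"
}

# expect_mode PATH MODE: compare the octal permission bits of PATH with MODE.
expect_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$actual" = "$2" ] && return 0
    echo "bad mode on $1: have $actual, want $2"; return 1
}

# check_ssh_perms HOME_DIR: 0 when home is 755, .ssh 700, authorized_keys 644,
# private keys 600 and public keys 644; 1 otherwise (one message per violation).
check_ssh_perms() {
    rc=0
    expect_mode "$1" 755 || rc=1
    expect_mode "$1/.ssh" 700 || rc=1
    expect_mode "$1/.ssh/authorized_keys" 644 || rc=1
    for f in "$1"/.ssh/id_*; do          # id_dsa, id_rsa, *.pub ... if present
        [ -e "$f" ] || continue
        case "$f" in
            *.pub) expect_mode "$f" 644 || rc=1 ;;
            *)     expect_mode "$f" 600 || rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a throw-away "server-side" home directory.
demo_home=$(mktemp -d); chmod 755 "$demo_home"
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEONLY client@workstation'  # constructed
install_authorized_key "$demo_home" "$SAMPLE_KEY"
install_authorized_key "$demo_home" "$SAMPLE_KEY"   # second run must add nothing
check_ssh_perms "$demo_home" && echo "permissions OK under $demo_home"
```

Run it on the server as the target user with the real home directory and the client's id_dsa.pub (or id_rsa.pub) line in place of SAMPLE_KEY.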

References:
http://tutorialgenius.blogspot.hk/2012/02/unixlinux-setting-up-public-key.html
http://blog.csdn.net/goalking019/article/details/4925696
http://www.comodo.com/resources/small-business/digital-certificates2.php
