SSH key-based logon and password-disabled logon practices

Source: Internet
Author: User

Preface

Whether it is a personal VPS or an enterprise server that is reachable from the public network, if SSH password authentication is enabled on port 22, it is common for the password to be cracked by hackers. Enterprises can restrict access with firewalls. Ordinary users can also take protective measures such as changing port 22 and replacing weak passwords. However, a relatively safe and simple solution at present is to have SSH log on with a key and to disable password logon.

This is the most secure login management method.

Update history

April July 07, 2015 - first draft

http://wsgzao.github.io/post/ssh/

Additional reading

SSH principle and application - http://www.ruanyifeng.com/blog/2011/12/ssh_remote_login.html
Linode - https://www.linode.com/docs/networking/ssh/use-public-key-authentication-with-ssh

Generate a public key

We recommend that you set a passphrase and remember it. The following uses Linux as an example.

Linux: ssh-keygen -t rsa
[Private key (id_rsa) and public key (id_rsa.pub)]
Windows: SecureCRT/Xshell/PuTTY
[SSH-2 RSA 2048]

# Generate an SSH key pair
ssh-keygen -t rsa
Generating public/private rsa key pair.
# We recommend that you press Enter to use the default path
Enter file in which to save the key (/root/.ssh/id_rsa):
# Enter the passphrase (press Enter to leave it blank)
Enter passphrase (empty for no passphrase):
# Repeat the passphrase
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
aa:8b:61:13:38:ad:b5:49:ca:51:45:b9:77:e1:97:e1 root@localhost.localdomain
The key's randomart image is:
[randomart image, RSA 2048]

Copy key pair

You can also manually create a directory and authorized_keys on the client.

# Copy the public key to the server that you want to log on to without a password.
# If port 22 has been changed, run the following command instead:
# ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 10022 user@server"
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.15.241

Modify the SSH configuration file

# Edit the sshd_config file
vi /etc/ssh/sshd_config
# Disable password authentication
PasswordAuthentication no
# Enable key authentication
# (RSAAuthentication applies to SSH protocol 1 only and is deprecated in newer OpenSSH releases)
RSAAuthentication yes
PubkeyAuthentication yes
# Specify the file that holds the authorized public keys
AuthorizedKeysFile .ssh/authorized_keys

We recommend that you keep an additional SSH session open before restarting the SSH service, so that you are not locked out if the new configuration is wrong.

# RHEL/CentOS
service sshd restart
# Ubuntu
service ssh restart
# Debian
/etc/init.d/ssh restart
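
As an added example (not part of the original article), the following script checks a configuration file for the settings above before the service is restarted. It assumes that only global settings matter (Include files and Match blocks are not evaluated); the function names and the sample files are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): offline check of an sshd_config
# for the two settings changed above. sshd uses the FIRST value it reads for a
# keyword, and a commented-out line leaves the built-in default in force.

# Print the effective global value of keyword $1 in file $2, else default $3.
# Assumption: Include files are not followed, and parsing stops at the first
# Match line so that only global settings are considered.
sshd_effective() {
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # end of global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# Return 0 only if password logon is off and key logon is on.
audit_sshd_config() {
    pw=$(sshd_effective PasswordAuthentication "$1" yes)  # sshd default: yes
    pk=$(sshd_effective PubkeyAuthentication "$1" yes)    # sshd default: yes
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    [ "$pw" = "no" ] && [ "$pk" = "yes" ]
}

# Constructed sample files (hypothetical names), written to directory $1.
make_samples() {
    printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
        'AuthorizedKeysFile .ssh/authorized_keys' > "$1/good"
    printf '%s\n' '#PasswordAuthentication no' 'PubkeyAuthentication yes' \
        > "$1/commented"
    printf '%s\n' 'PasswordAuthentication yes' 'PubkeyAuthentication yes' \
        'PasswordAuthentication no' > "$1/shadowed"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in good commented shadowed; do
    if audit_sshd_config "$demo_dir/$f"; then
        echo "$f: key-only logon"
    else
        echo "$f: does not enforce key-only logon"
    fi
done
```

On a real host, sshd -t checks the file for syntax errors and sshd -T prints the settings that sshd will actually use.
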
Manually add management users

You can add a user comment after the = at the end of the key to make the entries easier to manage.

# Append (>>) so that existing keys in the file are not overwritten
echo 'ssh-rsa XXX' >> /root/.ssh/authorized_keys
# Review
cat /root/.ssh/authorized_keys
