SSH key-based logon and password-disabled logon practices
Preface
Whether it is a personal VPS or an enterprise server that is reachable from the public network, leaving SSH password authentication enabled on port 22 means it will be hammered by brute-force attempts, and a weak password will eventually be cracked. Enterprises can restrict access with a firewall, and individual users often rely on changing the port, avoiding weak passwords and similar measures, but the safest and simplest solution today is to enable key-based SSH logon and disable password logon.
This is the most secure login management method.
Update history
April July 07, 2015-first draft
http://wsgzao.github.io/post/ssh/
Additional reading
- SSH principle and application: http://www.ruanyifeng.com/blog/2011/12/ssh_remote_login.html
- Linode, Use Public Key Authentication with SSH: https://www.linode.com/docs/networking/ssh/use-public-key-authentication-with-ssh

Generate a public key
We recommend that you set a passphrase on the key and keep it in mind. Linux is used as the example below.
Linux: ssh-keygen -t rsa
[Private key (id_rsa) and public key (id_rsa.pub)]
Windows: SecureCRT/Xshell/PuTTY
[SSH-2 RSA 2048]
```
# Generate an SSH key pair
ssh-keygen -t rsa
Generating public/private rsa key pair.
# We recommend that you press Enter to use the default path
Enter file in which to save the key (/root/.ssh/id_rsa):
# Enter the passphrase (press Enter to leave it empty)
Enter passphrase (empty for no passphrase):
# Repeat the passphrase
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
aa:8b:61:13:38:ad:b5:49:ca:51:45:b9:77:e1:97:e1 root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|.o.              |
| ....            |
|... o            |
| o... o E        |
| o. =. S.        |
|. *. +.          |
| o. *.           |
|. +.             |
|. o.             |
+-----------------+
```
Copy key pair
Instead of using ssh-copy-id, you can also create the ~/.ssh directory and the authorized_keys file by hand on the remote host.
```
# Copy the public key to the server; you are asked for the password once, after that the key is used.
# If port 22 has been changed, run the following form instead:
# ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 10022 user@server"
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.15.241
```
Modify the SSH configuration file
```
# Edit the sshd_config file
vi /etc/ssh/sshd_config
# Disable password authentication
PasswordAuthentication no
# Enable key authentication
RSAAuthentication yes
PubkeyAuthentication yes
# Specify the authorized keys file
AuthorizedKeysFile .ssh/authorized_keys
```
We recommend that you keep a second session open before restarting the SSH service, so that a mistake in the configuration does not lock you out.
```
# RHEL/CentOS
service sshd restart
# Ubuntu
service ssh restart
# Debian
/etc/init.d/ssh restart
```
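The edits above are easy to get wrong by hand: an active `PasswordAuthentication yes` left further down the file wins over a commented-out line, and a setting placed after a `Match` block only applies inside that block. The script below is an added example (it is not from the original post) that applies the same three settings idempotently to a copy of sshd_config and then reads back the value sshd will actually use. It adds `ChallengeResponseAuthentication no` as well, because on PAM-based systems keyboard-interactive authentication can still prompt for a password after `PasswordAuthentication no`; the sample config it runs on is constructed for the demo.

```shell
#!/bin/sh
# set_sshd_option FILE KEY VALUE
# Puts "KEY VALUE" at the top of FILE (before any Match block) and comments out
# every earlier active line for KEY. sshd uses the first active occurrence of a
# keyword, so this guarantees the new value wins. Keywords are case-insensitive.
set_sshd_option() {
    file=$1; key=$2; value=$3; tmp="$file.tmp"
    awk -v k="$key" -v v="$value" '
        BEGIN { print k " " v }                    # new setting first
        tolower($1) == tolower(k) { print "#" $0; next }   # disable old active copies
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_effective FILE KEY DEFAULT
# Prints the value sshd would use: the first active line for KEY, else DEFAULT.
sshd_effective() {
    file=$1; key=$2; default=$3
    awk -v k="$key" -v d="$default" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }
    ' "$file"
}

# harden_sshd_config FILE
# Key-only logon: no passwords, no PAM keyboard-interactive password prompts.
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
}

# demo: run against a constructed sample config (never the live file) and show the result
demo_sshd_hardening() {
    sample=$(mktemp)
    printf '#PasswordAuthentication yes\nPasswordAuthentication yes\nPort 22\n' > "$sample"
    harden_sshd_config "$sample"
    echo "PasswordAuthentication -> $(sshd_effective "$sample" PasswordAuthentication yes)"
    echo "PubkeyAuthentication   -> $(sshd_effective "$sample" PubkeyAuthentication yes)"
    rm -f "$sample"
}
```

On a real host, run it against a copy (`cp /etc/ssh/sshd_config /tmp/sshd_config.new`), check the syntax with `sshd -t -f /tmp/sshd_config.new`, and compare `sshd -T` output before and after moving the file into place; only then restart the service, with the second session still open.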
Manually add management users
You can put a comment after the key data (after the trailing = of the base64 blob) to record which user or machine the key belongs to, which makes the file easier to manage.
```
# Append the key; >> keeps the keys already in the file, > would replace them all
echo 'ssh-rsa XXX' >> /root/.ssh/authorized_keys
# Review
cat /root/.ssh/authorized_keys
```
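Appending by hand works, but it is easy to add the same key twice, paste something that is not a public key at all, or leave ~/.ssh with permissions that make sshd silently ignore the file (StrictModes). The function below is an added example, not code from the original post: it validates the key type, refuses duplicates by comparing the base64 key material, appends with >> so existing keys survive, and sets the 700/600 permissions sshd expects. The key values used in the demo are constructed and not real keys.

```shell
#!/bin/sh
# add_authorized_key HOME_DIR 'type base64data [comment]'
# Returns 0 when the key was added, 1 when it was already present, 2 on a malformed key.
add_authorized_key() {
    home=$1; pubkey=$2
    dir="$home/.ssh"; file="$dir/authorized_keys"

    # Split the key line into its fields: type, base64 blob, optional comment.
    set -- $pubkey
    keytype=$1; blob=$2
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $keytype" >&2; return 2 ;;
    esac
    [ -n "$blob" ] || { echo "missing key data" >&2; return 2; }

    # sshd ignores authorized_keys if the directory or file is group/world writable.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"

    # Compare the key material only, so the same key with a different comment is still a duplicate.
    if grep -Fq -- "$blob" "$file"; then
        return 1
    fi
    printf '%s\n' "$pubkey" >> "$file"   # >> appends; > would wipe every other key
    return 0
}

# list_authorized_keys HOME_DIR
# Prints "type comment" for each active key, for a quick review of who has access.
list_authorized_keys() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1, ($3 ? $3 : "(no comment)") }' "$1/.ssh/authorized_keys"
}

# demo on a throwaway directory with constructed (not real) key data
demo_authorized_keys() {
    d=$(mktemp -d)
    add_authorized_key "$d" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyDataNotARealKey00 alice@laptop'
    add_authorized_key "$d" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyDataNotARealKey00 alice@desktop' \
        || echo "duplicate key material rejected (exit $?)"
    list_authorized_keys "$d"
    rm -rf "$d"
}
```

Run `list_authorized_keys /root` whenever you review access; a key without a comment is exactly the kind of entry nobody remembers adding.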