SSH use key login and prohibit password login practice

Objective

Whether it is the personal VPS or the enterprise allows public access to the server, if the open 22-Port SSH Password login authentication method, by many hacker violence to guess the broken chrysanthemum can also be a frequent tragedy. Enterprises can be restricted through firewalls, ordinary users may also be modified by 22 port and strengthen the weak password, such as protection, but the relatively safe and simple scenario is to let SSH use key login and prohibit password login.

This is the most relatively secure way to manage logins

Update history

July 07, 2015-First draft

Read the original-http://wsgzao.github.io/post/ssh/

Extended Reading

• SSH principle and application-http://www.ruanyifeng.com/blog/2011/12/ssh_remote_login.html
• Linode-https://www.linode.com/docs/networking/ssh/use-public-key-authentication-with-ssh

Generate PublicKey

It is recommended to set and remember the passphrase passphrase as an example of Linux generation

LINUX:SSH-KEYGEN-T RSA
[Private key (ID_RSA) and public Key (Id_rsa.pub)]
Windows:securcrt/xshell/putty
[SSH-2 RSA 2048]

#生成SSH密钥对SSH-KEYGEN-T rsagenerating public/private RSA key pair.#建议直接回车使用默认路径Enter fileinchWhich to save the key (/ROOT/.SSH/ID_RSA):#输入密码短语 (leave blank then enter directly)Enter Passphrase (empty forNo passphrase):#重复密码短语Enter same passphrase Again:your identification has been savedinch/root/.ssh/id_rsa. Your public key has been savedinch/root/.ssh/id_rsa.pub.the Key fingerprint Is:aa:8B: A: -: -: ad:b5: the: CA:Wuyi: $: B9: the: E1: the: E1 [Email protected]the key' s randomart image is:+--[RSA 2048]----+|          . O.    ||   .. .     .   ||  . . . o O | | O.. . o E | | o.=.      S. ||.         *.+   . ||          O.*. || .           + .  || . O. |+-----------------+

Copy key pair

You can also manually set up directories and Authorized_keys on the client, notice the Modify permissions

#复制公钥到无密码登录的服务器上,22端口改变可以使用下面的命令#ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 10022 [email protected]"ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]192.168.15.241

Modify the SSH configuration file

#编辑sshd_config文件vi /etc/ssh/sshd_config#禁用密码验证PasswordAuthentication no#启用密钥验证RSAAuthentication yesPubkeyAuthentication yes#指定公钥数据库文件AuthorsizedKeysFile .ssh/authorized_keys

It is recommended to keep one more session before restarting the SSH service safekeeping

#RHEL/CentOS系统service sshd restart#ubuntu系统service ssh restart#debian系统/etc/init.d/ssh restart

Manually add administrative users

can be added after = = User Comment Identification easy to manage

echo‘ssh-rsa XXXX‘ >>/root/.ssh/authorized_keys# 复查cat /root/.ssh/authorized_keys

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

SSH use key login and prohibit password login practice