Article Directory
The sshd service supports two authentication methods:
1. Password verification Verify
the login name and password of the local system user in the server. Simple, but may be brute-forced
2. Key pair verification The
matching key information is required to pass the verification. Usually, a pair of key files (public key, private key) are created in the client first, and then the public key file is placed in the specified location on the server. When logging in remotely, the system will use the public key and private key to verify the encryption/decryption association. Can enhance security, and can avoid interactive login.
当密码验证、密钥对验证都启用时,服务器将优先使用密钥对验证。可根据实际情况设置验证方式。
vim /etc/ssh/sshd_config
PasswordAuthentication yes #启用密码验证
PubkeyAuthentication yes #启用密钥对验证
AuthorizedKeysFile .ssh/authorized_keys #指定公钥库文件
Configure key pair verification (Method 1)
1. Create a key pair on the client
通过ssh-keygen工具为当前用户创建密钥对文件。可用的加密算法为RSA、ECDSA或DSA等(ssh-keygen命令的“-t”选项用于指定算法类型)。
useradd admin
echo "123123" | passwd --stdin admin
su - admin
ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa): #指定私钥位置,直接回车使用默认位置
Created directory '/home/admin/.ssh'. #生成的私钥、公钥文件默认存放在宿主目录中的隐藏目录.ssh/下
Enter passphrase (empty for no passphrase): #设置私钥的密码
Enter same passphrase again: #确认输入
ls -l .ssh/id_ecdsa*
#id_ecdsa是私钥文件,权限默认为600;id_ecdsa.pub是公钥文件,用来提供给 SSH 服务器
2. Upload the public key file to the server
scp ~/.ssh/id_ecdsa.pub root@192.168.80.10:/opt
3. Import the public key text in the server
mkdir /home/zhangsan/.ssh/
cat /opt/id_ecdsa.pub >> /home/zhangsan/.ssh/authorized_keys
cat /home/zhangsan/.ssh/authorized_keys
4. Use key pair authentication on the client
ssh zhangsan@192.168.80.10
lisi@192.168.80.10's password: #输入私钥的密码
5. Set the ssh proxy function on the client to realize interactive login
ssh-agent bash
ssh-add
Enter passphrase for /home/admin/.ssh/id_ecdsa: #输入私钥的密码
ssh zhangsan@192.168.80.10
Configure key pair verification (Method 2)
1. Create a key pair on the client
通过ssh-keygen工具为当前用户创建密钥对文件。可用的加密算法为RSA、ECDSA或DSA等(ssh-keygen命令的“-t”选项用于指定算法类型)。
ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa): #指定私钥位置,直接回车使用默认位置
Created directory '/home/admin/.ssh'. #生成的私钥、公钥文件默认存放在宿主目录中的隐藏目录.ssh/下
Enter passphrase (empty for no passphrase): #设置私钥的密码
Enter same passphrase again: #确认输入
ls -l .ssh/id_ecdsa*
#id_ecdsa是私钥文件,权限默认为600;id_ecdsa.pub是公钥文件,用来提供给 SSH 服务器
2. Upload the public key file to the server
此方法可直接在服务器的/home/zhangsan/.ssh/目录中导入公钥文本
cd ~/.ssh/
ssh-copy-id -i id_ecdsa.pub zhangsan@192.168.80.10
4. Use key pair authentication on the client
ssh zhangsan@192.168.80.10
lisi@192.168.80.10's password: #输入私钥的密码
5. Set the ssh proxy function on the client to realize interactive login
ssh-agent bash
ssh-add
Enter passphrase for /home/admin/.ssh/id_ecdsa: #输入私钥的密码
ssh zhangsan@192.168.80.10
