SSH key creation and login configuration

1. SSH basics

SSH (Secure Shell) is a protocol for securely logging in to and accessing remote Linux hosts. The prerequisite is that the remote Linux host has the sshd service deployed and configured (Linux installs this service by default).
The sshd service on the remote Linux host offers two authentication methods for remote login:
1) Password-based authentication: the login is verified with a user account and password.
2) Key-based authentication: a key pair must be generated; the private key of the pair is stored on the client, and the public key is stored on the remote host under the name authorized_keys.

2. Key pair creation and distribution

Assume the remote host's IP address is 192.168.10.10.

1. The client is a Linux system (make sure it can reach the remote host)

1) Create the key pair with the ssh-keygen command

[root@hollowman ~]# ssh-keygen
Generating public/private rsa key pair.
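Enter file in which to save the key (/root/.ssh/id_rsa): (press Enter to accept the default path, or type a path of your own)
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): (press Enter to leave the passphrase empty, or set a passphrase for the key)
Enter same passphrase again: (press Enter again to confirm the empty passphrase, or repeat the new passphrase)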
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d7:1b:9f:65:fd:9b:43:26:c3:8a:26:8f:04:98:2b:0a [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|    o      .    .|
|   o .  S . +   +|
|    . .  .   B *.|
|E. .   .  . o B .|
|o .   ...o .   .o|
|.      .+.     o.|
+-----------------+

At this point the key pair has been created and saved in the /root/.ssh directory; the private key is id_rsa and the public key is id_rsa.pub.

[root@hollowman ~]# ls /root/.ssh/
id_rsa  id_rsa.pub

2) Upload the public key to the remote host

[root@hollowman ~]# ssh-copy-id  192.168.10.10

This command uploads the client's public key (id_rsa.pub) to the /root/.ssh directory on the remote host, where it is automatically named authorized_keys.

3) Note that on the remote host the /root/.ssh directory must have permission 7 (rwx) for its owner, and authorized_keys must have permission 6 (rw-).
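
A way to check the permissions from step 3) on the remote host, as an added example that is not part of the original post. It reads the step as modes 700 and 600 (an assumption), relies on Linux `stat -c`, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux `stat -c`
# (GNU coreutils or BusyBox) and the 700/600 reading of step 3).

# mode_of PATH: print the octal permission bits, e.g. 700
mode_of() { stat -c '%a' "$1"; }

# owner_of PATH: print the numeric uid of the owner
owner_of() { stat -c '%u' "$1"; }

# expect_mode PATH MODE: report and fail if PATH does not have exactly MODE
expect_mode() {
    actual=$(mode_of "$1") || return 1
    [ "$actual" = "$2" ] && return 0
    echo "BAD   $1 has mode $actual, expected $2"
    return 1
}

# check_ssh_perms SSH_DIR: audit the directory and its authorized_keys.
# Returns the number of problems found (0 means the layout is as required).
check_ssh_perms() {
    dir=$1
    keys=$dir/authorized_keys
    problems=0
    [ -d "$dir" ] || { echo "BAD   $dir is not a directory"; return 1; }
    expect_mode "$dir" 700 || problems=$((problems + 1))
    if [ -f "$keys" ] && [ ! -L "$keys" ]; then
        expect_mode "$keys" 600 || problems=$((problems + 1))
        # The key file should belong to the same account as the directory.
        if [ "$(owner_of "$keys")" != "$(owner_of "$dir")" ]; then
            echo "BAD   $keys and $dir have different owners"
            problems=$((problems + 1))
        fi
    else
        echo "BAD   $keys is missing or not a regular file"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# fix_ssh_perms SSH_DIR: apply the modes that check_ssh_perms expects
fix_ssh_perms() {
    chmod 700 "$1" && chmod 600 "$1/authorized_keys"
}

# Usage on the remote host:
#   check_ssh_perms /root/.ssh || fix_ssh_perms /root/.ssh
```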

2. The client is Windows

Connect with an SSH client tool (WinSCP, XShell, PuTTY, etc.); this requires that you can already log in with password-based authentication.

1) Generate a key pair on the remote host and copy the private key to the client (WinSCP can do this), where the SSH client tool imports and uses it.

You can also generate the key pair with the SSH client tool on the client and upload the public key to the remote host (WinSCP can do this as well).

2) Ensure that the public key's path and name on the remote host are correct (/root/.ssh/authorized_keys), and delete the private key (id_rsa) from the remote host

[root@hollowman ~]# cd /root/.ssh
[root@hollowman .ssh]# mv id_rsa.pub authorized_keys
[root@hollowman .ssh]# rm -f id_rsa
[root@hollowman .ssh]# ls
authorized_keys

3) Import the private key (id_rsa) into the SSH client tool on the client and access the remote host through key-based authentication

3. Modify the ssh configuration file (note that it is sshd_config instead of ssh_config)

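[root@hollowman .ssh]# vim /etc/ssh/sshd_config
# Remote login port; the default is 22
Port 22
# Allow key-based login; allowed by default
PubkeyAuthentication yes
# Path and name of the authorized key file, which is why the public key had to be renamed
AuthorizedKeysFile .ssh/authorized_keys
# Allow password-based login; allowed by default
PasswordAuthentication yes
[root@hollowman .ssh]# systemctl restart sshd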

Origin blog.csdn.net/ymz641/article/details/111465813