Generally, SSH clients such as PuTTY are used to remotely manage Linux servers. However, the usual password login is prone to brute-force password guessing, so the common countermeasures are to move SSH from the default port 22 to another port, or to disable root login. There is in fact a better way to secure the server while still allowing safe remote login as root: logging in with a key.
Key login works like this: a key generator creates a pair of keys, a public key and a private key. The public key is added to an account on the server, and the client then uses the private key to authenticate and log in. Without the private key, nobody can log into the system remotely by brute-forcing your password over SSH. The same private key also works for any other account, or even another host, to which the public key has been copied.
Here's how to create a key pair on a Linux server, add the public key to the account, set up SSH, and finally log in through the client.
1. Make a key pair
Start by creating a key pair on the server. Log in with the password to the account you intend to use with the key, then execute the following command:
[root@host ~]$ ssh-keygen <== create key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <== press Enter
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): <== Enter the passphrase, or press Enter to leave it blank
Enter same passphrase again: <== Enter the passphrase again
Your identification has been saved in /root/.ssh/id_rsa. <== private key
Your public key has been saved in /root/.ssh/id_rsa.pub. <== public key
The key fingerprint is:
0f:d3:e7:1a:1c:bd:5c:03:f1:19:f1:22:df:9b:cc:08 root@host
The passphrase must be entered whenever the private key is used, so the key is still protected if the file is stolen. Of course, it can also be left blank to get passwordless login.
Now, a hidden .ssh directory with two key files is generated in the root user's home directory. id_rsa is the private key, and id_rsa.pub is the public key.
2. Install the public key on the server
Install the public key on the server by typing:
[root@host ~]$ cd .ssh
[root@host .ssh]$ cat id_rsa.pub >> authorized_keys
This completes the installation of the public key. To ensure a successful connection, please ensure the following file permissions are correct:
[root@host .ssh]$ chmod 600 authorized_keys
[root@host .ssh]$ chmod 700 ~/.ssh
3. Set up SSH and turn on the key login function
Edit the /etc/ssh/sshd_config file and make the following settings:
RSAAuthentication yes
PubkeyAuthentication yes
Note that RSAAuthentication only ever applied to SSH protocol 1; recent OpenSSH versions ignore it with a deprecation warning, and PubkeyAuthentication is the setting that matters.
Also check whether the root user is permitted to log in via SSH:
PermitRootLogin yes
If root should only ever log in with a key, the value prohibit-password (spelled without-password in OpenSSH releases before 7.0) allows root key login while rejecting root password login.
Only after you have completed all the settings and successfully logged in with the key (keep that working session open) should you disable password login:
PasswordAuthentication no
Finally, restart the SSH service:
[root@host .ssh]$ service sshd restart
4. Download the private key to the client and convert it to a format that PuTTY can use
Use WinSCP, SFTP or a similar tool to download the private key file id_rsa to the client machine. Then open PuTTYgen, click the Load button under Actions, and load the private key file you just downloaded. If you set a passphrase, you must enter it now.
Once the key is loaded, PuTTYgen displays its details. Type a description of the key in the Key comment field, then click the Save private key button to save the private key in a format that PuTTY can use.
From then on, when you log in with PuTTY, select your private key file under Private key file for authentication: in Connection -> SSH -> Auth in the left-hand tree, and then log in. During login you only need to enter the key's passphrase, if you set one.
5. If you no longer need key authentication, re-enable password login in sshd_config first (otherwise you will lock yourself out), then delete the related files created under ~/.ssh.
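As an added example that is not part of the original article: a small POSIX shell pre-flight check that verifies, for one account, what steps 2 and 3 set up (the .ssh and authorized_keys permissions, an installed public key line, and PubkeyAuthentication enabled) before you turn password login off. The sample account, the fake key blob and the sshd_config it creates are constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added pre-flight check (not from the original article): before setting
# "PasswordAuthentication no", confirm the prerequisites from steps 2 and 3
# for one account so you cannot lock yourself out. Assumes POSIX sh, find, grep.

# True if $1 exists and has exactly the octal mode $2 (e.g. 700).
has_mode() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# True if config file $1 has an uncommented "$2 $3" directive line.
config_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# Check one account's home directory ($1) against sshd_config ($2).
# Prints one FAIL line per problem and returns non-zero if any failed.
check_key_login() {
    acct="$1"; cfg="$2"; rc=0
    has_mode "$acct/.ssh" 700 ||
        { echo "FAIL: $acct/.ssh must be mode 700"; rc=1; }
    has_mode "$acct/.ssh/authorized_keys" 600 ||
        { echo "FAIL: $acct/.ssh/authorized_keys missing or not mode 600"; rc=1; }
    # At least one key line: a key type followed by a base64 blob.
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*' \
        "$acct/.ssh/authorized_keys" 2>/dev/null ||
        { echo "FAIL: no public key line in authorized_keys"; rc=1; }
    config_has "$cfg" PubkeyAuthentication yes ||
        { echo "FAIL: sshd_config lacks 'PubkeyAuthentication yes'"; rc=1; }
    return "$rc"
}

# Build a constructed sample account under $1 (the key blob is fake, not a
# real key) and a constructed sshd_config at $2, set up as steps 2-3 describe.
make_sample() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedFakeKeyBlob= root@host" \
        > "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
    printf '%s\n' 'PubkeyAuthentication yes' 'PermitRootLogin yes' > "$2"
}

# Demo: the correct setup passes; the same account with a world-readable
# authorized_keys (a common slip after copying the file) fails.
tmp=$(mktemp -d)
make_sample "$tmp/home" "$tmp/sshd_config"
check_key_login "$tmp/home" "$tmp/sshd_config" && echo "OK: safe to disable password login"
chmod 644 "$tmp/home/.ssh/authorized_keys"
check_key_login "$tmp/home" "$tmp/sshd_config" || echo "NOT OK: fix the items above first"
rm -rf "$tmp"
```

Run it as the account in question with its real home directory and /etc/ssh/sshd_config once the demo output looks right.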