1. Generate the key file
[root@centos2 ~]# ssh-keygen -t rsa -b 2048
-t specifies the key type, -b specifies the key length
Prompt 1: during execution you are asked where to save the key; the default location is the .ssh/ directory under the current user's home directory
Prompt 2: whether to encrypt the key file
Encrypted: if the key file is encrypted, its password is checked whenever the key file is used, and the key can only be used with the correct password
Not encrypted: the key file can be used directly, and the whole login authentication process requires no password at all, i.e. password-free login
2. Upload the public key to the target server
[root@centos2 ~]# ssh-copy-id [email protected]
3. Log in
[root@centos2 ~]# ssh [email protected]
4. Some optimizations
4.1 Disable password login
Configuration file: /etc/ssh/sshd_config
Options:
PasswordAuthentication no
Note: in the ssh configuration file, a commented-out line does not simply mean the option is inactive; some commented lines show the default value. When you need to change such an option, you must uncomment it
4.2 Disable remote root login
Configuration file: /etc/ssh/sshd_config
Options:
PermitRootLogin no
4.3 Change the default port and restrict the IP ssh listens on
Change the default port: ssh is the tool for managing the server remotely and needs particular protection. If the default TCP port 22 is left unchanged, it is an easy target for attack, so we usually change the port, preferably to a high port (range 1-65535)
Configuration file: /etc/ssh/sshd_config
Options:
Port 25535
ssh -p 25535 [email protected]
Restrict the ssh listening IP: some servers with a higher security level must not be logged in to directly from the external network, only through the local area network. We can set up one machine in the server room that can be reached remotely from external networks, and connect to the other hosts through that machine
Configuration file: /etc/ssh/sshd_config
Options:
ListenAddress 192.168.80.128
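
A way to check that the section 4 options are really in effect, given the note in 4.1 that a commented line only shows a default (added example, not part of the original article). The function names, the sample config and the built-in default values are assumptions of this example.

```sh
# Defaults are upstream OpenSSH values from sshd_config(5); old releases and
# distribution builds may differ. Assumes "Keyword value" lines.
# sshd_effective FILE KEYWORD: print the value sshd would use globally.
sshd_effective() {
    awk -v want="$2" '
        BEGIN {
            want = tolower(want)
            def["passwordauthentication"] = "yes"; def["port"] = "22"
            def["permitrootlogin"] = "prohibit-password"; def["listenaddress"] = "(all)"
            multi["port"] = 1; multi["listenaddress"] = 1
        }
        /^[ \t]*(#|$)/ { next }           # a commented line sets nothing
        tolower($1) == "match" { exit }   # Match blocks are conditional
        tolower($1) == want {
            if (want in multi) {          # Port and ListenAddress may repeat
                out = out (out == "" ? "" : " ") $2
            } else if (out == "") {
                out = $2                  # otherwise first occurrence wins
            }
        }
        END { print (out == "" ? def[want] : out) }
    ' "$1"
}
# sshd_audit FILE: one line per section 4 setting not in effect; returns 1 if any.
sshd_audit() {
    rc=0
    [ "$(sshd_effective "$1" PasswordAuthentication)" = no ] ||
        { echo "PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_effective "$1" PermitRootLogin)" = no ] ||
        { echo "PermitRootLogin is not 'no'"; rc=1; }
    case " $(sshd_effective "$1" Port) " in
        *" 22 "*) echo "sshd still listens on port 22"; rc=1 ;;
    esac
    [ "$(sshd_effective "$1" ListenAddress)" != "(all)" ] ||
        { echo "no ListenAddress, sshd listens on all addresses"; rc=1; }
    return $rc
}
# Constructed sample config (not from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#PasswordAuthentication yes
PermitRootLogin no
PermitRootLogin yes
ListenAddress 192.168.80.128
Match User backup
    PasswordAuthentication no
EOF
sshd_audit "$sample" || true
```

On the sample, the two commented lines are reported because the defaults still apply, and the PasswordAuthentication line inside the Match block is ignored because it only applies to that user.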