配置CentOS密钥验证登录

用密码登录SSH好不方便,并且安全性不高,为了提升安全性那我们就用密钥登录.

本地环境:OS X,估计是Linux就可以.

1.在远程服务器上创建密钥对.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# create key pair

[cent@dlp ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/cent/.ssh/id_rsa): # 路径默认,直接回车

Created directory '/home/cent/.ssh'.
Enter passphrase (empty for no passphrase): # 设置密钥密码,直接回车,不用设置

Enter same passphrase again:#再次输入密码,直接回车

Your identification has been saved in /home/cent/.ssh/id_rsa.
Your public key has been saved in /home/cent/.ssh/id_rsa.pub.
The key fingerprint is:
38:f1:a4:6d:d3:0e:99:c8:fa:1d:1d:48:86:f0:fe:74 cent@dlp.server.world
The key's randomart image is:

[cent@dlp ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys#将id_rsa.pub中的公钥复制到authorized_keys中

[cent@dlp ~]$ chmod 600 ~/.ssh/authorized_keys #修改authorized_keys权限为拥有者可读写

2.将远程服务器上的私钥下载到本地用于登录远程服务器

以下是本地操作

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
 [cent@www ~]$ mkdir ~/.ssh    #创建文件夹

[cent@www ~]$ chmod 700 ~/.ssh #修改文件夹权限为拥有者可'读,写,执行'
# copy the secret key to local ssh directory

[cent@www ~]$ scp cent@10.0.0.30:/home/cent/.ssh/id_rsa ~/.ssh/ #将远程的私钥下载到本地,这要注意路径,如果用root登录的,路径是:/root/.ssh/id_rsa

cent@10.0.0.30's password: #输入远程服务器密码
id_rsa
[cent@www ~]$ ssh -i ~/.ssh/id_rsa cent@10.0.0.30 #现在就可以用这条命令登录远程服务器了

Enter passphrase for key '/home/cent/.ssh/id_rsa': # 刚才密钥没设置密码,所以不会出现

Last login: Wed Jul 30 21:37:19 2014 from www.server.world
[cent@dlp ~]$ # 登录成功

3.简化登录

本地机器执行下面代码:

1
vi ~/.ssh/config

加入下面一段内容:

1
2
3
4
5
6
Host server  #别名,域名缩写
HostName jingxuetao.com #完整的域名
User root #登录该域名使用的账号名
PreferredAuthentications publickey #加不加都一样,SSH会优先密钥登录
IdentityFile ~/.ssh/id_rsa #私钥文件的路径
#删掉#号后面的中文,包括这句

上面配置完了之后就可以通过ssh server或者ssh jingxuetao.com来登录远程服务器了.

4.关闭密码验证登录

操作远程服务器

1
vi /etc/ssh/sshd_config

找到PasswordAuthentication将其值改为no

1
PasswordAuthentication no

最后用systemctl restart sshd或者service sshd restart重启SSH服务

好了,sshd_config文件中除了配置PasswordAuthentication这条之外其他的并不用配置,还是被注释状态

保存到本地的密钥,最好备份到网盘一份.

本文参考:server-world

–EOF–