SSH key authentication
SSH keys are a reliable and secure alternative to password login.
The private key is retained by the client and should be kept absolutely secret.
The public key is uploaded to a remote server that you want to be able to log into with SSH.
The key is added to a special file, ~/.ssh/authorized_keys, within the user account you will be logging into.
When a client attempts to authenticate using SSH keys, the server can test the client on
whether they are in possession of the private key.
If the client can prove that it owns the private key, a shell session
is spawned or the requested command is executed.
0. Install openssh-server
On the server:
sudo apt-get install openssh-server
Check whether the SSH daemon is running
ps aux | grep sshd
Find the server's IP address
ip addr
From another machine, log in to the server over SSH with a password
ssh username@serverIp
1. Generate a key pair
ssh-keygen
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
By default, this will create a 2048-bit RSA key pair, which is fine for most uses.
The keys are written to /home/username/.ssh/
- private key: id_rsa
- public key: id_rsa.pub
Next, you will be prompted to enter a passphrase for the key.
The passphrase is optional and is used to encrypt the private key file on disk.
It serves as an additional layer of protection in case the private key file is exposed.
If you enter one, you will have to provide it every time you use this key.
2. Upload the public key to the server
Method 1
ssh-copy-id username@remote_host
To use the utility, you simply need to specify the remote host that you would like to connect to and the user account that you have password SSH access to. This is the account where your public SSH key will be copied.
Prerequisite:
you must already have password-based SSH access to your server.
Method 2
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
3. Verify
ssh username@remote_host
4. Disable SSH password login on the server
sudo vi /etc/ssh/sshd_config
PasswordAuthentication no
On Ubuntu or Debian machines, you can issue this command:
sudo service ssh restart
On CentOS/Fedora machines, the daemon is called sshd:
sudo service sshd restart
After completing this step, you've successfully transitioned your SSH daemon to only respond to SSH keys.
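A check worth running before the restart in step 4, added here as an example and not part of the original notes: sshd keeps the first value it reads for each keyword, so a PasswordAuthentication no line placed below an earlier yes has no effect. The function names and the sample config are constructed for illustration; Include files and Match blocks are not evaluated, so sudo sshd -T remains the way to print the effective configuration sshd would load.

```shell
#!/bin/sh
# Added example (not from the original notes).

# Print the global PasswordAuthentication value sshd would take from file $1.
# sshd keeps the FIRST value it reads for a keyword, so later lines are ignored.
# Not handled here (assumption of this sketch): Include files and Match blocks.
effective_password_auth() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept the "Keyword=value" form
        tolower($1) == "match" { exit }         # global section ends at first Match
        tolower($1) == "passwordauthentication" { print $2; found = 1; exit }
        END { if (!found) print "yes" }         # keyword absent: default is yes
    ' "$1"
}

# Return 0 only when password login is really off in file $1.
password_login_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Constructed sample: "no" was appended at the end, but an earlier "yes" wins.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server config
Port 22
passwordauthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
if password_login_disabled "$sample"; then
    echo "password login is disabled"
else
    echo "password login still enabled: effective value is $(effective_password_auth "$sample")"
fi
rm -f "$sample"
```

On a real server, point password_login_disabled at /etc/ssh/sshd_config, and keep an existing session open while testing key login from a second terminal after the restart.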