First make sure OpenSSH and OpenSSL are installed on the server. ssh-keygen, used in the next step, ships with the OpenSSH client package; openssl is the library it relies on.
openssl version
# Normally this prints the installed version. If it prompts -bash: openssl: command not found, it is not installed. Install it (together with the OpenSSH client tools) with:
# CentOS system:
yum install openssl openssh-clients -y
# Debian/Ubuntu system
apt-get install openssl openssh-client -y
Generate key pair
Running the following command generates an SSH key pair (private key + public key); answer the prompts as shown below. The default key type here is RSA; current OpenSSH versions also offer Ed25519 (ssh-keygen -t ed25519), and the remaining steps are identical.
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
# Enter the path where the key should be saved, or press Enter to accept the default (/root/.ssh/id_rsa).
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
# Enter a passphrase for the key. Press Enter to leave it empty, or set one so that possession of the private key file alone is not enough to log in (key + passphrase).
Enter same passphrase again:
# Repeat the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
# Private key location: /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub.
# Public key location: /root/.ssh/id_rsa.pub
The key fingerprint is:
7c:25:bd:54:f5:fc:60:c0:86:c1:a0:32:7d:8a:80:c4 root@debian
The key's randomart image is:
+--[ RSA 2048]----+
| .o.+..o..|
| o.. o o + o.|
|. E o.. .O + o|
|. + + o o o.|
|.. S.. .|
|. |
|. |
| |
| |
+-----------------+
Configure server public key
After generating the key pair, we need to configure it on the server before it can be used:
Configure public key
cd ~/.ssh
# Enter the .ssh directory
ls -a
# . .. id_rsa id_rsa.pub
# The public key (id_rsa.pub) and private key (id_rsa) are in the current folder (/root/.ssh/)
cat id_rsa.pub >> authorized_keys
# Append the public key to authorized_keys. The original step renamed the file (mv id_rsa.pub authorized_keys); appending does the same job but keeps id_rsa.pub and does not overwrite keys that are already trusted
ls -a
# . .. authorized_keys id_rsa id_rsa.pub
# Check that authorized_keys now exists in the current folder (/root/.ssh/)
chmod 600 authorized_keys
chmod 700 ~/.ssh
# Then tighten the permissions. With the default StrictModes yes, sshd refuses key login when the home directory, ~/.ssh or authorized_keys is writable by other users, so this step is required, not just hygiene.
# chmod 600 - only the owner can read and write the file.
# chmod 700 - only the owner can read, write and enter the directory.
Configure SSH
Then we need to configure SSH and make sure public key login is enabled (it usually is by default):
vi /etc/ssh/sshd_config
Open the configuration file and find the following parameters:
RSAAuthentication yes
PubkeyAuthentication yes
# yes enables key login. RSAAuthentication only ever applied to SSH protocol 1, which was removed in OpenSSH 7.4; on current systems the line is ignored (with a warning) and can be left out. PubkeyAuthentication is the one that matters.
The default is yes; if the line is commented out or set to no, change it to yes. Note that sshd uses the first uncommented occurrence of a keyword, so a duplicate line added further down does not override an earlier one.
Then restart SSH:
/etc/init.d/ssh restart
# Before restarting, sshd -t checks the file for syntax errors and prints nothing when it is clean; fix anything it reports first, or sshd may fail to come back up
# If this says the service is not found, try /etc/init.d/sshd restart
# CentOS 7 and other systemd distributions use: systemctl restart sshd (on Debian/Ubuntu the unit is called ssh)
Configure client private key
After the server is configured, the SSH client also needs to be set up.
Retrieve the private key locally
cat /root/.ssh/id_rsa
# If the key was saved somewhere else, adjust the path
Reading id_rsa prints the private key to the screen. Create a new text file on the local computer, paste the key into it exactly as displayed (including the BEGIN and END lines) and save it. The name is arbitrary, id_rsa is conventional, but the file must be kept: anyone who obtains it can log in as root. Copy it only over an encrypted channel (the SSH session itself or SFTP), and once the client is working, delete the private key from the server so that only the public key remains there. If the client has its own ssh-keygen, it is better still to generate the pair on the client and upload only the public key.
# The key file looks like this (the Proc-Type and DEK-Info headers appear only when a passphrase was set)
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,EA47822BC49A9E56338A99D07084DA38
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
...
...
-----END RSA PRIVATE KEY-----
The SSH client can then import the private key and use it for the connection.
Xshell import private key
First, open the properties of the current session: Connection - Authentication.
Select Public Key as the authentication method, then click the Browse button.
In the user key management window, click Import and select the private key file id_rsa we just retrieved.
After selecting it, you will be asked for the private key passphrase. If you set one when generating the key pair above, enter it; otherwise leave it blank. Then click OK to continue.
Select the user key you just added and click OK. (For easier identification, rename the key so it is clear which server it belongs to.)
Back in the authentication window, fill in the user name (root) and the key passphrase (blank if none), and click OK.
Now disconnect and reconnect to the server, this time with the key. If something goes wrong, that is fine: password login is still enabled, so you can log in with the password and troubleshoot.
Once key login is confirmed to work, turn off password login.
Turn off password login
Open the SSH configuration file again and find the following parameter.
vi /etc/ssh/sshd_config
# The shipped default is yes (often as a commented-out line "#PasswordAuthentication yes"). Remove the leading # and change yes to no. If an uncommented "PasswordAuthentication yes" already exists higher up in the file, change that line rather than adding a new one at the bottom: sshd uses the first occurrence. Also set KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on OpenSSH before 8.7), because with UsePAM yes the keyboard-interactive method can otherwise still prompt for the account password.
PasswordAuthentication no
Finally restart SSH, keeping your current key-based session open until a second, fresh connection succeeds:
/etc/init.d/ssh restart
# If this says the service is not found, try /etc/init.d/sshd restart (or systemctl restart sshd)
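To see which value sshd actually ends up with after these edits, here is an added example (not part of the original tutorial) that reads an sshd_config the way sshd does, first match wins and anything after a Match line is conditional, and then checks the three authentication keywords that decide whether a host is really key-only. The function names sshd_effective and check_key_only and the two sample configuration files are constructed for the illustration.

```shell
#!/bin/sh
# Added example: determine the value sshd will actually use for a keyword in
# sshd_config, and check the settings that decide whether a host is key-only.
# sshd takes the FIRST uncommented occurrence of a keyword in the global
# section; later duplicates are ignored, and lines after the first "Match"
# apply only to matching connections. Keywords and yes/no values are
# case-insensitive. Not handled: the "Keyword=value" form and Include files;
# on a real host, "sshd -T" is the authoritative answer.

# sshd_effective <sshd_config> <Keyword>  -> prints the value, or "default"
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                   # drop comments
        NF == 0 { next }                     # skip blank lines
        tolower($1) == "match" { exit }      # conditional section begins
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# check_key_only <sshd_config> -> exit 0 if only public-key login is possible,
# otherwise print what is still open and exit 1. The defaults assumed are the
# OpenSSH ones: PubkeyAuthentication yes, PasswordAuthentication yes,
# KbdInteractiveAuthentication yes.
check_key_only() {
    cfg=$1 rc=0
    pub=$(sshd_effective "$cfg" PubkeyAuthentication)
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    # before OpenSSH 8.7 the keyword was ChallengeResponseAuthentication
    [ "$kbd" = default ] && kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    case $pub in yes|default) ;; *) echo "PubkeyAuthentication=$pub: key login itself is off"; rc=1 ;; esac
    case $pw  in no) ;; *) echo "PasswordAuthentication=$pw (effective): passwords still accepted"; rc=1 ;; esac
    case $kbd in no) ;; *) echo "KbdInteractiveAuthentication=$kbd: PAM can still ask for the password"; rc=1 ;; esac
    return $rc
}

# Constructed sample files (not real server configs). WEAK shows the classic
# mistake: the shipped "PasswordAuthentication yes" was left in place and a
# "no" appended at the end of the file.
TMP=${TMPDIR:-/tmp}/sshd_example.$$
WEAK=$TMP.weak HARDENED=$TMP.hardened
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat > "$WEAK" <<'EOF'
# shipped defaults with one line added at the bottom
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
EOF
cat > "$HARDENED" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF

check_key_only "$WEAK" || echo "-> $WEAK is NOT key-only"
check_key_only "$HARDENED" && echo "-> $HARDENED is key-only"
```

Run it and the first file is reported as still accepting passwords even though its last line says no; the second passes, and the Match block's conditional yes for one user is correctly left out of the global verdict.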
Other instructions
Multiple servers share the same key
When you have many servers and do not want to generate a separate key for each one, the same key pair can be used for all of them: the private key stays on the client, and only the public key is copied to each server.
The public key goes in the same place as in the tutorial above. Assuming we are the root user, create the .ssh directory under /root (if it does not exist yet) and give it the required permissions:
mkdir -p /root/.ssh
chmod 700 /root/.ssh
Then upload your public key file (authorized_keys) to the /root/.ssh directory of the other servers via SFTP (plain FTP sends it unprotected; the public key is not secret, but a key swapped in transit would let someone else in),
or write it there from the shell:
cat authorized_keys
# Print the content of your public key file on the first server; if you still have id_rsa.pub on the client, copy it from there instead
echo "xxxx" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# Replace xxxx with the public key line you copied (a single line starting with ssh-rsa) and run the command on the other server. Use >> (append) rather than > so that keys already in the file are kept; -e is not needed, the key contains no escape sequences. The ssh-copy-id tool that ships with OpenSSH performs these steps in one go.
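The two manual procedures above, putting the key into authorized_keys in "Configure public key" and pasting it onto further servers here, as one script. This is an added example, not part of the original tutorial: the function names install_pubkey and count_keys, the sample key and the scratch home directory are all constructed for the demonstration. It refuses anything that is not a public key line (the copy/paste workflow makes it easy to paste the private key block by mistake), creates ~/.ssh and authorized_keys with the permissions StrictModes requires, appends instead of overwriting, and does nothing when the key is already present.

```shell
#!/bin/sh
# Added example: install a public key into a user's authorized_keys the way
# the tutorial does by hand, but safely and idempotently.
# install_pubkey <home-dir> <public-key-line> -> prints "installed" or "already present"
install_pubkey() {
    home=$1 key=$2
    # Only OpenSSH public key lines are accepted. A private key block or a
    # stray line must never land in authorized_keys (or anywhere on the server).
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*|"sk-"*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 2 ;;
    esac
    dir=$home/.ssh ak=$home/.ssh/authorized_keys
    mkdir -p "$dir"
    chmod 700 "$dir"            # only the owner may enter the directory
    touch "$ak"
    chmod 600 "$ak"             # only the owner may read/write the key list
    # Compare key type and blob only, so a different trailing comment does
    # not create a duplicate entry for the same key.
    type_blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v tb="$type_blob" '($1 " " $2) == tb { f = 1 } END { exit !f }' "$ak"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$ak"   # >> keeps keys that are already trusted
    echo "installed"
}

# count_keys <home-dir> -> number of key lines in authorized_keys
count_keys() {
    grep -c '^[a-z]' "$1/.ssh/authorized_keys"
}

# Constructed sample key (not a real key) and a scratch home directory.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexample alice@laptop"
DEMO_HOME=${TMPDIR:-/tmp}/install_pubkey_demo.$$

install_pubkey "$DEMO_HOME" "$SAMPLE_KEY"                     # installed
install_pubkey "$DEMO_HOME" "$SAMPLE_KEY"                     # already present
install_pubkey "$DEMO_HOME" "-----BEGIN RSA PRIVATE KEY-----"  # refused
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"
```

Call install_pubkey with the target user's home directory and the one-line public key copied from id_rsa.pub; running it again, on the same host or with the same key under a different comment, is harmless.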