- 生成SSH密钥 (客户机端)
执行ssh-keygen -t rsa命令创建RSA密钥对,执行结果如下(键入3次回车):
[root@node01 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): [回车]
Enter passphrase (empty for no passphrase): [回车]
Enter same passphrase again: [回车]
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wE9FYDCaUVqNYM0a/1T0D9t3S9sFwAscxBlsgod4TCA root@Server-i-sbnv1kiesu
The key's randomart image is:
+---[RSA 2048]----+
| E =X**oOB=. |
| ooBOo+.O... |
| +=o..+ .o.. |
| . .+. .= . |
| oS . o.+|
| . ..*|
| o.|
| |
| |
+----[SHA256]-----+
此时,公钥保存在 ~/.ssh/id_rsa.pub 中;私钥保存在~/.ssh/id_rsa中。
- 将刚生成的公钥复制到目标服务器 (私钥在客户端,需要私钥与公钥配对)
ssh-copy-id user@IP#或者,您也可以使用SSH粘贴密钥cat ~/.ssh/id_rsa.pub | ssh user@IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
-
修改配置文件 (服务器端)
以下操作均修改/etc/ssh/sshd_config文件,(注意:需要配置位置处修改,在文件后面追加不生效)
a) 禁止密码登录,只允许密钥登录(一般只需要修改此项即可)
PasswordAuthentication no
b) 禁止ChallengeResponseAuthentication
ChallengeResponseAuthentication no
c) 开启UsePAM
UsePAM yes
注:如果b和c项都为yes时,a项的配置是无效的。所以b和c项只要设置一项为no就可以,本例中设置b项为no。 -
重启SSH服务
service sshd restart -
xshell ssh私钥登录配置