CentOS8中如何设置SSH密钥

在我们平时使用Linux系统时候，通常使用的Linux SSH登录方式是用户名加密码的登录方式，今天来探讨另外的一种相对安全的登录方式——密钥登录。

环境

客户端：CentOS8 192.168.43.137

服务端：CentOS8 192.168.43.139

创建SSH公私钥

通过输入以下命令，生成新的4096位的SSH密钥对：

[root@localhost&nbsp;~]<span style="color: #57a64a;font-style: italic;line-height: 26px">#&nbsp;ssh-keygen&nbsp;-t&nbsp;rsa&nbsp;-b&nbsp;4096</span>

Generating&nbsp;public/private&nbsp;rsa&nbsp;key&nbsp;pair.

Enter&nbsp;file&nbsp;<span style="color: #569cd6;line-height: 26px">in</span>&nbsp;<span style="color: #4ec9b0;line-height: 26px">which</span>&nbsp;to&nbsp;save&nbsp;the&nbsp;key&nbsp;(/root/.ssh/id_rsa):

Enter&nbsp;passphrase&nbsp;(empty&nbsp;<span style="color: #569cd6;line-height: 26px">for</span>&nbsp;no&nbsp;passphrase):

Enter&nbsp;same&nbsp;passphrase&nbsp;again:

Your&nbsp;identification&nbsp;has&nbsp;been&nbsp;saved&nbsp;<span style="color: #569cd6;line-height: 26px">in</span>&nbsp;/root/.ssh/id_rsa.

Your&nbsp;public&nbsp;key&nbsp;has&nbsp;been&nbsp;saved&nbsp;<span style="color: #569cd6;line-height: 26px">in</span>&nbsp;/root/.ssh/id_rsa.pub.

The&nbsp;key&nbsp;fingerprint&nbsp;is:

SHA256:ycOtSDK8ud2kd6EH7OxoQuc1BFb1HJ3T/kvAQJt0LrI&nbsp;root@localhost.localdomain

The&nbsp;key<span style="color: #d69d85;line-height: 26px">'s&nbsp;randomart&nbsp;image&nbsp;is: +---[RSA&nbsp;4096]----+ |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;...oo.o&nbsp;o&nbsp;| |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;o&nbsp;&nbsp;&nbsp;.+=.+&nbsp;.| |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.&nbsp;.&nbsp;.&nbsp;+=.&nbsp;o&nbsp;| |&nbsp;&nbsp;&nbsp;.&nbsp;&nbsp;&nbsp;o.oo&nbsp;.o&nbsp;&nbsp;.| |&nbsp;&nbsp;&nbsp;&nbsp;+&nbsp;.oSE.&nbsp;&nbsp;&nbsp;.&nbsp;.| |&nbsp;&nbsp;&nbsp;&nbsp;.*..=o.&nbsp;&nbsp;&nbsp;&nbsp;..| |&nbsp;&nbsp;&nbsp;.oo.+o+&nbsp;.&nbsp;&nbsp;.&nbsp;.| |&nbsp;&nbsp;&nbsp;&nbsp;.oo==&nbsp;o&nbsp;&nbsp;&nbsp;&nbsp;.&nbsp;| |&nbsp;&nbsp;&nbsp;&nbsp;.o+ooo&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;| +----[SHA256]-----+ </span>

想要验证是否生成了新的SSH密钥对，使用ls -l命令查看~/.ssh目录是否有刚才生成的文件：

[root@localhost&nbsp;~]<span style="color: #57a64a;font-style: italic;line-height: 26px">#&nbsp;ll&nbsp;~/.ssh/</span>

total&nbsp;8

-rw-------&nbsp;1&nbsp;root&nbsp;root&nbsp;3389&nbsp;May&nbsp;13&nbsp;08:26&nbsp;id_rsa

-rw-r--r--&nbsp;1&nbsp;root&nbsp;root&nbsp;&nbsp;752&nbsp;May&nbsp;13&nbsp;08:26&nbsp;id_rsa.pub

将公钥复制到远程服务器，使用ssh-copy-id实用程序，输入远程服务器的root密码：

[root@localhost&nbsp;~]<span style="color: #57a64a;font-style: italic;line-height: 26px">#&nbsp;ssh-copy-id&nbsp;root@192.168.43.139</span>

/usr/bin/ssh-copy-id:&nbsp;INFO:&nbsp;Source&nbsp;of&nbsp;key(s)&nbsp;to&nbsp;be&nbsp;installed:&nbsp;<span style="color: #d69d85;line-height: 26px">"/root/.ssh/id_rsa.pub"</span>

The&nbsp;authenticity&nbsp;of&nbsp;host&nbsp;<span style="color: #d69d85;line-height: 26px">'192.168.43.139&nbsp;(192.168.43.139)'</span>&nbsp;can<span style="color: #d69d85;line-height: 26px">'t&nbsp;be&nbsp;established. ECDSA&nbsp;key&nbsp;fingerprint&nbsp;is&nbsp;SHA256:7O1oIOooh4NZG87aC3v1Zz/vcTXkjOhQBnlkY0CD4y0. Are&nbsp;you&nbsp;sure&nbsp;you&nbsp;want&nbsp;to&nbsp;continue&nbsp;connecting&nbsp;(yes/no)?&nbsp;yes /usr/bin/ssh-copy-id:&nbsp;INFO:&nbsp;attempting&nbsp;to&nbsp;log&nbsp;in&nbsp;with&nbsp;the&nbsp;new&nbsp;key(s),&nbsp;to&nbsp;filter&nbsp;out&nbsp;any&nbsp;that&nbsp;are&nbsp;already&nbsp;installed /usr/bin/ssh-copy-id:&nbsp;INFO:&nbsp;1&nbsp;key(s)&nbsp;remain&nbsp;to&nbsp;be&nbsp;installed&nbsp;--&nbsp;if&nbsp;you&nbsp;are&nbsp;prompted&nbsp;now&nbsp;it&nbsp;is&nbsp;to&nbsp;install&nbsp;the&nbsp;new&nbsp;keys Password: Number&nbsp;of&nbsp;key(s)&nbsp;added:&nbsp;1 Now&nbsp;try&nbsp;logging&nbsp;into&nbsp;the&nbsp;machine,&nbsp;with:&nbsp;&nbsp;&nbsp;"ssh&nbsp;'</span>root@192.168.43.139<span style="color: #d69d85;line-height: 26px">'" and&nbsp;check&nbsp;to&nbsp;make&nbsp;sure&nbsp;that&nbsp;only&nbsp;the&nbsp;key(s)&nbsp;you&nbsp;wanted&nbsp;were&nbsp;added. </span>

也可以使用以下命令复制公钥：

[root@localhost&nbsp;.ssh]<span style="color: #57a64a;font-style: italic;line-height: 26px">#&nbsp;cat&nbsp;~/.ssh/id_rsa.pub&nbsp;|&nbsp;ssh&nbsp;root@192.168.43.139&nbsp;"mkdir&nbsp;-p&nbsp;~/.ssh&nbsp;&amp;&amp;&nbsp;chmod&nbsp;700&nbsp;~/.ssh&nbsp;&amp;&amp;&nbsp;cat&nbsp;&gt;&gt;&nbsp;~/.ssh/authorized_keys&nbsp;&amp;&amp;&nbsp;chmod&nbsp;600&nbsp;~/.ssh/authorized_keys"</span>

使用密钥登录服务器

使用以下命令登录ssh服务器：

[root@localhost&nbsp;~]<span style="color: #57a64a;font-style: italic;line-height: 26px">#&nbsp;ssh&nbsp;192.168.43.139</span>

Last&nbsp;login:&nbsp;Tue&nbsp;May&nbsp;12&nbsp;12:33:41&nbsp;2020&nbsp;from&nbsp;192.168.43.137

关闭密码认证

登录服务器端，关闭密码认证：

[root@localhost&nbsp;~]<span style="color: #57a64a;font-style: italic;line-height: 26px">#&nbsp;ssh&nbsp;192.168.43.139</span>

Last&nbsp;login:&nbsp;Tue&nbsp;May&nbsp;12&nbsp;12:33:41&nbsp;2020&nbsp;from&nbsp;192.168.43.137

[root@localhost&nbsp;~]<span style="color: #57a64a;font-style: italic;line-height: 26px">#&nbsp;vim&nbsp;/etc/ssh/sshd_config</span>

搜索一下三条，将选项改为No

PasswordAuthentication&nbsp;no

ChallengeResponseAuthentication&nbsp;no

UsePAM&nbsp;no

重启sshd服务：

[root@localhost&nbsp;~]<span style="color: #57a64a;font-style: italic;line-height: 26px">#&nbsp;systemctl&nbsp;restart&nbsp;sshd</span>

总结

可以使用同一密钥管理多个远程服务器。默认情况下，SSH的端口是TCP 22。更改默认SSH端口可降低自动攻击的风险。