配置ssh证书认证,取消密码验证
...大约 1 分钟
服务器:Centos 7.5
创建一个用户,不指定密码,一切默认,也可以自定义
[root@localhost ~]# useradd user
创建证书
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/user
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/user.
Your public key has been saved in /root/.ssh/user.pub.
The key fingerprint is:
SHA256:dptzFawDGN68+q2x2gNy52Nkc4L7hO05VKoL8uqFUtQ root@localhost.local
The key's randomart image is:
+---[RSA 2048]----+
| . |
| . . = . |
| . E o + o |
| . o.. . |
| . S.ooo . |
| . ...+=Oo.o |
| . o oooXB+. |
| . + .o=*B |
| .o.. o=O=. |
+----[SHA256]-----+
[root@localhost ~]#
-t rsa 可以不指定
查看生成证书的文件
[root@localhost ~]# ll .ssh/
total 8
-rw-------. 1 root root 1679 Sep 23 05:23 user
-rw-r--r--. 1 root root 402 Sep 23 05:23 user.pub
把公钥导入认证文件,并修改权限
[root@localhost ~]# cd .ssh/
[root@localhost .ssh]# cat user.pub >authorized_keys
[root@localhost .ssh]# chmod 0600 authorized_keys
文件和目录的最终权限
drwx------. 2 root root 48 Sep 23 05:08 .ssh
-rw-------. 1 root root 401 Sep 23 05:04 authorized_keys
复制认证文件到user 用户的目录,如果想对其他用户也做证书认证可以复制此步骤。
cp -ra /root/.ssh /home/user/
chown -R user.user /home/user/.ssh
修改ssh 配置文件
[root@localhost ~]# vim /etc/ssh/sshd_config
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
如果想同时开启 root,证书,密码有三种,则三个值都为yes
如果想同时开启密码,证书两种,则PermitRootLogin 为no
如果只想要证书登录 ,则只需要PubkeyAuthentication yes,其他两个为no
RSAAuthentication yes 则看证书类型决定要不要开,在这个案例中没有开
复制私钥(user)到客户端
连接,添加证书,实例是key 用户
确定就可以登录了
Powered by Waline v3.1.3