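Ubuntu: Passwordless SSH Login with a Digital Certificate (Key Pair)
1. Generate the key pair with the ssh-keygen command. If the command is not available, you may need to install OpenSSH first: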
```
apt-get update
apt-get install openssh-client
```
```
root@localhost:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:tJvcbbbJkbThkvm5hwsZI20 root@localhost
The key's randomart image is:
+---[RSA 3072]----+
|o +*=+ .+=+o |
| o==+=oo.Eo * |
| o* o.O =O. |
| * O * oo. |
| . + S . o |
| . |
| |
| |
| |
+----[SHA256]-----+
root@localhost:~/.ssh# ls
total 20K
-rw------- 1 root root 0 Oct 5 2024 authorized_keys
-rw------- 1 root root 2.6K Jul 23 21:44 id_rsa
-rw-r--r-- 1 root root 567 Jul 23 21:44 id_rsa.pub
```
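The .ssh directory under the home directory now contains the id_rsa.pub public key file and the id_rsa private key file. Take particular care with the id_rsa private key file: store it safely and never let it leak.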
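2. Copy or rename the id_rsa.pub public key to authorized_keys and set its permissions with chmod 600 authorized_keys
3. Copy the id_rsa private key file to the client
4. To connect with PuTTY, use the puttygen tool to convert the id_rsa private key file to ppk format
In the puttygen window, open the Conversions menu and click Import key to import the id_rsa private key file
or
load the id_rsa private key file through Load private key in the File menu
Then click Save private key, at the lower right or in the File menu, to save it in ppk format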
5. On the server, edit /etc/ssh/sshd_config with vi or nano, pay attention to the following two settings, and save the file
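```
PermitEmptyPasswords no
PermitRootLogin yes
# SSH protocol 1 option; OpenSSH 7.4 and later treat it as deprecated
RSAAuthentication yes
# Be sure to add this line
PubkeyAuthentication yes
# Named PubkeyAcceptedAlgorithms since OpenSSH 8.5 (old name kept as an alias)
PubkeyAcceptedKeyTypes +ssh-rsa
AuthorizedKeysFile .ssh/authorized_keys
#TrustedUserCAKeys /etc/ssh/RSA-PUB-KEY
# Keep password login allowed until certificate login is confirmed to work;
# change it to no after a successful test
PasswordAuthentication yes
#PasswordAuthentication no
#StrictModes no
MaxAuthTries 3
#ChallengeResponseAuthentication no
#UsePAM no
```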
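- After editing the configuration, restart the SSH service with systemctl restart ssh.service. The configuration work is now complete.
- In PuTTY, under Connection, go to Auth and find Credentials. In the "Private key file for authentication" field, enter the ppk private key file and its path, or select the file with the Browse button.
- When that is done, click the Open button to log in to the server with the certificate, without a password.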
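
The following audit of the files and settings from the steps above is an added example, not part of the original article. It checks the permissions that the ssh client and sshd's StrictModes enforce, and reads sshd_config the way sshd does, where the first value for a keyword wins. The function names and the script name audit.sh are assumptions made for illustration.

```shell
# Added example; function and script names are constructed for illustration.
# First value set for KEYWORD in an sshd_config-style file, else DEFAULT.
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively. Simplification: Include files and Match blocks are
# not followed; on a live server `sshd -T` prints the effective settings.
sshd_option() {  # usage: sshd_option FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Permission string (rwxrwxrwx) of a path, taken from ls -ld.
perm_bits() { ls -ld -- "$1" | cut -c2-10; }

# id_rsa: the ssh client refuses a private key that group or others can
# access. .ssh and authorized_keys: sshd with StrictModes (the default)
# refuses them when group or others can write. Returns 1 on any finding.
check_ssh_perms() {  # usage: check_ssh_perms SSH_DIR
    rc=0
    if [ -e "$1/id_rsa" ]; then
        case "$(perm_bits "$1/id_rsa")" in
            ???------) ;;
            *) echo "WARN: $1/id_rsa is accessible to group/others"; rc=1 ;;
        esac
    fi
    for p in "$1" "$1/authorized_keys"; do
        [ -e "$p" ] || continue
        case "$(perm_bits "$p")" in
            ????w????|???????w?) echo "WARN: $p is group/world writable"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Settings expected after key login has been tested (end state of step 5).
check_sshd_config() {  # usage: check_sshd_config FILE
    rc=0  # each entry below is keyword:expected:default-when-unset
    for want in PubkeyAuthentication:yes:yes PermitEmptyPasswords:no:no \
                PasswordAuthentication:no:yes; do
        key=${want%%:*}; rest=${want#*:}; exp=${rest%%:*}; def=${rest#*:}
        got=$(sshd_option "$1" "$key" "$def")
        [ "$got" = "$exp" ] || { echo "WARN: $key is $got, expected $exp"; rc=1; }
    done
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_ssh_perms "$1"; check_sshd_config "$2"; fi
```

Run it as `sh audit.sh ~/.ssh /etc/ssh/sshd_config`. Appending `PasswordAuthentication no` below an existing `PasswordAuthentication yes` line is still reported, because sshd uses the first value.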