SSH service
I. Disable remote root login over SSH
1. Edit the file /etc/ssh/sshd_config
# Disable remote root login
PermitRootLogin no
# Disable password authentication
PasswordAuthentication no
# Enable key authentication
# (CentOS 7 does not have the RSAAuthentication option)
RSAAuthentication yes
PubkeyAuthentication yes
2. Configure a passwordless-sudo user with root-equivalent privileges
visudo
or edit the file /etc/sudoers
# Create a user
useradd lcc
# Edit with visudo and add the following at line 101
lcc ALL=NOPASSWD: ALL
3. Configure the SSH key
# Switch to the lcc user
su - lcc
# Generate the key pair
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/lcc/.ssh/id_rsa):
Created directory '/home/lcc/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/lcc/.ssh/id_rsa.
Your public key has been saved in /home/lcc/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nSW5jEvQwr8zPZok5CfK+fnrhPJfk2motWOgx1/eNZ4 lcc@experiment
The key's randomart image is:
+---[RSA 2048]----+
| |
| . . . |
| + . o . |
| + + = |
| . S = |
| o.o = o |
| .o=.@ X o |
| ..=oXo@ + o o |
| +o=*Xo. . E |
+----[SHA256]-----+
# Write the public key to the authorized_keys file
cd .ssh && cat id_rsa.pub >authorized_keys
# Set the authorized_keys permissions to 644 or stricter; the default is 664, with which key login does not work
chmod 644 authorized_keys
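Note
⚠️ The SSH service configuration file /etc/ssh/sshd_config contains the setting AuthorizedKeysFile .ssh/authorized_keys. To log in without a password using the private key, the public key must be written to the file .ssh/authorized_keys, that is, the key must be registered there; otherwise passwordless login will fail!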
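
The 664-versus-644 behaviour in step 3 comes from sshd's StrictModes check (enabled by default), which also applies to ~/.ssh and the home directory. The script below is an added example, not part of the original notes: the function names path_is_strict and check_key_login are hypothetical, and it assumes GNU stat as shipped on CentOS.

```shell
# Added example: pre-flight check for key-based login under StrictModes.
# sshd ignores authorized_keys when the file, or any directory between it
# and the home directory (inclusive), is group/world-writable or is owned
# by someone other than the user or root.

# path_is_strict PATH UID -> returns 0 if PATH passes the check, 1 otherwise
path_is_strict() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    st_mode=$(stat -c '%a' "$1")    # octal permission bits, e.g. 664
    st_uid=$(stat -c '%u' "$1")     # numeric owner
    if [ "$st_uid" != "$2" ] && [ "$st_uid" != 0 ]; then
        echo "OWNER    $1 (uid $st_uid)"; return 1
    fi
    # 022 = group-write | other-write; leading 0 makes the value octal
    if [ $(( 0$st_mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $1 (mode $st_mode)"; return 1
    fi
    echo "OK       $1 (mode $st_mode)"
}

# check_key_login HOME_DIR UID [KEYFILE]
# KEYFILE is relative to HOME_DIR and defaults to the AuthorizedKeysFile
# value quoted in the note above. Returns 0 only if every component passes.
check_key_login() {
    ck_home=${1%/}
    ck_path=$ck_home/${3:-.ssh/authorized_keys}
    ck_rc=0
    while :; do
        path_is_strict "$ck_path" "$2" || ck_rc=1
        [ "$ck_path" = "$ck_home" ] || [ "$ck_path" = / ] && break
        ck_path=$(dirname "$ck_path")
    done
    return $ck_rc
}

# Typical use for the user created above (run on the server):
#   check_key_login /home/lcc "$(id -u lcc)"
```

A WRITABLE line for authorized_keys corresponds to the 664 case described in step 3; mode 600 also passes and keeps the file unreadable to other local users.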