Summary

An SSH key comes as a pair, a public key and a private key; keep the private key safe and never share it.
Using SSH public key authentication is also one of the measures that makes a server both more secure and quicker to work with.

Generate ssh key

Taking GitHub as the example, use ssh-keygen to generate the matching key pair.

# make sure the .ssh folder exists
cd ~/
mkdir -p .ssh
cd ~/.ssh

# use ssh-keygen to generate the key
# if you want to name the key file, add the -f parameter; the default is id_rsa
# -C only stores a comment in the public key, usually your e-mail (placeholder below)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/git/.ssh/id_rsa):

# enter a passphrase for the private key; the default is empty
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Configure the public key on the server

There are many ways to upload the public key to the server; ssh-copy-id is recommended.

  • ssh-copy-id -i ~/.ssh/id_rsa.pub git@ip -p xx

You may run into problems such as: Permission denied (publickey). or bash: ssh-copy-id: command not found

If it is a permission problem, check whether the current user has execute permission on the .ssh folder.

Otherwise, if you are using the Windows command line, you may simply not have this tiny script installed; run the script below:

It may just work; good luck!

# core of ssh-copy-id: $1 is user@host (a trailing ':' is stripped); the local public key is appended to the remote authorized_keys
ID_FILE="${HOME}/.ssh/id_rsa.pub"   # the public key to install
GET_ID="cat ${ID_FILE}"
{ eval "$GET_ID" ; } | ssh ${1%:} "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
  • scp -P xx ~/.ssh/id_rsa.pub user@ip:

Note: then log in to the server and run:

# the scp above left the key in the home directory; create .ssh if it is missing
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/id_rsa.pub
chmod 600 ~/.ssh/authorized_keys

Keep authorized_keys safe

For security, you should prevent other users from adding new public keys.
Set the permissions on authorized_keys to read-only for the owner, with no access for anyone else:

chmod 400 ~/.ssh/authorized_keys

Disable password authentication

Once you can log in to the server with the public key, it is best to disable password login.

vim /etc/ssh/sshd_config
# set the PasswordAuthentication value to no
# RSAAuthentication is an SSH protocol 1 option; OpenSSH 7.4 and later ignore it with a "Deprecated option" warning
RSAAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no

# restart the sshd service
service sshd restart
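As an added example (not part of the original post), here is a small POSIX shell audit for the two hardening steps above: it checks that ~/.ssh, authorized_keys and the private keys carry the permissions set in "Keep authorized_keys safe", and that sshd_config really contains PasswordAuthentication no. It assumes GNU stat -c (with a BSD stat -f fallback); the function names mode_of, audit_ssh_dir and password_auth_disabled are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: audit the ~/.ssh layout and sshd_config.

# mode_of FILE -> octal permission bits such as 600 (GNU stat, BSD stat fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_ssh_dir DIR -> 0 when DIR is 700, authorized_keys is 400/600 and every
# private key (id_* without .pub) is 400/600; prints one line per finding.
audit_ssh_dir() {
    dir="$1"; rc=0
    case "$(mode_of "$dir")" in
        700) ;;
        *) echo "$dir: directory should be 700"; rc=1 ;;
    esac
    if [ -f "$dir/authorized_keys" ]; then
        case "$(mode_of "$dir/authorized_keys")" in
            400|600) ;;
            *) echo "$dir/authorized_keys: should be 400 or 600"; rc=1 ;;
        esac
    fi
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        case "$(mode_of "$key")" in
            400|600) ;;
            *) echo "$key: private key should be 600"; rc=1 ;;
        esac
    done
    return "$rc"
}

# password_auth_disabled CONFIG -> 0 when password logins are off.
# sshd keeps the FIRST value it sees for a keyword, so a later duplicate does not
# override an earlier "yes"; a commented-out "#PasswordAuthentication no" leaves the
# default (yes) in force. Match blocks and the keyword=value form are not modelled;
# `sshd -T` prints the real effective value on the host.
password_auth_disabled() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# usage: audit_ssh_dir "$HOME/.ssh"; password_auth_disabled /etc/ssh/sshd_config
```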

How to use it in client tools

  • Use an alias
$ cat ~/.bash_profile
# no space around '='; user@host is a placeholder for your own login
alias vps-gce='ssh user@host'
  • Import the public key on the SSH client side; this part is simple. Common clients include PuTTY, SecureCRT and XShell; for mobile, JuiceSSH is recommended.