SSH Login with Public Key Authentication

1. Principle:

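The user first generates a key pair, then stores the public key in the authorized_keys file in the .ssh subdirectory of the user's home directory on the SSH server (/root/.ssh/authorized_keys). The private key is kept on the local computer. When the user logs in, the server checks whether a public key in the authorized_keys file corresponds to the user's private key; if it does, the login is allowed, otherwise it is refused. Because the private key is stored only on the user's local computer, an intruder who obtains the user's password still cannot log in to the server.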

2. Generate a key pair with ssh-keygen

    ssh-keygen -t rsa  # when prompted for a passphrase afterwards, just press Enter
        [root@localhost ~]# ssh-keygen -t rsa
            Generating public/private rsa key pair.
            Enter file in which to save the key (/root/.ssh/id_rsa): 
            Created directory '/root/.ssh'.
            Enter passphrase (empty for no passphrase): 
            Enter same passphrase again: 
            Your identification has been saved in /root/.ssh/id_rsa.
            Your public key has been saved in /root/.ssh/id_rsa.pub.
            The key fingerprint is:
            80:ed:2f:c9:6b:bc:41:26:60:bb:09:56:65:15:2a:6a root@localhost

The private key is at /root/.ssh/id_rsa
The public key is at /root/.ssh/id_rsa.pub

3. Rename /root/.ssh/id_rsa.pub to /root/.ssh/authorized_keys

    mv /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys


4. Copy the private key id_rsa to the Linux client machine that needs to log in. There are two ways:

     A: On Linux, copy it to /root/.ssh/ and it can be used directly.
     B: ssh-copy-id -i ~/.ssh/id_rsa.pub USERNAME@IPADDRESS

Windows users can log in by choosing the public_key method in their SSH client.

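5. Enable public key authentication on the remote server and disable password login. This step is optional, but only turn password login off after confirming that public key login works.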

Edit the configuration file /etc/ssh/sshd_config and change "PasswordAuthentication yes" to "PasswordAuthentication no".
The sshd service must then be restarted:

    service sshd restart
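
A pre-flight check for step 5, as an added example that is not part of the original page: it confirms that key login can work before password login is turned off, and that the edited sshd_config really yields "PasswordAuthentication no" (sshd uses the first value it reads for a keyword). The function names are hypothetical and the demo files are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. On a real host `sshd -T`
# prints the authoritative effective configuration; this parser only reads
# the global section of one file (no Include, no Match blocks).

# Effective value of keyword $2 in sshd_config file $1 (default $3).
sshd_effective() {
    v=$(awk -v key="$2" '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, accept key=value
        tolower($1) == "match" { exit }     # stop at conditional blocks
        tolower($1) == tolower(key) { print tolower($2); exit }  # first value wins
    ' "$1")
    echo "${v:-$3}"
}

# True when $1 is not writable by group or others, as StrictModes requires.
not_loosely_writable() {
    case $(ls -ld "$1" | cut -c6,9) in --) return 0 ;; *) return 1 ;; esac
}

# Succeeds only if key login can work for the authorized_keys file $2
# under sshd_config $1, i.e. it is safe to go on to step 5.
ready_for_key_only() {
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication is off"; return 1; }
    grep -v '^[[:space:]]*#' "$2" 2>/dev/null |
        grep -Eq '(^| )(ssh-rsa|ssh-ed25519|ecdsa-sha2-[^ ]+) AAAA' ||
        { echo "no public key in $2"; return 1; }   # common key types only
    not_loosely_writable "$2" && not_loosely_writable "$(dirname "$2")" ||
        { echo "group/world-writable key file or directory"; return 1; }
    echo "ok"
}

# Succeeds when password login is effectively disabled in sshd_config $1.
password_login_off() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ]
}

# Demo on constructed files (not a real host's configuration).
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructed root@localhost' > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$demo/sshd_config"
ready_for_key_only "$demo/sshd_config" "$demo/.ssh/authorized_keys"
password_login_off "$demo/sshd_config" && echo "password login is off"
rm -rf "$demo"
```

Keep an existing session open while restarting sshd, and test a new key-based login from a second terminal before closing it.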