Translated from: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
About SSH Keys
Using SSH keys gives you a more secure way of logging into a virtual private server than relying on a password alone.
A password can eventually be recovered by a brute-force attack, but a properly generated SSH key cannot realistically be guessed that way.
Generating a key pair gives you two long strings: a public key and a private key. You place the public key on any server you want to reach. When a client holding the matching private key connects, it proves possession of that key by signing a challenge the server issues, and the server lets it in without asking for a password. The private key itself never leaves the client.
You can raise the bar further by protecting the private key with a passphrase, so that a copy of the key file alone is not enough to use it.
Step One—Create the RSA Key Pair
Generate the key pair on the machine you will connect from (not on the server) using ssh-keygen; the complete session, including the command, is shown under Step Two.
Step Two—Store the Keys and Passphrase
After you run the command from Step One, you will see the following prompt:
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
You can press Enter here to accept the default location in your home directory (the example user here is demo).
Enter passphrase (empty for no passphrase):
Do you want to use a passphrase? A passphrase does have its benefits: the security of a key, however strong its encryption, still depends on nobody else being able to read it. A private key with no passphrase is stored in plaintext on disk, and anyone who copies the file can use it at once. If a passphrase-protected private key falls into the hands of an unauthorized user, they cannot log in to the accounts it unlocks until they recover the passphrase, which buys the key's owner time to notice the theft and remove the public key from the servers it is installed on. The only downside of a passphrase is that you have to enter it every time you use the key pair (an ssh-agent can cache it for the length of a session).
The whole key generation process looks like this:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/demo/.ssh/id_rsa.
Your public key has been saved in /home/demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
| .oo. |
| . o.E |
| + . o |
| . = = . |
| = S = . |
| o + = + |
| . o + o . |
| . o |
| |
+-----------------+
The public key is now at: /home/demo/.ssh/id_rsa.pub
The private key (your identification) is now at: /home/demo/.ssh/id_rsa. It stays on the client, readable only by you; it is never copied to the server.
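The key generation of Steps One and Two, carried out non-interactively with a passphrase and then checked, as an added example that is not part of the original tutorial. It needs the ssh-keygen binary from OpenSSH; the Ed25519 key type, the -a 100 KDF rounds, the scratch paths, the comment and the demo passphrase are choices made for this example, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the DigitalOcean tutorial: generate a key pair
# non-interactively with a passphrase, then verify that the private key is
# actually useless without that passphrase. Requires ssh-keygen from
# OpenSSH; key type, KDF rounds, paths and passphrase are this demo's own.

# generate_keypair KEY_PATH PASSPHRASE COMMENT
# Ed25519 keys are short and need no key-size decision the way RSA does;
# -a 100 raises the passphrase KDF rounds, so each offline guess at the
# passphrase costs an attacker who stole the file more time.
generate_keypair() {
    ssh-keygen -q -t ed25519 -a 100 -N "$2" -C "$3" -f "$1"
    chmod 600 "$1"          # ssh refuses to use a private key others can read
}

# key_fingerprint PUBKEY_PATH
# Prints the SHA256 fingerprint, for comparing out of band with whatever the
# server side or provider console shows you.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# passphrase_protects KEY_PATH
# Returns 0 if the private key cannot be loaded with an empty passphrase,
# 1 if it loads without one (i.e. it is stored unencrypted).
passphrase_protects() {
    if ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Demo in a scratch directory (constructed passphrase and comment).
work=$(mktemp -d)
generate_keypair "$work/id_ed25519" 'correct horse battery staple' 'demo@laptop'
echo "fingerprint: $(key_fingerprint "$work/id_ed25519.pub")"
if passphrase_protects "$work/id_ed25519"; then
    echo "private key is encrypted; the passphrase is required to use it"
fi
rm -rf "$work"
```

The tutorial's ssh-keygen -t rsa works the same way; add -b 4096 if you must stay with RSA. The passphrase check is the one test worth running after generating any key: a key that loads with an empty passphrase is stored in plaintext, and whoever copies the file can use it immediately.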
Step Three—Copy the Public Key
Once the key pair is generated, it's time to place the public key on the virtual server that we want to use.
You can copy the public key into the new machine's authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.
ssh-copy-id user@123.45.56.78
Alternatively, you can paste in the keys using SSH:
cat ~/.ssh/id_rsa.pub | ssh user@123.45.56.78 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
No matter which command you chose, you should see something like the output below. The first connection also asks you to confirm the server's host key; compare the fingerprint shown with the one your provider's console reports before answering yes, because accepting an unverified host key is exactly what a man-in-the-middle needs.
The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
user@12.34.56.78's password:
Now try logging into the machine, with "ssh 'user@12.34.56.78'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Now you can go ahead and log into user@12.34.56.78 and you will not be prompted for a password. However, if you set a passphrase, you will be asked to enter the passphrase at that time (and whenever else you log in in the future).
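What ssh-copy-id does on the server side, plus the "check authorized_keys for keys you weren't expecting" step that its output recommends, as an added example that is not from the tutorial. The home directory, key blobs and comments are constructed for the demo; the functions install_authorized_key and count_unexpected_keys are this example's own.

```shell
#!/bin/sh
# Added example, not from the DigitalOcean tutorial: append a public key to
# ~/.ssh/authorized_keys the way ssh-copy-id does, but idempotently and with
# the permissions sshd's StrictModes expects, then audit the file for keys
# you did not intend to install. Paths and key blobs are constructed.

# install_authorized_key HOME_DIR PUBKEY_FILE
# PUBKEY_FILE holds one "type base64blob [comment]" line, as id_rsa.pub does.
# Prints "installed" or "already present".
install_authorized_key() {
    ssh_dir="$1/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"            # sshd ignores the file if the dir is group/world writable
    touch "$auth_file"
    chmod 600 "$auth_file"
    # Match on key type and blob only; the trailing comment is free text.
    key_id=$(awk 'NR==1 {print $1" "$2}' "$2")
    if grep -qF -- "$key_id" "$auth_file"; then
        echo "already present"
    else
        cat "$2" >> "$auth_file"
        echo "installed"
    fi
}

# count_unexpected_keys HOME_DIR EXPECTED_FILE
# EXPECTED_FILE lists the keys you meant to install, one per line. Reports
# each key not in that list on stderr and prints the count on stdout.
count_unexpected_keys() {
    auth_file="$1/.ssh/authorized_keys"
    n=0
    while read -r ktype kblob kcomment; do
        case "$ktype" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! grep -qF -- "$ktype $kblob" "$2"; then
            echo "unexpected key: $ktype ${kcomment:-(no comment)}" >&2
            n=$((n + 1))
        fi
    done < "$auth_file"
    echo "$n"
}

# Demo: one intended key, then a second key someone else slipped into the file.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedNotARealKey demo@laptop' \
    > "$demo_home/mykey.pub"
install_authorized_key "$demo_home" "$demo_home/mykey.pub"      # installed
install_authorized_key "$demo_home" "$demo_home/mykey.pub"      # already present
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedRogueKey nobody@evil' \
    >> "$demo_home/.ssh/authorized_keys"
count_unexpected_keys "$demo_home" "$demo_home/mykey.pub"       # 1
rm -rf "$demo_home"
```

The audit is worth keeping as a periodic check rather than a one-off: an extra line in authorized_keys is one of the quietest ways for an intruder to keep access after a password change. The matcher assumes plain "type blob comment" lines; keys carrying an options prefix such as command="..." would need the first field skipped.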
Optional Step Four—Disable the Password for Root Login
Once you have copied your SSH keys onto your server and confirmed that you can log in with the SSH key alone (test this from a second terminal while your first session stays open), you can go ahead and restrict the root login so that it is only permitted via SSH keys.
In order to do this, open up the SSH config file:
sudo nano /etc/ssh/sshd_config
Within that file, find the line that includes PermitRootLogin and modify it so that root can only connect with an SSH key:
PermitRootLogin without-password
On OpenSSH 7.0 and later the same setting is spelled prohibit-password; without-password is still accepted as an alias. Note that this restricts root only. Other accounts can still log in with passwords until you also set PasswordAuthentication no, which is worth doing once every account you need has a key installed.
Put the changes into effect by reloading the SSH service. Keep your current session open until a fresh login from another terminal succeeds, so that a mistake in the file cannot lock you out.
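Editing sshd_config by hand as in Step Four is easy to get subtly wrong, because sshd honours only the first occurrence of a directive and most distributions ship a commented-out default line above it. The following is an added example, not from the tutorial, that sets a directive in place on a constructed copy of the file; set_sshd_directive, effective_sshd_value and the sample configuration contents are this example's own. It writes prohibit-password, the name OpenSSH 7.0 and later use for the tutorial's without-password (both are accepted).

```shell
#!/bin/sh
# Added example, not from the DigitalOcean tutorial: set an sshd_config
# directive whether it is currently set, commented out or absent, and read
# back the value sshd would use. Runs on a constructed copy of the file so it
# needs no root; the function and file names are this example's own.

# set_sshd_directive FILE NAME VALUE
# Replaces every "NAME ..." or "#NAME ..." line with "NAME VALUE", keeping
# the position of the first one, and appends the directive if none existed.
# sshd uses the first match for a directive, so a stale copy left earlier in
# the file would silently win over your edit.
set_sshd_directive() {
    file=$1; name=$2; value=$3
    tmp=$(mktemp)
    awk -v name="$name" -v value="$value" '
        # matches "PermitRootLogin", "#PermitRootLogin", "# PermitRootLogin" ...
        tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(name) "([ \t]|=|$)") {
            if (!done) { print name " " value; done = 1 }
            next                     # drop duplicates and commented-out copies
        }
        { print }
        END { if (!done) print name " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original file's owner and mode
    rm -f "$tmp"
}

# effective_sshd_value FILE NAME
# Prints the value sshd would use from the global section (first uncommented
# match before any Match block), or nothing if the directive is not set.
effective_sshd_value() {
    awk -v name="$2" '
        tolower($1) == "match" { exit }            # stop at the first Match block
        tolower($1) == tolower(name) { print $2; exit }
    ' "$1"
}

# Demo on a constructed sshd_config with a commented-out default.
cfg=$(mktemp)
printf '%s\n' '# Authentication:' '#PermitRootLogin prohibit-password' \
    'PasswordAuthentication yes' 'Subsystem sftp /usr/lib/openssh/sftp-server' > "$cfg"
set_sshd_directive "$cfg" PermitRootLogin prohibit-password
set_sshd_directive "$cfg" PasswordAuthentication no
echo "root login policy: $(effective_sshd_value "$cfg" PermitRootLogin)"   # prohibit-password
cat "$cfg"
rm -f "$cfg"
```

To apply this to a real server, run it as root against /etc/ssh/sshd_config, validate the result with sudo sshd -t, and then reload the service (systemctl reload ssh on Debian and Ubuntu, systemctl reload sshd on RHEL-family systems; service names assumed here) while your existing session stays open. The function replaces matches anywhere in the file, so if your configuration contains Match blocks, check that the directive did not land inside one.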
Digital Ocean Addendum
The Digital Ocean control panel allows you to add public keys to your new droplets when they are created. You can generate the SSH key in a convenient location, such as your local computer, and then upload the public key in the SSH Keys section.
Then, when you create a new VPS, you can choose to include that public key on the server. No root password will be emailed to you, and you can log in to your new virtual private server from your chosen client. If you set a passphrase, you will be prompted for it upon login.