Server environment: CentOS 7.2
1. Generate the SSH key pair (this article generates it on the server; the step can be done on any machine that has the ssh-keygen command, and doing it on the client is the better choice, because the private key then never has to leave the machine that will use it)
Log in and run ssh-keygen -t rsa. The key pair is generated interactively; the process looks like this:
#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
69:cb:a2:53:2f:dc:ad:51:c9:dd:9d:8d:5a:6a:ea:48 root@all
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|         o o . oo|
|        S + . +.o|
|        .o o +   |
|        o.oE. +  |
|       ..oooo.o  |
|        .. .ooo  |
+-----------------+
During this process you are first prompted for the path of the id_rsa file (press Enter to keep the default), then for a passphrase, which you enter twice. The result is the two files SSH needs: the private key id_rsa and the public key id_rsa.pub. Set a passphrase: an unencrypted private key gives anyone who copies the file a working login.
2. Server configuration
Edit /etc/ssh/sshd_config to enable public-key login and to disable login by user name and password:
#vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
...
PasswordAuthentication no
Two caveats on this listing. RSAAuthentication only governs SSH protocol 1, which CentOS 7 does not enable; the option can be dropped (OpenSSH 7.4 and later removed it altogether). And PasswordAuthentication no is not enough by itself on CentOS 7, where sshd authenticates through PAM: unless ChallengeResponseAuthentication is also set to no, the keyboard-interactive method still accepts the account password.
Assume the user who will log in is root, whose home directory is /root. Create the directory /root/.ssh, copy the id_rsa.pub file (the public key) generated earlier into it, and rename it authorized_keys. The permissions matter: with StrictModes yes (the default) sshd silently ignores the key if /root/.ssh is not mode 700 or authorized_keys is not mode 600, or if either is owned by another user. When the key was generated on the client, ssh-copy-id root@server does the copy and sets these permissions in one step.
The name and location of this file are defined in /etc/ssh/sshd_config and can be changed:
AuthorizedKeysFile .ssh/authorized_keys
After changing the configuration, check it with sshd -t and then restart sshd. Keep the session you are editing from open until a key-based login from a second session has succeeded; once password login is disabled, a mistake in the key setup locks you out.
#systemctl restart sshd
3. Client configuration
Copy the id_rsa file generated earlier to the client over a secure channel (scp, or a console), store it as the client's private key, for example ~/.ssh/id_rsa with mode 600, and connect with ssh -i ~/.ssh/id_rsa root@server. Then delete the private key from the server: the server only needs the public half in authorized_keys.
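The server-side part of the procedure above (steps 2 and 3 of this article), as an added example that is not code from the original article. It is written as shell functions with the paths as parameters so they can be tried against a scratch directory before being run against the real /root/.ssh and /etc/ssh/sshd_config. The function names are this example's own; the PermitRootLogin without-password setting is an addition beyond what the article configures (it keeps root on key-only access), and the sample public-key line used in the comments is constructed, not a real key.

```shell
#!/bin/bash
# Added example: idempotent helpers for installing a public key and hardening
# sshd_config for key-only login. Function names are this example's own.
set -eu

# Install a public key for one user. sshd with StrictModes yes (the default)
# ignores the key if ~/.ssh is accessible to others or authorized_keys is
# writable by others, so the modes are set explicitly instead of relying on umask.
# Usage: install_authorized_key /root /tmp/id_rsa.pub
install_authorized_key() {
    local home="$1" pubkey_file="$2"
    local dir="$home/.ssh" keys="$home/.ssh/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$keys"
    chmod 600 "$keys"
    # Append only if this exact line is absent, so re-running does not duplicate it.
    if ! grep -qxF -- "$(cat "$pubkey_file")" "$keys"; then
        cat "$pubkey_file" >> "$keys"
    fi
}

# Set "Key value" in an sshd_config file. An existing line for the key, whether
# active or commented out, is rewritten in place; otherwise the directive is appended.
# Limitation: a directive inside a Match block is rewritten as well, which would
# make the value apply only to that block; review such files by hand.
set_sshd_option() {
    local config="$1" key="$2" value="$3"
    local pattern="^[[:space:]]*#?[[:space:]]*${key}[[:space:]]"
    if grep -Eq "$pattern" "$config"; then
        sed -E "s|${pattern}.*|${key} ${value}|" "$config" > "$config.tmp"
        mv "$config.tmp" "$config"
    else
        printf '%s %s\n' "$key" "$value" >> "$config"
    fi
}

# Key-only login: enable public keys, disable passwords, and also disable
# keyboard-interactive (PAM) authentication, through which CentOS 7 would
# otherwise still accept the account password. Root keeps key-based access only
# ("without-password" is the spelling OpenSSH 6.6 on CentOS 7.2 understands).
# Usage: harden_sshd_config /etc/ssh/sshd_config
harden_sshd_config() {
    local config="$1"
    set_sshd_option "$config" PubkeyAuthentication yes
    set_sshd_option "$config" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$config" PasswordAuthentication no
    set_sshd_option "$config" ChallengeResponseAuthentication no
    set_sshd_option "$config" PermitRootLogin without-password
}
```

On the real server the sequence is: install_authorized_key /root /path/to/id_rsa.pub, confirm from a second terminal that ssh -i id_rsa root@server logs in without a password prompt, then harden_sshd_config /etc/ssh/sshd_config, sshd -t to validate the syntax, and systemctl restart sshd, all while the original session stays open in case of a mistake.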