How to set up SSH key authentication in Linux system

SSH (Secure Shell) is an encrypted network protocol that is widely used to safely run network services on insecure networks.

SSH provides encrypted communication and authentication methods, which will make data transmission more secure and reliable.

SSH key authentication is a more secure authentication method and is more recommended than traditional password authentication. In terms of security, SSH key authentication provides a higher level of protection because it is based on an encryption mechanism of public and private keys, effectively reducing the risk of password cracking.

Password authentication is not very secure in many cases because passwords can be guessed, cracked, or even threatened by man-in-the-middle attacks during transmission. This emphasizes the importance of adopting more sophisticated and multi-layered security measures to ensure that users’ identities and data are more effectively protected.

Key authentication is by using a combination of public and private keys, which greatly increases security.

The user's private key is saved locally, while the public key is stored on the remote server. This arrangement increases security because even if an attacker intercepts the public key, it is difficult to reversely deduce the private key. This method provides a more reliable authentication method.

Generate SSH key pair

First of all, you need to make sure that the OpenSSH tool has been installed on your Linux system.

Most Linux distributions usually come with this tool pre-installed. If it is not installed on your system, it can be easily installed through the package manager.

Install OpenSSH using apt on Debian/Ubuntu:

sudo apt update
sudo apt install openssh-client openssh-server

Use yum to install OpenSSH on Red Hat/CentOS:

sudo yum install openssh-clients openssh-server

Use ssh-keygenGenerate key pair

Once OpenSSH is installed, you can generate an SSH key pair using the ssh-keygen command.

The basic usage of the command is as follows:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

• -t rsa Specifies the key type to be RSA.
• -b 4096 Specifies the key length to be 4096 bits to improve security.
• -C "your_email@example.com" Add a comment, usually using your email address.

After generating the key pair, you can choose to store it in the default location (~/.ssh/ directory) or choose another location.

The generated key pair includes two files: private key file (id_rsa) and public key file (id_rsa.pub). The private key file is stored locally, while the public key file needs to be copied to the remote server.

Private keys are sensitive information and must be kept properly. The public key is public information used for authentication.

Key storage and management

By default, the generated SSH key pair will be stored in the user's ~/.ssh/ directory. This directory contains two main files: id_rsa (private key) and id_rsa.pub (public key). This setup is to make it easier for users to find and manage keys when using SSH.

However, sometimes for security or organizational reasons, you may want to store the key elsewhere. This can be achieved by specifying the storage path when generating the key pair.

For example:

ssh-keygen -t rsa -b 4096 -f /path/to/your/keys/my_key -C "your_email@example.com"

This will store the private key as /path/to/your/keys/my_key and the public key as /path/to/your/keys/my_key.pub.

SSH Key Agent is a program that can manage SSH private keys and cache the decrypted password of the private key after a login so that subsequent SSH operations do not require re-entering the password.

1. Start SSH agent:

eval "$(ssh-agent -s)"

2. Add the private key to the agent:

ssh-add ~/.ssh/id_rsa

In this way, you do not need to enter the private key password every time you log in via SSH, which improves the convenience and security of use.

In actual use, you may have multiple key pairs for different servers or purposes.

To better manage these key pairs, you can use SSH configuration files or aliases for key files.

Configure SSH server

Log in to the target server

Before you can log in to the target server using SSH key authentication, ensure that the SSH service is enabled on the target server. In most Linux systems, the SSH service is started by default.

ssh username@your_server_ip

Make sure to replace username with your username and your_server_ip with the IP address of the target server. This will attempt to log in using default password authentication.

Manually install the public key

Manually installing a public key is a basic method that involves adding the contents of your public key to the ~/.ssh/authorized_keys file on the target server.

1. Copy the local public key content to the clipboard:

cat ~/.ssh/id_rsa.pub

2. On the target server, use a text editor to open the ~/.ssh/authorized_keys file:

nano ~/.ssh/authorized_keys

3、将剪贴板上的公钥内容粘贴到文件末尾，并保存文件。

4、回到本地机器，尝试使用密钥身份验证登录：

ssh username@your_server_ip

通过ssh-copy-id简化公钥部署

ssh-copy-id 命令可以简化将本地公钥复制到远程服务器的过程。

这个命令会自动处理将公钥添加到目标服务器的 ~/.ssh/authorized_keys 文件中。

ssh-copy-id username@your_server_ip

确保替换 username 为你的用户名，your_server_ip 为目标服务器的 IP 地址。这个命令将提示你输入用户密码，然后将本地公钥复制到目标服务器上。

通过这两种方法，你可以在目标服务器上配置 SSH 密钥身份验证，提高登录的安全性和便利性。

SSH 配置文件详解

~/.ssh/config 文件的作用和结构

~/.ssh/config 文件是一个用于配置 SSH 客户端行为的配置文件。

它允许你为不同的主机设置自定义的配置选项，从而简化 SSH 连接的管理。

创建 ~/.ssh/config 文件：

touch ~/.ssh/config

编辑 ~/.ssh/config 文件：

nano ~/.ssh/config

使用别名、端口号等配置项简化SSH连接

配置文件中可以包含多个主机条目，每个条目定义了连接到远程主机的配置选项。

以下是一个简单的例子：

Host example
HostName your_server_ip
User username
Port 2222
IdentityFile ~/.ssh/id_rsa

• Host：设置别名，用于代替实际的主机名。
• HostName：远程主机的 IP 地址或域名。
• User：连接时使用的用户名。
• Port：SSH 连接的端口号。
• IdentityFile：指定用于身份验证的私钥文件路径。

实际场景中的示例配置文件

以下是一个更为复杂的 ~/.ssh/config 文件，涵盖了多个主机和配置选项：

Host work
HostName work.example.com
User alice
Port 22
IdentityFile ~/.ssh/work_key

Host personal
HostName personal.example.org
User bob
Port 2222
IdentityFile ~/.ssh/personal_key

Host github
HostName github.com
User git
IdentityFile ~/.ssh/github_key

这样，你只需要使用别名就能够轻松连接到相应的主机，而不必记住每个主机的详细信息。

限制和加固SSH访问

禁用密码身份验证

禁用密码身份验证是提高 SSH 安全性的重要步骤之一。

这样，用户只能通过密钥身份验证进行访问，而不再依赖弱密码。

在sshd_config中禁用密码身份验证：

1、打开 sshd_config 文件：

sudo nano /etc/ssh/sshd_config

2、找到并修改以下行：

PasswordAuthentication no

3、保存文件并重新启动 SSH 服务：

sudo service ssh restart

使用sshd_config文件设置访问限制

sshd_config 文件包含了用于配置 SSH 服务器的各种选项。

通过适当配置，你可以限制用户访问、定义允许登录的用户、设置登录时的认证方式等。

一些常用的 sshd_config 选项：

• AllowUsers：指定允许登录的用户列表。
• DenyUsers：指定禁止登录的用户列表。
• AllowGroups：指定允许登录的用户组列表。
• DenyGroups：指定禁止登录的用户组列表。
• PermitRootLogin：禁用或限制 root 用户的远程登录。

示例：

AllowUsers alice bob
DenyUsers mallory
AllowGroups sshusers
DenyGroups badusers
PermitRootLogin no

The above is the detailed content of How to set up SSH key authentication in Linux system. For more information, please follow other related articles on the PHP Chinese website!