大致步骤:在服务器端生成一对密钥,然后公钥保存在服务器用户目录.ssh下的authorized_keys2,是个隐藏的目录。私钥必须将id_dsa下载到客户端,然后通过puttygen.exe生成.ppk文件。当用户登录时,服务器会根据公钥来比较私钥,如果相符就允许登陆,否则拒绝。私钥只保存在客户端中,及时有人知道root密码,没有私钥也不能远程登录到服务器上。
CentOS 5.4 ssh key 配置:
1. Server:
1).shell# vi /etc/ssh/sshd_config 修改以下配置:
Port 20000
Protocol 2
PasswordAuthentication no
2).#为了安全起见,ssh key方式用普通用户登录,例如smallfish
[smallfish@tingso ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/smallfish/.ssh/id_dsa):
Created directory '/home/smallfish/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/smallfish/.ssh/id_dsa.
Your public key has been saved in /home/smallfish/.ssh/id_dsa.pub.
The key fingerprint is:
68:e2:be:31:5a:d0:3c:0f:6d:48:31:69:13:9c:58:f3 smallfish@tingso.com
3).shell$ chmmod o+x /home/smallfish
[smallfish@tingso .ssh]$ ls
id_dsa id_dsa.pub
4).mv id_dsa.pub authorized_keys2
5).download id_dsa to windows #一般为了方便下载到putty目录下,用于生成ppk文件
6).shell# service sshd restart
2. Client:
#生成ppk文件
1).open puttygen.exe--Conversions--import key--id_dsa--Enter passpharase for key--Save private key--保存为*.ppk(例如server.ppk)
#启动客户端测试
2).open putty.exe--Category-SSH-Auth-Private key file for authentication #导入ppk文件
#输入之前在server上设定的passphrase登录【LINUX公社 www.LinuxIDC.com 】
3).login as: smallfish
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":
Ok, 配置完成。
问题:
1.客户端用key登陆的时候提示:
Disconnected: No supported authentication methods available
解决:是由于在客户端puttygen生成ppk文件的时候重新用了Generate命令,直接导入id_dsa文件然后save private key即可。