There are three ways of ssh remote login authentication: Password, Keyboard Interactive and Public Key.
The first two methods are password authentication, but the first method does not require delivery, while the second method requires interaction. The first method is generally used because compared to the second method, the first method can log in with one click as long as the username and password are set in advance in the ssh terminal. The third method of public key authentication is the safest login method because the authentication information does not need to be transmitted on the Internet, and this is also the default method used by cloud servers.
The following are the specific setup steps.
Log in to the target Linux server as the root user and enter the command to generate the public and private keys as follows:
ssh-keygen -t rsa
Note: Here, the command is used to generate the public and private keys on the target Linux server, but this step does not have to be generated on the target server. You can also generate the public and private keys separately, and then upload the public key to the target server (if there are a large number of servers that need to be uniformly configured with public key login, this method is the most suitable), for example, generate the public and private keys in the client system, and then use the command:
ssh-copy-id username@ip_address
Upload the public key to the authorized_keys file of the target host of the target server. Of course, you can also use a third-party tool to generate public and private keys. You can choose the method that suits you.
File permission settings:
cd /root/.ssh ls
You can see the RSA public key and private key that have been generated:
Set permissions for the key folder and the corresponding public and private key files respectively:
chmod 700 /root/.ssh/ chmod 600 ~/.ssh/id_rsa chmod 644 ~/.ssh/id_rsa.pub
Add the public key to the ~/.ssh/authorized_keys file:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Modify the configuration file of the sshd service to enable public key authentication:
vim /etc/ssh/sshd_config -------------------------- PubkeyAuthentication yes //Remove # and change it to yes. In fact, if it has not been modified, this is the system default configuration
If you need to configure the root user's ssh public key login, you also need to do the following configuration:
vim /etc/ssh/ssh_config ---------------------------- #PermitRootLogin prohibit-password //Remove #
After modifying the configuration file, remember to restart the ssh service:
systemctl restart ssh
Finally, download the private key file ~/.ssh/id_rsa and import it into the corresponding ssh client that needs to log in to the target Linux server (or the /.ssh folder in the user's home directory).
Note 1: Essentially, each SSH client uploads its own RSA public key to the authorized_keys file (whitelist) on the target Linux server. Then, during login, the target Linux server uses the public keys in the whitelist to verify the identity of each SSH client.
Note 2: The `ssh-copy-id username@ip_address` used in this article usually works correctly when only a single SSH public key exists locally. However, in real-world production environments, multiple public-private key pairs are often maintained locally. If the key file is not explicitly specified, `ssh-copy-id` may select an unexpected public key and write it to the target host, leading to authentication failure or the inability to achieve the expected passwordless login. Therefore, it is recommended to explicitly specify the target public key file using the `-i` parameter to ensure the correct deployment of the corresponding key and avoid login problems caused by inconsistent key selection.