Linux Change password login method To log in safely with Key key to avoid password cracking by brute force

First make sure your system has openssl installed

 

openssl -V

 

# Under normal circumstances, a large number of content will be returned. If it prompts -bash: openssl: command not found, it means that it is not installed. Use the following command to install:

# CentOS system:

yum install openssl -y

 

# Debian/Ubuntu system

apt-get install openssl -y

Generate key pair

When we execute the following command, the ssh key pair (private key + public key) will be generated, which is generated according to the following prompts.

 

ssh-keygen

Generating public/private rsa key pair.

 

Enter file in which to save the key (/root/.ssh/id_rsa):

# Enter the location of the key file to be saved, and press Enter directly.

 

Created directory'/root/.ssh'.

 

Enter passphrase (empty for no passphrase):

# Enter the password of the key, you can directly enter and leave it blank, or you can enter the password to further enhance security (key + password double insurance)

Enter same passphrase again:

# Repeat the key password

 

Your identification has been saved in /root/.ssh/id_rsa.

# Your private key location /root/.ssh/id_rsa

Your public key has been saved in /root/.ssh/id_rsa.pub.

# Your public key location /root/.ssh/id_rsa.pub

 

The key fingerprint is:

7c:25:bd:54:f5:fc:60:c0:86:c1:a0:32:7d:8a:80:c4 root@debian

The key's randomart image is:

+--[ RSA 2048]----+

| .o.+..o..|

| o.. o o + o.|

|. E o.. .O + o|

|. + + o o o.|

|.. S.. .|

|. |

|. |

| |

| |

+-----------------+

Configure server public key

After generating the key pair, we need to configure it on the server before it can be used:

 

Configure public key

cd .ssh

# Enter the .ssh directory

 

ls -a

#. .. id_rsa id_rsa.pub

# View the public key (id_rsa.pub) and private key (id_rsa) under the current folder (/root/.ssh/)

 

mv id_rsa.pub authorized_keys

# Rename the public key (id_rsa.pub)

 

ls -a

#. .. authorized_keys id_rsa

# Check again if the public key under the current folder (/root/.ssh/) is successfully renamed

 

chmod 600 authorized_keys

chmod 700 ~/.ssh

# Then modify the permissions of the key file to avoid being modified/deleted by other users.

# chmod 600-Only the owner has read and write permissions.

# chmod 700-Only the owner has read, write, and execute permissions.

Configure SSH

Then we need to configure SSH, and we need to enable the Key key login option (usually it is enabled by default)

 

vi /etc/ssh/sshd_config

Open the configuration file and find the following parameters:

 

RSAAuthentication yes

PubkeyAuthentication yes

# yes means open key login

Generally, yes is turned on by default, if not, then change to yes.

 

Then restart SSH:

 

/etc/init.d/ssh restart

# If this prompt does not find the service, then try /etc/init.d/sshd restart

# CentOS7 then use: systemctl restart sshd

Configure client private key

After the server is configured, we also need to configure the SSH connection client.

 

Retrieve the private key locally

cat /root/.ssh/id_rsa

# If the private key generation location is different, change it yourself

First, we read the id_rsa key file, and then a large number of keys will be output on the screen. We create a new text file on the local computer, and copy the key on the screen and write it into the file. The file is named id_rsa ( The name is arbitrary, but the key file must be saved!).

 

# The key file is like this

 

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-128-CBC,EA47822BC49A9E56338A99D07084DA38

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

...

...

-----END RSA PRIVATE KEY-----

SSH connection tool can import the private key connection

 

Xshell import private key

First, open the properties of the current session-connection-user authentication.

 

Select Public Key as the user authentication method, and then we click the Browse button.

 

 

 

In the user key management window, click the Import button and select the private key file id_rsa we just retrieved.

 

After selection, you will be asked to enter the private key password. If you set the password when generating the key pair above, then enter the password, otherwise leave it blank. Then click the OK button to continue.

 

 

 

 

 

Select the user key you just added and click the OK button. (For better identification, you can rename the name to avoid confusion about which server the key belongs to)

 

 

 

At this time, we return to the user authentication setting window, we fill in the user name: root, password: the password of the user key, and click the OK button.

 

 

 

Then we can disconnect the server connection, and then try to reconnect to the server (connect with the key). If something goes wrong, it's okay. We haven't closed the password login yet. You can also log in with the password to troubleshoot.

 

If it is determined that the Key can be used to log in normally, then we need to turn off the password login method.

 

Turn off password login

We open the SSH configuration file and find the following parameter.

 

vi /etc/ssh/sshd_config

 

# By default this parameter option is no, if not, change to no, if there is a comment character # in front of it, then remove #

PasswordAuthentication no

Finally restart SSH:

 

/etc/init.d/ssh restart

# If this prompt does not find the service, then try /etc/init.d/sshd restart

other instructions

Multiple servers share the same key

When you have many servers, but you don't want to generate a separate key for each server, then you can share a key for multiple servers.

 

The public key location is also the same as the above tutorial. Assuming that we are a ROOT user, then create a new .ssh directory under the /root directory:

 

mkdir /root/.ssh

Then upload one of your public keys (authorized_keys) to the /root/.ssh directory of other servers via FTP/SFTP

 

Or write to the /root/.ssh directory of other servers by reading and writing

 

cat authorized_keys

# Read the content of your public key file on the server, if you can directly open the copied content locally

 

echo -e "xxxx"> /root/.ssh/authorized_keys

# Then change the xxxx of the above code to the content of the public key file you copied, and then use the above command to write it into the /root/.ssh/authorized_keys file.

Was this answer helpful? 2 Users Found This Useful (2 Votes)