0. Overview
In the Server Security Series, I emphasized that if you want to log in with the root account, it is strongly recommended to use a key instead of a password. This avoids the risk of password cracking, and every IP that submits a wrong password can be banned, because I do not use passwords to log in at all.
1. Generate a key pair
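Run:

```bash
# Make sure the .ssh directory exists (-p: no error if it is already there)
mkdir -p ~/.ssh
# Keep the directory private to its owner
chmod 700 ~/.ssh
# Create a new key pair
ssh-keygen -t rsa
```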
Here, rsa is the key algorithm passed to -t. The supported values are dsa, ecdsa, ecdsa-sk, ed25519, ed25519-sk and rsa.
Pagoda recommends using ED25519, but I suggest that whichever type you use, you also generate at least one RSA key, because many platforms do not support non-RSA keys, for example Pagoda's own Baota Cloud Control Platform.
You need to enter the key storage location and a passphrase:
```
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):~/.ssh/id_rsa_2
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa_2
Your public key has been saved in /root/.ssh/id_rsa_2.pub
The key fingerprint is:
SHA256:2wxQFK0Y0AIfjUelIejxNNMV3Eco+oxjLg4 root@MyDemoServer
The key's randomart image is:
+---[RSA 3072]----+
| o...oo. |
| . . o+.o.. |
|o oo++..|
|o.. *.=.. |
|.+O =++S|
|+.+ =++o.= |
|+E.o==o.o|
| o... |
| +++ |
+----[SHA256]-----+
```
The default files are /root/.ssh/id_rsa and /root/.ssh/id_rsa.pub. If the file already exists, ssh-keygen prompts:

```
/root/.ssh/id_rsa already exists.
Overwrite (y/n)?
```

Overwriting is not recommended at this point, because existing services that rely on the old key may be affected. Enter n to exit, then run the command again with a different file name, such as /root/.ssh/id_rsa_2.
Leave the passphrase blank to set none; otherwise you need to enter the passphrase every time you use the key to log in.
After completion, you can see two files under /root/.ssh/: one is the private key, and the one with the .pub suffix is the public key.
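Assuming the public key is /root/.ssh/id_rsa.pub, add it to the authorized keys:

```bash
# Make sure authorized_keys exists
touch /root/.ssh/authorized_keys
# Only the owner should be able to read or write it
chmod 600 /root/.ssh/authorized_keys
# Append the public key to the end of the file
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
```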
Then download id_rsa (the private key); you can log in with this key.