SSH clients such as PuTTY are used to manage Linux servers remotely. A password, however, can be guessed by brute force, so the usual countermeasures are to move SSH off the default port 22 or to disable root login. There is a better way to stay secure while still logging in remotely as root: authenticate with a key.
Key login works as follows. Use a key generator to create a key pair, a public key and a private key. Add the public key to an account on the server and keep the private key on the client; the client then uses the private key to authenticate and log in. Without the private key, nobody can brute-force your password over SSH. Copying the public key to another account, or even to another host, lets you log in there with the same private key.
The same method can be used to pull Git code; section 3 shows how to configure the public key on Coding.net.
1. Create a key on the server
This section shows how to generate a key pair on a Linux server, add the public key to the account, configure SSH, and log in from a client.
1) Make a key pair
Generate the key pair on the server first. Log in with your password to the account you intend to use with the key, then run the following command:
Newer CentOS releases require a longer key; an insecure (too short) key is no longer accepted. The symptom is a server log line such as "userauth-request for user liexiang service ssh-connection method none [preauth]" together with a client error saying that no matching method could be found.
# -C annotates the public key with the given email (any comment works)
# with several keys, select the one to use per host in ~/.ssh/config (see section 2)
cd ~/
ssh-keygen
# or, with an explicit type, length and comment:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
The passphrase protects the private key if it is stolen; it must be entered whenever the private key is used. You can also leave it empty to get a fully passwordless login.
Two files are now generated in ~/.ssh: id_rsa is the private key and id_rsa.pub is the public key.
2) Install the public key on the server
(Recommended) Method 1: use ssh-copy-id
The command copies the public key to the remote machine and sets the file permissions automatically:
$ ssh-copy-id -i {dir-of-keys}/rsa2.pub user@host
(Not recommended) Method 2: log in to the server and set up the files and permissions manually
Run the following commands to install the public key on the server:
$ cd ~/.ssh
$ cat id_rsa.pub >> authorized_keys
This completes the installation of the public key. To ensure a successful connection, ensure that the following file permissions are correct:
$ chmod 600 authorized_keys
$ chmod 700 ~/.ssh
3) Set SSH and enable the key login function
Edit the /etc/ssh/sshd_config file and set the following parameters:
# RSAAuthentication yes   (deprecated since CentOS 7.4; no longer needed)
PubkeyAuthentication yes
In addition, check whether the root user can log in through SSH:
PermitRootLogin yes
Once all settings are in place and you have logged in successfully with the key, disable password login:
PasswordAuthentication no
Finally, restart the SSH service:
$ systemctl restart sshd
2. Configure the private keys on the client with a config file
During development you may need to connect to several remote servers and also configure a private key for your Git server. Many servers should not share one private key; each server should use its own. By default SSH reads $HOME/.ssh/id_rsa as the private key to log in with. To log in to different servers with different private keys, write a config file in the .ssh directory.
The config file simply states which private key and which user to use for which remote server. An example configuration:
Host github.com
    User jaychen
    IdentityFile ~/.ssh/id_rsa.github
Host 192.168.1.1
    User Ubuntu
    IdentityFile ~/.ssh/id_rsa.xxx
Another form maps an alias to a real address:
Host test-liexiang
    HostName 192.168.1.21
    User liexiang
    IdentityFile ~/.ssh/test-liexiang
The parameter meanings of the config file are as follows:
- Host is the name or IP address of the remote host (or an alias, in which case HostName gives the real address).
- User refers to the User who logs in to the remote host.
- IdentityFile specifies which private key file to use.
After writing the config file, set its permissions to rw-r--r-- (chmod 644). If the permissions are too open, SSH refuses to log in.
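To see which key and user a Host entry will actually resolve to before connecting, the following added example (not code from the original post) parses a config in the format above the way ssh does: an exact Host match or the "Host *" wildcard selects a block, the first value seen for a keyword wins, HostName defaults to the name given and IdentityFile to ~/.ssh/id_rsa. The sample config is constructed; Host lines with several patterns or negations are not handled.

```shell
#!/bin/sh
# Added example: resolve a Host entry from an ssh config the way ssh does.
# Not the page's own code. Only exact Host names and "Host *" are supported.

# Constructed sample config (assumed content, modelled on the entries above).
SAMPLE_CONFIG='Host github.com
    User jaychen
    IdentityFile ~/.ssh/id_rsa.github
Host test-liexiang
    HostName 192.168.1.21
    User liexiang
    IdentityFile ~/.ssh/test-liexiang
Host *
    User fallback
'

# Usage: ssh_config_lookup "$config_text" host
# Prints "hostname user identityfile"; returns 1 if no block applies to host.
# First value wins, as in ssh; HostName falls back to the name given and
# IdentityFile to ~/.ssh/id_rsa.
ssh_config_lookup() {
    printf '%s\n' "$1" | awk -v want="$2" '
        tolower($1) == "host" {
            inblock = ($2 == want || $2 == "*")
            if (inblock) found = 1
            next
        }
        inblock && tolower($1) == "hostname"     && hn == "" { hn = $2 }
        inblock && tolower($1) == "user"         && u  == "" { u  = $2 }
        inblock && tolower($1) == "identityfile" && id == "" { id = $2 }
        END {
            if (!found) exit 1
            if (hn == "") hn = want
            if (id == "") id = "~/.ssh/id_rsa"
            print hn, u, id
        }'
}

# Stand-alone run: show what the sample config resolves for the alias.
ssh_config_lookup "$SAMPLE_CONFIG" test-liexiang
```

Run it against your real file with `ssh_config_lookup "$(cat ~/.ssh/config)" somehost`; if the IdentityFile printed is not the key you expect, that is why the server sees the wrong key or none at all.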
3. Pull or push Git code without a password
As I understand deployment, it means that the code can be deployed to the target server quickly and automatically, provided the user guarantees the quality of the code.
For details, see Configuring SSH Public Keys.
The host configuration is the same as above.
1) Add the public key to Coding.net
Print the deploy public key:
$ cat coding.pub
Paste the deploy public key into the deploy key settings on the Git project's management page.
2) Test whether you can connect to the Coding.net server
# Note: git.coding.net sits behind a CDN, so it resolves to several different IP addresses
$ ssh -T git@coding
The authenticity of host 'git.coding.net (123.59.85.184)' can't be established.
RSA key fingerprint is 98:ab:2b:30:60:00:82:86:bb:85:db:87:22:c4:4f:b1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'git.coding.net,123.59.85.184' (RSA) to the list of known hosts.
Coding.net: Connected to Coding.net via SSH. This is a deploy key
The connection is now considered successful.
3) Clone the code
Find the SSH address on the Coding.net website (ignore the exact address; Tencent and Coding are merging at the moment):
$ git clone [email protected]:user/project.git
From now on the code can be updated without a password.
4. Q&A
If you run into login problems while setting this up, trace them as follows:
1) Log in with SSH in verbose mode
ssh -vvv server_name
On the server, raise the sshd log level to DEBUG to see detailed error information:
$ vim /etc/ssh/sshd_config
# before
# LogLevel INFO
# changed to
LogLevel DEBUG
# restart sshd (systemctl restart sshd) so the new log level takes effect, then watch the log as below
View the server's login log:
$ tail -20f /var/log/secure
Jun 9 12:05:11 23 sshd[26890]: debug1: PAM: setting PAM_RHOST to "192.168.1.101"
Jun 9 12:05:11 23 sshd[26890]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 9 12:05:11 23 sshd[26890]: debug1: userauth-request for user liexiang service ssh-connection method publickey [preauth]
Jun 9 12:05:11 23 sshd[26890]: debug1: attempt 1 failures 0 [preauth]
Jun 9 12:05:11 23 sshd[26890]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Jun 9 12:05:11 23 sshd[26890]: debug1: trying public key file /home/user/.ssh/authorized_keys
Jun 9 12:05:11 23 sshd[26890]: debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys': Permission denied
Jun 9 12:05:11 23 sshd[26890]: debug1: restore_uid: 0/0
In this log the key is rejected because sshd cannot read authorized_keys ("Permission denied"); fix the file and directory permissions as described in section 1.
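The permission rules from section 1 (chmod 700 on ~/.ssh, chmod 600 on authorized_keys) and the "Could not open authorized keys ... Permission denied" line in the log above are two sides of the same failure. The following added example (not code from the original post) audits a .ssh directory for the modes sshd requires and maps the debug log messages shown on this page to the likely cause. It assumes GNU stat with the -c '%a' option; the sample log text is constructed from the lines above.

```shell
#!/bin/sh
# Added example: audit ~/.ssh permissions and triage sshd debug log lines.
# Not the page's own code. Assumes GNU stat (-c '%a').

# Return 0 when DIR is not group/other-writable, authorized_keys (if present)
# is not group/other-writable, and every private key id_* is owner-only.
# These are the conditions behind "chmod 700 ~/.ssh" and
# "chmod 600 authorized_keys"; sshd refuses the key when they fail.
ssh_dir_perms_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    m=$(stat -c '%a' "$dir")
    [ $(( 0$m & 022 )) -eq 0 ] || return 1          # group/other write bits must be clear
    if [ -e "$dir/authorized_keys" ]; then
        m=$(stat -c '%a' "$dir/authorized_keys")
        [ $(( 0$m & 022 )) -eq 0 ] || return 1
    fi
    for key in "$dir"/id_*; do
        [ -e "$key" ] || continue                  # glob matched nothing
        case $key in *.pub) continue ;; esac       # public halves may be world-readable
        m=$(stat -c '%a' "$key")
        [ $(( 0$m & 077 )) -eq 0 ] || return 1     # private key: owner only
    done
    return 0
}

# Constructed sample, taken from the debug log lines quoted on this page.
SAMPLE_LOG="Jun 9 12:05:11 23 sshd[26890]: debug1: userauth-request for user liexiang service ssh-connection method publickey [preauth]
Jun 9 12:05:11 23 sshd[26890]: debug1: trying public key file /home/user/.ssh/authorized_keys
Jun 9 12:05:11 23 sshd[26890]: debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys': Permission denied"

# Map an sshd LogLevel DEBUG excerpt to the most likely cause. Only the
# messages that appear on this page are recognised; returns 1 if none match.
sshd_log_hint() {
    printf '%s\n' "$1" | awk '
        /Could not open authorized keys/ && /Permission denied/ {
            print "authorized_keys not readable by sshd: chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys"
            found = 1; exit
        }
        /userauth-request .* method none/      { sawnone = 1 }
        /userauth-request .* method publickey/ { sawkey = 1 }
        END {
            if (found) exit 0
            if (sawnone && !sawkey) {
                print "client offered no key: check IdentityFile in ~/.ssh/config and the key type/length"
                exit 0
            }
            exit 1
        }'
}

# Stand-alone run (set SSH_AUDIT=1): audit the current user's ~/.ssh and
# triage the sample log.
if [ -n "${SSH_AUDIT:-}" ]; then
    if ssh_dir_perms_ok "$HOME/.ssh"; then echo "permissions OK"; else echo "fix permissions"; fi
    sshd_log_hint "$SAMPLE_LOG" || echo "no known cause found in log"
fi
```

Feed `sshd_log_hint` the output of `tail -20 /var/log/secure` (or `grep sshd`) after a failed login; run `ssh_dir_perms_ok ~/.ssh` on the server as the target user, since sshd checks ownership as well as mode and a file owned by root in the user's directory fails the same way.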