Why Use SSH Key Login (Password-Free Login)

In Linux server management, SSH (Secure Shell) is a common tool for remote connection. While traditional password login is simple, it carries the risk of password brute-force attacks. SSH key login (password-free login) uses asymmetric encryption, offering higher security and eliminating the need to enter a password repeatedly, making it more convenient.

Prerequisites

  • Client: Local computer (Windows/Linux/macOS). Ensure an SSH client is installed: Linux/macOS have it pre-installed; Windows needs tools like Git Bash or PuTTY.
  • Server: Target Linux server (e.g., CentOS, Ubuntu). Verify the SSH service is installed (usually pre-installed; check with ssh -V).

Step 1: Generate SSH Key Pair (Client)

Generate a private key (local-only, for authentication) and a public key (upload to the server) on the local client.

  1. Open the local terminal (Terminal for Linux/macOS, Git Bash for Windows) and run:
   ssh-keygen -t rsa -b 4096
  • -t rsa: Specifies the key type as RSA.
  • -b 4096: Key length (4096 bits for higher security; optional, default is 2048 bits).
  2. Follow the prompts:
    - Press Enter to accept the default path for the key file (~/.ssh/id_rsa, where ~ is the user’s home directory).
    - Leave the passphrase empty (otherwise, you’ll be prompted for the passphrase every time you connect; recommended for beginners). Without a passphrase the private key is stored unencrypted, so anyone who can read the file can log in with it.

  3. After generation, two files appear in ~/.ssh:
    - id_rsa: Private key (keep this secure; set permissions to 600).
    - id_rsa.pub: Public key (safe to share; used for uploading to the server).

Step 2: Copy Public Key to Server

Upload the client’s public key to the server’s ~/.ssh/authorized_keys (where the server stores allowed public keys).

Case 1: Linux/macOS Client (ssh-copy-id)

Run the command (replace username and server_ip):

ssh-copy-id -i ~/.ssh/id_rsa.pub username@server_ip
  • -i: Specifies the public key file path (default ~/.ssh/id_rsa.pub).
  • Enter the server password, and the public key will be automatically copied to ~/.ssh/authorized_keys with proper permissions.

Case 2: Windows Client (Manual Copy)

  1. Open the local public key file id_rsa.pub (via Notepad or a text editor) and copy its content.
  2. Log in to the server (via password), then run in the terminal:
   mkdir -p ~/.ssh  # Create .ssh directory if it doesn’t exist
   cd ~/.ssh
   echo "public_key_content" >> authorized_keys  # Paste the copied public key
   chmod 600 authorized_keys  # Set permissions for the public key file (critical!)
   chmod 700 ~/.ssh  # Set permissions for the .ssh directory

Step 3: Server-Side Configuration (Allow Key Login)

Ensure the server’s SSH service (sshd) allows public key authentication and optionally disables password login.

  1. Edit the SSH config file sshd_config:
   sudo vim /etc/ssh/sshd_config
  2. Verify/modify these key options (ensure they are uncommented and set as shown):
    - PubkeyAuthentication yes: Enable public key authentication (default is yes).
    - AuthorizedKeysFile .ssh/authorized_keys: Specify the public key file path (default is correct).
    - To disable password login (only allow key login), set PasswordAuthentication no (keep it at yes until key login is confirmed working, so you cannot lock yourself out).

  3. Save the file and restart the SSH service:

   sudo systemctl restart sshd  # CentOS/RHEL
   # or
   sudo systemctl restart ssh  # Ubuntu/Debian

Step 4: Test Client Connection (Password-Free Login)

After configuration, connect to the server without a password:

  1. Run the connection command:
   ssh username@server_ip
  • On the first connection, you’ll be prompted: “Are you sure you want to continue connecting (yes/no)?” Enter yes.
  • You’ll log in successfully without entering a password!

Common Issues & Solutions

  1. Permission Errors:
    - Server: authorized_keys must have 600 permissions (chmod 600 ~/.ssh/authorized_keys); otherwise, you’ll get “Permission denied”.
    - Client: id_rsa must have 600 permissions (chmod 600 ~/.ssh/id_rsa); otherwise, SSH will warn “Bad permissions on private key file”.

  2. Still Prompted for Password:
    - Check that PubkeyAuthentication is set to yes in sshd_config (server-side).
    - Confirm the public key is correctly copied to authorized_keys with no extra spaces/newlines.

  3. Forgot Private Key Passphrase:
    - If you set a passphrase during key generation, enter it when connecting. If not (left empty in Step 1), no passphrase is needed.
    - To reset, delete ~/.ssh/id_rsa and id_rsa.pub, then re-generate keys via Step 1.
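
The permission and sshd_config checks from issues 1 and 2 above can be scripted. The following is an added example, not part of the original guide: the function names and the sample data are made up for illustration, and it reads only the global section of a single config file (Include files are not followed).

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Function names are hypothetical.

# Octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
file_mode() { { stat -c '%a' "$1" || stat -f '%Lp' "$1"; } 2>/dev/null; }

# Global value of an sshd_config keyword. Keywords are case-insensitive,
# comment lines are skipped, the first occurrence wins, and scanning stops at
# the first "Match" line because what follows is conditional.
sshd_value() {  # usage: sshd_value <config-file> <keyword>
  awk -v want="$2" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(want) { print $2; exit }' "$1"
}

# Print one FIX line per problem, plus a NOTE while password login is on.
audit_key_login() {  # usage: audit_key_login <home-dir> <sshd_config>
  local home="$1" conf="$2" f v
  [ "$(file_mode "$home/.ssh")" = 700 ] || echo "FIX: chmod 700 $home/.ssh"
  for f in authorized_keys id_rsa; do
    [ -e "$home/.ssh/$f" ] || continue
    # The guide prescribes 600; any mode with no group/other access passes.
    case $(file_mode "$home/.ssh/$f") in
      ?00) ;;
      *) echo "FIX: chmod 600 $home/.ssh/$f" ;;
    esac
  done
  v=$(sshd_value "$conf" PubkeyAuthentication)
  [ "${v:-yes}" = yes ] || echo "FIX: set PubkeyAuthentication yes (found '$v')"
  v=$(sshd_value "$conf" PasswordAuthentication)
  [ "${v:-yes}" = no ] || echo "NOTE: PasswordAuthentication is still enabled"
}

# Constructed sample: a sandbox home with a too-open authorized_keys, and a
# config whose first PubkeyAuthentication line (the one sshd uses) says no.
demo() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/.ssh" && chmod 700 "$d/.ssh"
  echo "ssh-rsa AAAA...constructed user@host" > "$d/.ssh/authorized_keys"
  chmod 644 "$d/.ssh/authorized_keys"
  printf '%s\n' '#PubkeyAuthentication yes' 'pubkeyauthentication no' \
    'PubkeyAuthentication yes' 'Match User backup' \
    '  PasswordAuthentication no' > "$d/sshd_config"
  audit_key_login "$d" "$d/sshd_config"
  rm -rf "$d"
}
demo
```

On a live server, sudo sshd -T prints the settings sshd actually uses, including anything pulled in from Include files.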

Summary

SSH key login avoids password leakage risks while simplifying the login process. The core steps are: generate key pair → upload public key to server → configure server to allow key login. Pay attention to file permissions and configuration correctness. Practice in a local environment before deploying to production.

Tip: To fully disable password login, set PasswordAuthentication no in sshd_config and restart the SSH service.

Xiaoye