How To Set Up SSH Keys on CentOS 8
Introduction

SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a CentOS server, chances are you will spend most of your time in a terminal session connected to your server through SSH.

In this guide, we’ll focus on setting up SSH keys for a CentOS 8 server. SSH keys provide a straightforward, secure method of logging into your server and are recommended for all users.

Step 1 — Creating the RSA Key Pair

The first step is to create a key pair on the client machine (usually your local computer):


  • ssh-keygen


By default, ssh-keygen will create a 2048-bit RSA key pair, which is secure enough for most use cases (you may optionally pass in the -b 4096 flag to create a larger 4096-bit key).

After entering the command, you should see the following prompt:


Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):

Press ENTER to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path.


If you had previously generated an SSH key pair, you may see the following prompt:


/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?

If you choose to overwrite the key on disk, you will not be able to authenticate using the previous key anymore. Be very careful when selecting yes, as this is a destructive process that cannot be reversed.

You should then see the following prompt:


Enter passphrase (empty for no passphrase):

Here you may optionally enter a secure passphrase, which is highly recommended. A passphrase adds an additional layer of security to your key, to prevent unauthorized users from logging in.

You should then see the following output:


Your identification has been saved in /your_home/.ssh/id_rsa.
Your public key has been saved in /your_home/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:2e:2a:5e:33:3e:a9:de:4e:77:11:58:b6:90:26 username@remote_host
The key's randomart image is:
+--[ RSA 2048]----+
|     ..o         |
|   E o= .        |
|    o. o         |
|        ..       |
|      ..S        |
|     o o.        |
|   =o.+.         |
|. =++..          |
|o=++.            |
+-----------------+

You now have a public and private key that you can use to authenticate. The next step is to get the public key onto your server so that you can use SSH-key-based authentication to log in.

Step 2 — Copying the Public Key to Your CentOS Server

The quickest way to copy your public key to the CentOS host is to use a utility called ssh-copy-id. This method is highly recommended if available. If you do not have ssh-copy-id available to you on your client machine, you may use one of the two alternate methods that follow (copying via password-based SSH, or manually copying the key).

Copying your Public Key Using ssh-copy-id

The ssh-copy-id tool is included by default in many operating systems, so you may have it available on your local system. For this method to work, you must already have password-based SSH access to your server.

To use the utility, you need only specify the remote host that you would like to connect to and the user account that you have password SSH access to. This is the account to which your public SSH key will be copied:

  • ssh-copy-id username@remote_host

You may see the following message:


The authenticity of host ' (' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type yes and press ENTER to continue.

Next, the utility will scan your local account for the id_rsa.pub key that we created earlier. When it finds the key, it will prompt you for the password of the remote user’s account:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@'s password:

Type in the password (your typing will not be displayed for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your ~/.ssh/id_rsa.pub key into the remote account’s ~/.ssh/authorized_keys file.

You should see the following output:


Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@'"
and check to make sure that only the key(s) you wanted were added.

At this point, your id_rsa.pub key has been uploaded to the remote account. You can continue on to .

Copying Public Key Using SSH

If you do not have ssh-copy-id available, but you have password-based SSH access to an account on your server, you can upload your keys using a more conventional SSH method.

We can do this by using the cat command to read the contents of the public SSH key on our local computer and piping that through an SSH connection to the remote server.


On the other side, we can make sure that the ~/.ssh directory exists and has the correct permissions under the account we’re using.


We can then output the content we piped over into a file called authorized_keys within this directory. We’ll use the >> redirect symbol to append the content instead of overwriting it. This will let us add keys without destroying any previously added keys.

The full command looks like this:


  • cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

You may see the following message:


The authenticity of host ' (' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type yes and press ENTER to continue.

Afterwards, you should be prompted to enter the remote user account password:


username@'s password:

After entering your password, the content of your id_rsa.pub key will be copied to the end of the authorized_keys file of the remote user’s account. Continue on to if this was successful.

Copying Public Key Manually

If you do not have password-based SSH access to your server available, you will have to complete the above process manually.


We will manually append the content of your id_rsa.pub file to the ~/.ssh/authorized_keys file on your remote machine.


To display the content of your id_rsa.pub key, type this into your local computer:


  • cat ~/.ssh/id_rsa.pub

You will see the key’s content, which should look something like this:


ssh-rsa ... sammy@host

Log in to your remote host using whichever method you have available.


Once you have access to your account on the remote server, you should make sure the ~/.ssh directory exists. This command will create the directory if necessary, or do nothing if it already exists:

  • mkdir -p ~/.ssh

Now, you can create or modify the authorized_keys file within this directory. You can add the contents of your id_rsa.pub file to the end of the authorized_keys file, creating it if necessary, using this command:

  • echo public_key_string >> ~/.ssh/authorized_keys

In the above command, substitute the public_key_string with the output from the cat ~/.ssh/id_rsa.pub command that you executed on your local system. It should start with ssh-rsa AAAA....

Finally, we’ll ensure that the ~/.ssh directory and authorized_keys file have the appropriate permissions set:


  • chmod -R go= ~/.ssh

This recursively removes all “group” and “other” permissions for the ~/.ssh/ directory.


If you’re using the root account to set up keys for a user account, it’s also important that the ~/.ssh directory belongs to the user and not to root:


  • chown -R sammy:sammy ~/.ssh

In this tutorial our user is named sammy but you should substitute the appropriate username into the above command.
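The two non-ssh-copy-id methods above (the cat ... | ssh ... pipeline and the manual echo >> ~/.ssh/authorized_keys step) both append the key blindly, so running them twice leaves duplicate entries, and neither rejects a pasted line that is not actually a public key. The following shell functions, an added example rather than code from the original tutorial, install a key into an authorized_keys file exactly once, validate its shape first, and apply the same permissions the tutorial sets with chmod -R go= ~/.ssh. The key line used in the usage note is a constructed placeholder, and the second argument (the directory) is an assumption added for testing; it defaults to ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original tutorial): idempotent installation of an
# OpenSSH public key into an authorized_keys file, with the permissions the
# tutorial requires. Works with POSIX sh plus awk/grep/find.

# is_valid_pubkey <line>: succeed only if the line looks like "<type> <base64 blob> [comment]".
# The type list covers the key types OpenSSH itself generates.
is_valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey <key line> [ssh dir]
# Creates <ssh dir>/authorized_keys if needed, appends the key only when the same
# type+blob is not already present (the comment is ignored, so a renamed key does
# not get added twice), then tightens permissions to 700 on the directory and 600
# on the file. Prints "added", "present" or "invalid"; returns non-zero on "invalid".
install_pubkey() {
    key="$1"
    dir="${2:-$HOME/.ssh}"      # assumption: second argument overrides ~/.ssh, for testing
    file="$dir/authorized_keys"

    if ! is_valid_pubkey "$key"; then
        echo invalid
        return 1
    fi

    mkdir -p "$dir"
    touch "$file"

    # Compare on the first two fields (type and blob) only.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v want="$blob" '($1 " " $2) == want { found = 1 } END { exit !found }' "$file"; then
        echo present
    else
        printf '%s\n' "$key" >> "$file"   # >> appends, as in the tutorial, never overwrites
        echo added
    fi

    # Equivalent in effect to the tutorial's "chmod -R go= ~/.ssh" for these two paths.
    chmod 700 "$dir"
    chmod 600 "$file"
}

# count_keys <file>: number of lines that are neither blank nor comments.
count_keys() {
    grep -cEv '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true
}

# perms_ok <ssh dir>: succeed if the directory is 700 and authorized_keys is 600.
perms_ok() {
    [ -n "$(find "$1" -prune -perm 700 -print)" ] &&
    [ -n "$(find "$1/authorized_keys" -prune -perm 600 -print)" ]
}

# Usage (constructed key, written to a throwaway directory so nothing real is touched):
#   install_pubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedexamplekey sammy@host" /tmp/demo-ssh
#   install_pubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedexamplekey sammy@laptop" /tmp/demo-ssh
# The second call prints "present" rather than adding a duplicate.
```

Because the comparison is on type and blob rather than the whole line, the function also catches the common case where the same key was copied once from a laptop and once from a workstation with different comments. If the account is being set up as root for another user, the chown -R step from the tutorial still has to follow.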


We can now attempt key-based authentication with our CentOS server.


Step 3 — Logging In to Your CentOS Server Using SSH Keys

If you have successfully completed one of the procedures above, you should now be able to log into the remote host without the remote account’s password.


The initial process is the same as with password-based authentication:


  • ssh username@remote_host

If this is your first time connecting to this host (if you used the last method above), you may see something like this:


The authenticity of host ' (' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means that your local computer does not recognize the remote host. Type yes and then press ENTER to continue.

If you did not supply a passphrase when creating your key pair in step 1, you will be logged in immediately. If you supplied a passphrase you will be prompted to enter it now. After authenticating, a new shell session should open for you with the configured account on the CentOS server.

If key-based authentication was successful, continue on to learn how to further secure your system by disabling your SSH server’s password-based authentication.


Step 4 — Disabling Password Authentication on your Server

If you were able to login to your account using SSH without a password, you have successfully configured SSH-key-based authentication to your account. However, your password-based authentication mechanism is still active, meaning that your server is still exposed to brute-force attacks.

Before completing the steps in this section, make sure that you either have SSH-key-based authentication configured for the root account on this server, or preferably, that you have SSH-key-based authentication configured for a non-root account on this server with sudo privileges. This step will lock down password-based logins, so ensuring that you will still be able to get administrative access is crucial.

Once you’ve confirmed that your remote account has administrative privileges, log into your remote server with SSH keys, either as root or with an account with sudo privileges. Then, open up the SSH daemon’s configuration file:

  • sudo vi /etc/ssh/sshd_config

Inside the file, search for a directive called PasswordAuthentication. This may be commented out with a # hash. Press i to put vi into insertion mode, and then uncomment the line and set the value to no. This will disable your ability to log in via SSH using account passwords:

/etc/ssh/sshd_config
...
PasswordAuthentication no
...

When you are finished making changes, press ESC and then :wq to write the changes to the file and quit. To actually implement these changes, we need to restart the sshd service:

  • sudo systemctl restart sshd

As a precaution, open up a new terminal window and test that the SSH service is functioning correctly before closing your current session:


  • ssh username@remote_host

Once you have verified your SSH service is still working properly, you can safely close all current server sessions.


The SSH daemon on your CentOS server now only responds to SSH keys. Password-based authentication has successfully been disabled.
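The hand edit in vi has two pitfalls the tutorial's instructions do not guard against: sshd honours only the first active occurrence of a directive, so uncommenting "#PasswordAuthentication yes" and changing it to "no" does nothing if a later active "PasswordAuthentication yes" line exists, and the keyword match is case-insensitive. The following shell functions, an added example rather than code from the original tutorial, set a directive so that exactly one active line remains and read back the value sshd would actually use. They operate on whatever file path is passed, so they can be tried on a copy of /etc/ssh/sshd_config first; the config fragment in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): set and read back an
# sshd_config directive without hand-editing. POSIX sh plus awk.

# effective_directive <file> <Directive>
# Print the value of the first active (uncommented) occurrence of the directive,
# matching the keyword case-insensitively as sshd does; print nothing if unset.
effective_directive() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == name        { print $2; exit }
    ' "$1"
}

# set_directive <file> <Directive> <value>
# Rewrite the file so that exactly one active line sets the directive:
#   - the first occurrence, whether active or a commented-out "#Directive ..."
#     line, is replaced by "Directive value";
#   - any later active occurrence is commented out so it cannot shadow the new
#     value (sshd uses the first active match);
#   - if the directive appears nowhere, the line is appended.
set_directive() {
    file="$1"; name="$2"; value="$3"
    lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    tmp="$file.tmp.$$"
    awk -v name="$lname" -v line="$name $value" '
        # keyword(s): first word of the line, ignoring a leading "#" and whitespace
        function keyword(s,    f) {
            sub(/^[[:space:]]*#?[[:space:]]*/, "", s)
            split(s, f, /[[:space:]]+/)
            return tolower(f[1])
        }
        keyword($0) == name {
            if (!done) { print line; done = 1; next }           # first occurrence becomes the setting
            if ($0 !~ /^[[:space:]]*#/) { print "#" $0; next }  # later active duplicate: disable it
        }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage on a constructed copy (never edit the live file without a backup):
#   cp /etc/ssh/sshd_config /tmp/sshd_config.test
#   set_directive /tmp/sshd_config.test PasswordAuthentication no
#   effective_directive /tmp/sshd_config.test PasswordAuthentication   # prints: no
```

Before restarting sshd with the edited file, "sudo sshd -t" checks the configuration for syntax errors and exits non-zero if the daemon would refuse to start; combined with the tutorial's advice to test a fresh login from a second terminal before closing the current session, that avoids locking yourself out. Directives inside a Match block are conditional, so if your file uses Match, check the placement of the line set_directive touched.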

Conclusion

You should now have SSH-key-based authentication configured on your server, allowing you to sign in without providing an account password.


If you’d like to learn more about working with SSH, take a look at our .


