Setting up passwordless SSH key login on a VPS

How key-based login works
A key generator produces a pair of keys, a public key and a private key. The public key is added to an account on the server; the client then proves possession of the matching private key to authenticate and log in. The private key never travels to the server, but anyone who obtains the private key file (and its passphrase, if it has one) can log in as that account.

Generate the SSH key pair
Run ssh-keygen and press Enter four times. Two caveats before doing so: pressing Enter at the passphrase prompt leaves the private key unencrypted on disk, so whoever can read id_rsa can log in; and the transcript below runs ssh-keygen on the server itself, which means the private key then has to be copied down to the client and removed from the server, whereas the usual practice is to generate the pair on the client and send only the public key up (ssh-copy-id does exactly that). The transcript produces a 2048-bit RSA key, the default of that OpenSSH version; current releases default to 3072-bit RSA, and ssh-keygen -t ed25519 is the common choice today.
root@p3ter:~# ssh-keygen # type the command and press Enter
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # save location; accept the default with Enter
Enter passphrase (empty for no passphrase): # key passphrase; press Enter. If you set one it is asked for every time the key is used (unless ssh-agent caches it); leave it empty for passwordless login, at the cost of an unprotected private key file.
Enter same passphrase again: # repeat the passphrase and press Enter
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:GYT9YqBV4gDIgzTYEWFs3oGZjp8FWXArBObfhPlPzIk root@p3ter
The key's randomart image is:
+---[RSA 2048]----+
|*OO%+ .+o |
|*=@.+++o. |
| *o=.=.... |
|. +.B + +o. |
| . + E *S. |
| o o |
| . |
| |
| |
+----[SHA256]-----+

A hidden .ssh directory now exists in the current user's home directory, containing two key files: id_rsa is the private key and id_rsa.pub is the public key.
Install the public key
cd .ssh/
cat id_rsa.pub >> authorized_keys

Fix permissions
chmod 600 authorized_keys
chmod 700 ~/.ssh

This step is not optional: with StrictModes (the default) sshd silently ignores authorized_keys when the file, the .ssh directory or the home directory is writable by other users, and the only symptom is that you are still asked for a password.

Edit the sshd config file
Enable key login
Edit /etc/ssh/sshd_config and add or change the following parameter:

PubkeyAuthentication yes

Older guides also list RSAAuthentication yes; that option only governed the SSH-1 protocol and has been deprecated and ignored since OpenSSH 7.4 (sshd just logs a warning), so it is left out here. PubkeyAuthentication is already yes by default; setting it explicitly only protects against a stray no elsewhere in the file. Run sshd -t to check the syntax before restarting, since a typo leaves you with a daemon that will not start.

Restart the sshd service
service sshd restart

(On Debian and Ubuntu the unit is called ssh, so use service ssh restart or systemctl restart ssh.)

Disable password login
Only after confirming in a separate terminal that key login works, and while keeping the current session open, change the following parameters:

PasswordAuthentication no
KbdInteractiveAuthentication no

The second line matters because with PAM enabled sshd can still prompt for the account password through keyboard-interactive authentication even when PasswordAuthentication is no; on OpenSSH older than 8.7 the same setting is spelled ChallengeResponseAuthentication no. Two further checks before trusting the result: on distributions whose sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf (Ubuntu 22.04 with cloud-init, for example), a drop-in there is read first and sshd keeps the first value it sees, so a PasswordAuthentication yes in the drop-in overrides the main file; and the authoritative view of what sshd will enforce is sudo sshd -T | grep -i authentication, not the text of the file you edited.

Restart the sshd service
service sshd restart

Shell script
#!/usr/bin/env bash
# -*- coding: utf-8 -*-
# Purpose: one-shot setup of SSH public-key login (simplified version: no backups)
# Note: ~/.ssh/id_rsa.pub must already exist and you need sudo rights to edit sshd_config
set -euo pipefail
USER="${USER:-$(id -un)}"

echo ""
echo "=== SSH public-key login setup (simplified) ==="
echo "Current user: $USER"
echo "Home dir    : $HOME"
echo ""

# 1. Prepare the .ssh directory
mkdir -p ~/.ssh
chmod 700 ~/.ssh

# 2. Add the public key to authorized_keys
PUBKEY_FILE="$HOME/.ssh/id_rsa.pub"
if [[ ! -f "$PUBKEY_FILE" ]]; then
    echo "Error: public key file $PUBKEY_FILE not found"
    echo "Save the public key there first, or change PUBKEY_FILE in this script"
    exit 1
fi
echo "Public key found: $PUBKEY_FILE"
echo "Appending it to ~/.ssh/authorized_keys"
# Append unless the exact same line is already there (still no backup)
touch ~/.ssh/authorized_keys
grep -qxF -- "$(cat "$PUBKEY_FILE")" ~/.ssh/authorized_keys || cat "$PUBKEY_FILE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
echo "Public key is in authorized_keys; permissions set to 600"
echo ""

# 3. Edit sshd_config (enable public-key authentication)
SSHD_CONFIG="/etc/ssh/sshd_config"
# set_option KEY VALUE: rewrite an existing (possibly commented-out) line, or append one
set_option() {
    sudo sed -i "/^#*$1[ =]/s/.*/$1 $2/" "$SSHD_CONFIG"
    grep -q "^$1 $2\$" "$SSHD_CONFIG" || echo "$1 $2" | sudo tee -a "$SSHD_CONFIG" >/dev/null
}
# RSAAuthentication (SSH-1 only) has been deprecated and ignored since OpenSSH 7.4, so it is not set here
set_option PubkeyAuthentication yes
echo "sshd_config updated: public-key authentication enabled"
echo ""

# restart_sshd: check the config syntax first, then restart whichever unit name the distro uses
restart_sshd() {
    sudo sshd -t
    if command -v systemctl >/dev/null 2>&1; then
        sudo systemctl restart sshd 2>/dev/null || sudo systemctl restart ssh
    elif command -v service >/dev/null 2>&1; then
        sudo service sshd restart 2>/dev/null || sudo service ssh restart
    else
        echo "Could not restart sshd automatically; run one of:"
        echo " sudo systemctl restart sshd   or   sudo service ssh restart"
        exit 2
    fi
}

# 4. Restart the ssh service
echo "Restarting sshd..."
restart_sshd
echo "sshd restarted"
echo ""

# 5. Ask whether to disable password login
echo "Important: test passwordless login from a NEW terminal first!"
echo " ssh $USER@localhost"
echo ""
echo "Only disable password login once key login is confirmed working"
read -p "Disable password login now? (y/N) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
    echo "Disabling password login..."
    set_option PasswordAuthentication no
    set_option KbdInteractiveAuthentication no   # otherwise PAM may still prompt for a password
    restart_sshd
    echo "Password login disabled"
else
    echo "Skipped disabling password login (set PasswordAuthentication no by hand later)"
fi
echo ""
echo "Done!"
echo "Strongly recommended:"
echo " 1. Open a new terminal and test ssh $USER@localhost"
echo " 2. Test again from an external machine"
echo " 3. Close this session only after both logins work"
echo ""
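The sed-based edits above and in the script rewrite whatever PasswordAuthentication line they find in /etc/ssh/sshd_config, but they cannot tell you what sshd will actually enforce: OpenSSH keeps the first value it reads for a keyword and expands Include lines in place, so a drop-in such as /etc/ssh/sshd_config.d/50-cloud-init.conf that still says PasswordAuthentication yes wins over a later no in the main file. The authoritative check on a live host is sudo sshd -T | grep -i -E '^(password|pubkey|kbdinteractive)authentication'. The following added example (mine, not part of the original post or its script) models that first-match rule offline so it can be run against a copy of the config, and pairs it with an idempotent replacement for cat id_rsa.pub >> authorized_keys that recognises a key already present under a different comment or behind options such as restrict,from=.... Assumptions: key material shown in the tests is constructed and not a real key; Match blocks are out of scope (resolution stops there); Include globs are taken as written, whereas real sshd resolves relative ones against /etc/ssh; only the "Key value" and "Key=value" spellings are parsed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: (1) an idempotent authorized_keys
# installer and (2) an offline model of how sshd resolves a keyword, for
# checking what "PasswordAuthentication no" will really do. Needs bash 4+.
set -euo pipefail

# install_pubkey <pubkey-file> <authorized_keys-path>
# Appends "<type> <base64> [comment]" only if that <type> <base64> pair is not
# already present, comparing key material rather than whole lines so a copy
# with another comment, or one prefixed with options (restrict,from="..."),
# is not added twice. Prints "added" or "already present".
install_pubkey() {
    local pub="$1" ak="$2" type blob rest
    { read -r type blob rest < "$pub" || [[ -n "$type" ]]; } || return 1
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "install_pubkey: unsupported key type '$type'" >&2; return 1 ;;
    esac
    [[ -n "$blob" ]] || { echo "install_pubkey: no key material in $pub" >&2; return 1; }
    mkdir -p "$(dirname "$ak")" && chmod 700 "$(dirname "$ak")"   # StrictModes needs these
    touch "$ak" && chmod 600 "$ak"
    if awk -v t="$type" -v b="$blob" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) found = 1 } END { exit !found }' "$ak"; then
        echo "already present"; return 0
    fi
    printf '%s %s%s\n' "$type" "$blob" "${rest:+ $rest}" >> "$ak"
    echo "added"
}

# effective_setting <config-file> <keyword>
# Simplified model of "sshd -T" for one keyword: sshd keeps the FIRST value it
# reads, expands Include in place, and keywords are case-insensitive, so a
# drop-in included at the top of the file beats anything written below it.
# Simplifications (assumptions of this example): "Key value" and "Key=value"
# spellings only; Include globs taken as given (sshd resolves relative ones
# against /etc/ssh); resolution stops at the first Match block.
# Prints the value and returns 0, or returns 1 if the keyword is never set
# (meaning sshd's built-in default applies).
effective_setting() {
    local file="$1" key="${2,,}" line k v f
    [[ -r "$file" ]] || return 1
    while IFS= read -r line || [[ -n "$line" ]]; do
        line="${line%%#*}"                       # strip comments
        read -r k v <<< "$line" || true          # k = keyword, v = rest of line
        [[ -n "$k" ]] || continue
        if [[ "$k" == *=* ]]; then               # "Key=value" spelling
            v="${k#*=}${v:+ $v}"; k="${k%%=*}"
        fi
        k="${k,,}"
        [[ "$k" == match ]] && break
        if [[ "$k" == include ]]; then
            for f in $v; do                      # unquoted on purpose: expand globs
                [[ -f "$f" ]] && effective_setting "$f" "$key" && return 0
            done
            continue
        fi
        [[ "$k" == "$key" ]] && { printf '%s\n' "$v"; return 0; }
    done < "$file"
    return 1
}

# setting_or_default <config-file> <keyword> <default>: the resolved value, or
# the default the caller says sshd uses when the keyword is absent.
setting_or_default() {
    effective_setting "$1" "$2" || printf '%s\n' "$3"
}

# Usage: bash ssh_checks.sh /etc/ssh/sshd_config
# With no argument nothing runs, so the file can also be sourced for its functions.
# Defaults below are those documented in sshd_config(5) for current OpenSSH.
if [[ $# -gt 0 ]]; then
    for spec in PubkeyAuthentication:yes PasswordAuthentication:yes \
                KbdInteractiveAuthentication:yes PermitRootLogin:prohibit-password; do
        kw="${spec%%:*}"; def="${spec#*:}"
        printf '%-30s %s\n' "$kw" "$(setting_or_default "$1" "$kw" "$def (default)")"
    done
fi
```

Run it as bash ssh_checks.sh /etc/ssh/sshd_config to print what the four keywords resolve to; anything reported as "(default)" is being enforced at sshd's built-in default, which for PasswordAuthentication and KbdInteractiveAuthentication is yes, exactly the case the manual edits above are meant to close. After sourcing the file, install_pubkey ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys replaces the plain append and is safe to run repeatedly.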