看到群友的机器被入侵了(默哀鸡哥三秒 🕯️)

Snipaste_2026-03-21_15-51-06.png

这里分享一个一键关闭 SSH 密码登录、改为密钥登录的方法。

SSH 密钥用途非常广,不只是登录服务器。比如我们平时 git push 到远程仓库,也常用它做身份认证。

1)本地生成 SSH 密钥(已有可跳过)

推荐 ed25519:

ssh-keygen -t ed25519 -C "ssh-login-key"

看到提示后路径直接回车即可,口令可按需设置:

  • 不设口令:方便但泄露风险高

  • 设口令:更安全但首次使用需输入

2)查看公钥

cat ~/.ssh/id_ed25519.pub

会得到一整行,例如:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...... ssh-login-key

下面脚本里的“替换成你的公钥”,都要替换成这整行。

3)一键配置(sudo 版本)

强烈建议:执行前先保持当前 SSH 会话不断开,再开新终端验证,避免把自己锁在门外。

sudo bash -c 'set -e

USER_NAME="${SUDO_USER:-$USER}"
USER_HOME="$(getent passwd "$USER_NAME" | cut -d: -f6)"

install -d -m 700 -o "$USER_NAME" -g "$USER_NAME" "$USER_HOME/.ssh"
touch "$USER_HOME/.ssh/authorized_keys"
grep -qxF "替换成你的公钥" "$USER_HOME/.ssh/authorized_keys" || echo "替换成你的公钥" >> "$USER_HOME/.ssh/authorized_keys"

chown "$USER_NAME:$USER_NAME" "$USER_HOME/.ssh/authorized_keys"
chmod 600 "$USER_HOME/.ssh/authorized_keys"

mkdir -p /root/.ssh
chmod 700 /root/.ssh
touch /root/.ssh/authorized_keys
grep -qxF "替换成你的公钥" /root/.ssh/authorized_keys || echo "替换成你的公钥" >> /root/.ssh/authorized_keys
chown root:root /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

mkdir -p /etc/ssh/sshd_config.d

cat > /etc/ssh/sshd_config.d/99-key-only.conf <<'\''EOF'\''
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
EOF

sshd -t
systemctl reload ssh || systemctl restart ssh

echo
echo "[OK] 普通用户与 root 已写入公钥"
echo "[OK] 已关闭所有密码登录"
echo "[OK] root 允许密钥登录,禁止密码登录"
echo "[OK] 现在测试:"
echo "ssh root@服务器IP"
echo "ssh ${USER_NAME}@服务器IP"
'

4)无 sudo 版本(仅 root)

bash -c 'set -e

install -d -m 700 /root/.ssh
touch /root/.ssh/authorized_keys
grep -qxF "替换成你的公钥" /root/.ssh/authorized_keys || echo "替换成你的公钥" >> /root/.ssh/authorized_keys
chown root:root /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

mkdir -p /etc/ssh/sshd_config.d

cat > /etc/ssh/sshd_config.d/99-key-only.conf <<'\''EOF'\''
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
EOF

sshd -t
systemctl reload ssh || systemctl restart ssh

echo
echo "[OK] root 公钥已写入"
echo "[OK] 已关闭所有密码登录"
echo "[OK] root 仅允许密钥登录"
echo "[OK] 请新开终端测试:"
echo "ssh root@服务器IP"
'

5)验证是否生效

新开一个终端,先测密钥登录:


ssh root@服务器IP

再故意测试密码登录(应失败):


ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@服务器IP

如果密码方式失败,说明配置成功。