此方法在VMWARE5.5上测试成功。在本文里远程服务器的地址是192.168.0.30 。大家可以使用域名IP地址来替换。本文中服务器和客户端的系统都是OpenBSD。

1. 安装OpenBSD。关于安装OpenBSD的方法就不在此说明，网上有很多教程。

2. 生成认证密钥

正常安装OpenBSD的话，Openssh是默认被安装的。用ssh-keygen在客户端的openbsd系统上生成认证密钥对。

语法：ssh-keygen [-b bits] -t type

说明：-b 后面接数字 1024，2048，3072，4096 数字越大破解更困难，1024 基本可以满足网上商业活动。-t 后面接加密算法类型，详情请看Openssh manual 页。

例：

先用一个用户登录到客户端。再这里我是用root。

# ssh-keygen -b 1024 -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa): （输入存储路径，一般默认即可）

Enter passphrase (empty for no passphrase): （输入密码来保护私钥，针对私钥暴露的情况）

Enter same passphrase again: （重新输入密码）

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

fc:cc:ab:48:68:b1:e2:13:ab:91:d9:89:47:ad:85:18 root@bnn.my.domain

3 使用公钥

现在~/.ssh/目录里面已经生成了此用户的认证密钥对。（id_rsa和 id_rsa.pub）id_rsa.pub就是公钥。把这个公钥复制到要登录的远程服务器的~/.ssh/目录里，改文件名为authorized_keys 。在这里我用的是root。

# scp /root/.ssh/id_rsa.pub root@192.168.0.30:/root/.ssh/authorized_keys

RSA key fingerprint is ef:05:e5:1c:26:31:59:b8:fb:3f:50:55:67:dd:3f:9e.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.0.30' (RSA) to the list of known hosts.

root@192.168.0.30's password: （输入远程服务器用户密码）

id_rsa.pub 100% 229 0.2KB/s 00:00

现在可以用密钥来登录

# ssh root@192.168.0.30

Enter passphrase for key '/root/.ssh/id_rsa': （输入私钥密码）

Last login: Fri May 19 09:54:03 2006

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.

Before reporting a bug, please try to reproduce it with the latest

version of the code. With bug reports, please try to ensure that

enough information to reproduce the problem is enclosed, and if a

known fix for it exists, include that as well.

Terminal type? [vt100]

Read the afterboot(8) man page for administration advice.

#

现在用密钥可以登录到远程服务器。但是如果没有密钥，有用户密码也可以登录到远程服务器。那么我们修改一下/etc/ssh/sshd_config 来禁止用密码远程登录。在远程服务器

# vi /etc/ssh/sshd_config

#PasswordAuthentication yes 改成 去掉注释#号 PasswordAuthentication no 然后重新启动远程服务器。

现在我们作一个实验。在客户端先备份认证密钥对，然后删除，再用ssh远程登录到远程服务器。

# cd /root/.ssh/

# mkdir /root/.ssh/backup

# cp id_rsa* backup

# rm id_rsa*

# ssh 192.168.0.30

Permission denied (publickey,keyboard-interactive).

服务器不允许登录。

再恢复备份

# cd /root/.ssh/

# ls

backup

# cp ./backup/id_rsa* ./

再用ssh远程登录到远程服务器。

# ssh root@192.168.0.30

Enter passphrase for key '/root/.ssh/id_rsa':

Last login: Fri May 19 10:14:36 2006

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.

Before reporting a bug, please try to reproduce it with the latest

version of the code. With bug reports, please try to ensure that

enough information to reproduce the problem is enclosed, and if a

known fix for it exists, include that as well.

Terminal type? [vt100]

Read the afterboot(8) man page for administration advice.

#

又可以登录了。但是只能用密钥来登录。修改sshd_config 后，服务器上所有用户都必须有自己的认证密钥对才能登录服务器了。

这里还有一个思路，觉得很有趣就写在这里。 用VMWARE 安装一个OpenBSD 虚拟机。然后设置好nat。能使虚拟机OpenBSD上网，然后用上述方法设置。用虚拟机来管理远程服务器。在windows用ssh客户端软件来管理 OpenBSD虚拟机。这样一来整个操作过程是用ssh客户端程序登录到OpenBSD虚拟机，然后再用密钥登录到远程服务器。