Run vim /etc/ssh/sshd_config and remove the comment marker # from the following three lines:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

mkdir -p ~/.ssh
chmod 700 ~/.ssh
Generate the public and private keys
[root@localhost .ssh]# cd ~/.ssh
[root@localhost .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
82:32:47:81:df:8e:6e:0f:ce:ee:a7:fd:f9:6e:52:47 root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| . . |
| ... |
| .... E |
| o oo. S . |
| +. .. . . |
| .. . . |
| ooo. ... |
| +*+o.o=o |
+-----------------+
[root@localhost .ssh]#
Configuration
[root@localhost .ssh]# cat id_rsa.pub > authorized_keys
[root@localhost .ssh]# chmod 600 authorized_keys
[root@localhost .ssh]# ll
total 12
-rw-------. 1 root root 408 Jul 11 23:02 authorized_keys
-rw-------. 1 root root 1675 Jul 11 22:58 id_rsa
-rw-r--r--. 1 root root 408 Jul 11 22:58 id_rsa.pub
Download id_rsa to the local machine, convert it to a .ppk file with PuTTYgen, configure it in PuTTY, and set the login username to root.
login as: root
Server refused our key
root@192.168.88.133's password:
Login fails... SELinux needs to be disabled.
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]#
Trying again succeeds!
Using username "root".
Authenticating with public key "imported-openssh-key"
Last login: Mon Jul 11 23:27:25 2016 from 192.168.88.1
[root@localhost ~]#
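Disable SELinux permanently
In /etc/selinux/config, set SELINUX=disabled or permissive
Cause of the problem:
The generated ~/.ssh/authorized_keys file does not have the proper SELinux context attribute, so it fails the SELinux check. View the file's attributes like this:
ll -Z filename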
For other users, the path is /home instead of /root.
[root@postfixmx mnt]# restorecon -r -v /root
restorecon reset /root/.config context system_u:object_r:gconf_home_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /root/.config/ibus context system_u:object_r:gconf_home_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /root/.config/ibus/bus context system_u:object_r:gconf_home_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa.pub context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:ssh_home_t:s0
[root@postfixmx mnt]#
This command restores the default SELinux security context of every file under the given directory (/root above, /home for other users).
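
A way to check the two things the post depends on (the chmod modes and the ssh_home_t label shown in the restorecon output) while SELinux stays in enforcing mode. This is an added example, not part of the original post; the function names are hypothetical and it assumes GNU stat as shipped on CentOS.

```bash
# Added example, not from the original post. Function names are hypothetical.
# Assumes GNU stat (coreutils), as shipped on CentOS.

# Extract the type (third field) from an SELinux context string,
# e.g. unconfined_u:object_r:admin_home_t:s0 -> admin_home_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print one line per problem found in an .ssh directory; return 1 if any.
audit_ssh_dir() {
    ssh_dir=$1
    keys="$ssh_dir/authorized_keys"
    rc=0
    [ -d "$ssh_dir" ] || { echo "missing: $ssh_dir"; return 1; }
    [ -f "$keys" ] || { echo "missing: $keys"; return 1; }

    # Modes the post sets with chmod: 700 on ~/.ssh, 600 on authorized_keys.
    m=$(stat -c %a "$ssh_dir")
    [ "$m" = 700 ] || { echo "mode: $ssh_dir is $m, post uses 700"; rc=1; }
    m=$(stat -c %a "$keys")
    [ "$m" = 600 ] || { echo "mode: $keys is $m, post uses 600"; rc=1; }

    # Labels only matter where SELinux is active; skip the check elsewhere.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        for f in "$ssh_dir" "$keys"; do
            t=$(context_type "$(stat -c %C "$f")")
            if [ "$t" != ssh_home_t ]; then
                echo "label: $f is $t, expected ssh_home_t"
                echo "  fix: restorecon -r -v $ssh_dir"
                rc=1
            fi
        done
    fi
    return "$rc"
}

# Usage on the server: audit_ssh_dir /root/.ssh
```

If the audit reports only label lines, relabeling with restorecon as shown above is enough, and SELinux does not have to be switched to permissive or disabled.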
------------------------
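If you need to configure passwordless SSH access between Linux servers, the SSH key authentication described above can be used.
Make the following changes to /etc/ssh/sshd_config on the server you want to log in to, and remember to restart the sshd service!
# Allow RSA key authentication
RSAAuthentication yes
# Allow RSA key authentication
PubkeyAuthentication yes
# Do not allow empty passwords
PermitEmptyPasswords no
# Do not allow password authentication; this depends on your situation, but once RSA key login is in place there is generally no need for password authentication
PasswordAuthentication no
On the server you connect from, just place id_rsa in its .ssh directory.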