vim /etc/ssh/sshd_config, 下面三行去掉注释符号#
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys mkdir -p ~/.ssh
chmod ~/.ssh
生成公钥和私钥
[root@localhost .ssh]# cd ~/.ssh
[root@localhost .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
::::df:8e:6e:0f:ce:ee:a7:fd:f9:6e:: root@localhost.localdomain
The key's randomart image is:
+--[ RSA ]----+
| .. |
| . . |
| ... |
| .... E |
| o oo. S . |
| +. .. . . |
| .. . . |
| ooo. ... |
| +*+o.o=o |
+-----------------+
[root@localhost .ssh]#
配置
[root@localhost .ssh]# cat id_rsa.pub > authorized_keys
[root@localhost .ssh]# chmod authorized_keys
[root@localhost .ssh]# ll
total
-rw-------. root root Jul : authorized_keys
-rw-------. root root Jul : id_rsa
-rw-r--r--. root root Jul : id_rsa.pub
下载id_rsa到本地,用pyTTYgen转换为.ppk文件,配置到putty中,配置登陆用户名root
login as: root
Server refused our key
root@192.168.88.133's password:
登陆失败。。。需要disable selinux
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]#
再次尝试成功!
Using username "root".
Authenticating with public key "imported-openssh-key"
Last login: Mon Jul :: from 192.168.88.1
[root@localhost ~]#
永久disable selinux
/etc/selinux/config,修改SELINUX=disabled 或者permissive
问题原因:
生成的~/.ssh/authorized_keys 文件没有selinux上下文属性,导致无法通过Selinux认证,查看该文件属性如下:ll -Z filename
[root@postfixmx mnt]# restorecon -r -v /root 其它用户为/home
restorecon reset /root/.config context system_u:object_r:gconf_home_t:s0->system _u:object_r:config_home_t:s0
restorecon reset /root/.config/ibus context system_u:object_r:gconf_home_t:s0->s ystem_u:object_r:config_home_t:s0
restorecon reset /root/.config/ibus/bus context system_u:object_r:gconf_home_t:s 0->system_u:object_r:config_home_t:s0
restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->uncon fined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:admin_ home_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa context unconfined_u:object_r:admin_home_t:s0 ->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /root/.ssh/id_rsa.pub context unconfined_u:object_r:admin_home_ t:s0->unconfined_u:object_r:ssh_home_t:s0
[root@postfixmx mnt]#
该命令的作用了恢复/home 目录下所有文件的默认selinux安全上下文属性。
------------------------
如果需要配置linux服务器之间的ssh无密码互访,可以使用上述的ssh key认证实现
对要登录的服务器上的/etc/ssh/sshd_config文件做如下修改,记得重启sshd服务啊!
RSAAuthentication yes #允许rsa key 认证
PubkeyAuthentication yes #允许rsa key 认证
PermitEmptyPasswords no #不允许空密码
PasswordAuthentication no #不允许密码认证,这个根据实际情况而定,一般有rsa key认证登陆的话,就没必要密码认证了
from的服务器上的.ssh目录中放置id_rsa即可。