1. Generate the SSH key pair on the local server (skip this step if one already exists).

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):

Press Enter at every prompt (this accepts the default path and an empty passphrase, which leaves the private key unencrypted on disk). The key files are generated under ~/.ssh/ in the local home directory; if they already exist, this step can be skipped. (For more ssh-keygen usage, see ssh-keygen -h.)

After generation, the files look like this:

$ ls -ltra ~/.ssh/id_rsa*
-rw-r--r--. 1 root root  408 May  4 13:20 /root/.ssh/id_rsa.pub
-rw-------. 1 root root 1675 May  4 13:20 /root/.ssh/id_rsa
2. Log in to the remote server over SSH and open the firewall for port 22 (skip if it is already open).

$ /sbin/iptables -I INPUT -i eth0 -s 10.10.10.10 -p tcp -m tcp --dport 22 -j ACCEPT

After the firewall rule is in place, verify from the local server that SSH to 10.10.10.11 on port 22 is reachable (assuming the local server IP is 10.10.10.10 and the remote server IP is 10.10.10.11).
3. Confirm that the ~/.ssh directory and the ~/.ssh/authorized_keys file exist on the remote server; create them if they do not (skip if they already exist).

$ ls -ltra ~/ | grep ssh
drwx------. 2 root root 4096 May  4 13:38 .ssh
$ ls -ltr .ssh/authorized_keys
-rw-------. 1 root root 408 May  4 13:38 .ssh/authorized_keys

Note: the permissions on ~/.ssh/authorized_keys must be 600 and on the ~/.ssh directory 700; otherwise the trust relationship will not take effect.
4. Append the contents of the locally generated public key file (~/.ssh/id_rsa.pub) to ~/.ssh/authorized_keys on the remote server.

$ cat .ssh/id_rsa.pub

Paste the output of the command above into ~/.ssh/authorized_keys on the target server.
5. If steps 3 and 4 feel like too much trouble, they can be replaced by a single ssh-copy-id command.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub 10.10.10.11
$ ssh-copy-id -h
Usage: /usr/bin/ssh-copy-id [-i [identity_file]] [user@]machine

Once this completes, under normal circumstances we can SSH directly from the local server to the remote server without a password.

If the public key of local user luser is appended to ~/.ssh/authorized_keys in the home directory of remote user ruser, then the local user can log in with ssh ruser@<remote IP>; be clear about which local user's key is trusted by which remote user.
6. Abnormal situations: even after all of the above steps have been done, we may still encounter errors and be unable to log in without a password. Check the following:

Confirm the firewall is OK.
Verify that the permissions on the remote ~/.ssh/authorized_keys file are correct and that the key line has not been garbled (for example, wrapped across lines).
Verify that the public key is correct.
Run ssh -vvv <IP> to see the detailed connection process and whether it reports errors, then troubleshoot according to what it shows.
Check the remote /var/log/audit/audit.log for errors.
Check that the remote /etc/ssh/sshd_config and the local /etc/ssh/ssh_config are configured normally.
Try restarting the sshd service.
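The following script is an added example and is not part of the original post. It carries out steps 3 and 4 on a given home directory (create ~/.ssh and authorized_keys with the 700/600 permissions the note after step 3 requires, and append the public key without creating duplicates), wraps the key generation of step 1, and provides the permission check listed under step 6 as a function. The function names, the GNU stat syntax and the constructed sample key are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. HOME_DIR is a parameter so the
# functions can be exercised on a scratch directory; on a real remote server
# you would pass the login user's home directory (e.g. /root).

# ensure_local_key KEY_PATH: step 1, generate a key pair only if none exists.
# -N '' gives an empty passphrase, matching "press Enter at every prompt" in
# the post; note that this leaves the private key unencrypted on disk.
ensure_local_key() {
    key_path=$1
    if [ -f "$key_path" ]; then
        return 0
    fi
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$key_path"
}

# install_pubkey HOME_DIR PUBKEY_FILE: steps 3 and 4, done idempotently.
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Step 3: create the directory and file if missing, then force the
    # permissions the post's note requires (700 on .ssh, 600 on the file).
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Step 4: append each key line, skipping blanks, comments and lines that
    # are already present (ssh-copy-id performs the same duplicate check).
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ""|"#"*) continue ;;
        esac
        if ! grep -qxF -- "$line" "$auth_keys"; then
            printf '%s\n' "$line" >> "$auth_keys"
        fi
    done < "$pubkey_file"
}

# check_ssh_perms HOME_DIR: the permission check from step 6. Returns 0 when
# ~/.ssh is 700 and authorized_keys is 600, 1 otherwise (GNU stat syntax).
check_ssh_perms() {
    home_dir=$1
    dir_mode=$(stat -c '%a' "$home_dir/.ssh" 2>/dev/null) || return 1
    file_mode=$(stat -c '%a' "$home_dir/.ssh/authorized_keys" 2>/dev/null) || return 1
    [ "$dir_mode" = "700" ] && [ "$file_mode" = "600" ]
}

# key_count HOME_DIR: number of lines currently in authorized_keys.
key_count() {
    awk 'END { print NR }' "$1/.ssh/authorized_keys"
}
```

To use it on the remote side, copy the .pub file over, source the script, and run install_pubkey /root /tmp/id_rsa.pub followed by check_ssh_perms /root. Running install_pubkey a second time with the same key is safe: the duplicate check leaves authorized_keys unchanged.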
7. After SELinux is enabled, SSH requires a password login again.

Look at the security context of the files:

# ls -laZ .ssh/
drwx------  root root ?                                 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-r--r--  root root ?                                 authorized_keys
-rwx------  root root ?                                 id_dsa
-rwx------  root root ?                                 id_dsa.pub
-rwx------  root root ?                                 id_rsa
-rwx------  root root ?                                 id_rsa.pub

As shown above, the security context of the files in my .ssh directory does not match the normal one. Use restorecon -r -vv .ssh/ to fix it, then set SELinux to enforcing and restart the server.

After the fix:

# ls -laZ .ssh/
drwx------. root root system_u:object_r:ssh_home_t:s0   .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-r--r--. root root system_u:object_r:ssh_home_t:s0   authorized_keys
-rwx------. root root system_u:object_r:ssh_home_t:s0   id_dsa
-rwx------. root root system_u:object_r:ssh_home_t:s0   id_dsa.pub
-rwx------. root root system_u:object_r:ssh_home_t:s0   id_rsa
-rwx------. root root system_u:object_r:ssh_home_t:s0   id_rsa.pub

If you find that the .ssh directory's type is not ssh_home_t, use restorecon -r -vv /home/ to restore the security context of the directory and its files.

This is usually caused by the home directory originally living on the root partition without a separate partition, and a new partition later being formatted and mounted as the home directory.

You can also use setenforce 0 to switch SELinux to permissive mode (effectively turning it off), or edit /etc/selinux/config and restart for the change to take effect.

For more on restorecon, see: http://l.51yip.com/search/restorecon

# getenforce
Disabled
# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
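The following script is an added example and is not part of the original post. The symptom described in step 7 is a ~/.ssh listing in which entries show "?" or a type other than ssh_home_t; this script reads such ls -laZ lines on stdin and reports the entries that need relabelling, so the check can be scripted (or run over a listing captured from a ticket) before deciding to run restorecon. The function names and the sample listings, which are constructed from the post's before/after output, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Parses `ls -laZ` output for a
# ~/.ssh directory and reports entries whose SELinux type is not ssh_home_t.
# (restorecon -n -v ~/.ssh reports the same from the policy itself; this is
# for reading a listing you already have.)

# mislabelled_entries: for each `ls -laZ` line on stdin, print "name<TAB>type"
# when the entry is unlabelled ("?") or its SELinux type is not ssh_home_t.
# The ".." entry is skipped because it is the home directory itself, which is
# expected to carry a different type (admin_home_t in the post's output).
mislabelled_entries() {
    while IFS= read -r line; do
        # Split into fields with globbing off: an unquoted "?" would otherwise
        # expand to single-character file names in the current directory.
        set -f
        set -- $line
        set +f
        [ $# -ge 5 ] || continue          # skips "total N" and blank lines
        eval "name=\${$#}"                # the file name is the last field
        context=""
        for field in "$@"; do             # the context has 3 colons, or is "?"
            case "$field" in
                "?"|*:*:*:*) context=$field ;;
            esac
        done
        [ -n "$context" ] || continue
        [ "$name" = ".." ] && continue
        if [ "$context" = "?" ]; then
            printf '%s\tunlabelled\n' "$name"
            continue
        fi
        type=${context#*:}; type=${type#*:}; type=${type%%:*}   # user:role:TYPE:level
        [ "$type" = "ssh_home_t" ] || printf '%s\t%s\n' "$name" "$type"
    done
}

# count_mislabelled: same input, prints the number of entries needing relabel.
count_mislabelled() {
    mislabelled_entries | awk 'END { print NR }'
}

# Constructed sample listings modelled on the post's before/after output.
SAMPLE_BEFORE='drwx------  root root ?                                 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-r--r--  root root ?                                 authorized_keys
-rw-------  root root ?                                 id_rsa
-rw-r--r--. root root system_u:object_r:user_home_t:s0  id_rsa.pub'
SAMPLE_AFTER='drwx------. root root system_u:object_r:ssh_home_t:s0 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-r--r--. root root system_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. root root system_u:object_r:ssh_home_t:s0 id_rsa
-rw-r--r--. root root system_u:object_r:ssh_home_t:s0 id_rsa.pub'

# Stand-alone demo on the constructed "before" listing.
printf '%s\n' "$SAMPLE_BEFORE" | mislabelled_entries
```

On a live system run ls -laZ ~/.ssh | mislabelled_entries; any output means the directory needs restorecon -r -vv ~/.ssh as the post describes, and an empty result on the "after" listing confirms the relabel worked.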
This article is from the "composer" blog; please keep this source: http://zuoqujia.blog.51cto.com/9151800/1440322
Build a Linux SSH trust