Build Linux ssh trust and solutions to common problems

Source: Internet
Author: User

1. Generate an ssh key pair on the local server. If one already exists, skip this step.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):

Press Enter to accept the default; the key files are written to the local directory ~/.ssh/. If a key file already exists there, skip this step. (For more on the ssh-keygen options, see ssh-keygen -h.)
After generation the files look like this:
$ ls -ltra ~/.ssh/id_rsa*
-rw-r--r--. 1 root 408 May 4 /root/.ssh/id_rsa.pub
-rw-------. 1 root 1675 May 4 13:20 /root/.ssh/id_rsa

2. Log on to the remote server through ssh and open its firewall for ssh from the local server. If the firewall already allows it, skip this step.
$ /sbin/iptables -I INPUT -i eth0 -s 10.10.10.10 -p tcp -m tcp --dport 22 -j ACCEPT

After adding the rule, make sure that ssh from the local server to 10.10.10.11 port 22 works (assume the IP address of the local server is 10.10.10.10 and that of the remote server is 10.10.10.11).

3. Confirm that the ~/.ssh/authorized_keys file and its directory exist on the remote server. If the file does not exist, you can create it now or leave that to the next step.
$ ls -ltra ~/ | grep ssh
drwx------. 2 root 4096 May 4 13:38 .ssh
$ ls -ltr .ssh/authorized_keys
-rw-------. 1 root 408 May 4 13:38 .ssh/authorized_keys

Note: the ~/.ssh/authorized_keys file must have permission 600, the ~/.ssh/ directory must have permission 700, and the user's home directory must have permission 700 as well. Otherwise the trust will not work.

4. Append the content of the public key file generated on the local machine (~/.ssh/id_rsa.pub) to ~/.ssh/authorized_keys on the remote server.
$ cat .ssh/id_rsa.pub

Paste the output of the preceding command into ~/.ssh/authorized_keys on the target server.

5. If steps 3-4 are too much trouble, skip them and use the ssh-copy-id command, which does the same in one step.
$ ssh-copy-id -i ~/.ssh/id_rsa.pub 10.10.10.11

$ ssh-copy-id -h
Usage: /usr/bin/ssh-copy-id [-i [identity_file]] [user@]machine

After that, we can log on to the remote server through ssh without entering a password.
For example, if the public key of the local user luser is appended to the ~/.ssh/authorized_keys file in the home directory of the remote user ruser, then luser can run ssh ruser@10.10.10.11 (the remote IP). Be clear about which local user maps to which remote user.


6. Sometimes, even after completing the above steps, we still cannot log on without a password. Check the following:

Confirm that the permissions of the remote ~/.ssh/authorized_keys file are correct and that its content is intact.

Make sure the public key is correct.

Run ssh -vvv <ip address> to see whether an error is reported during the connection, and troubleshoot based on what it shows.

Check the remote log /var/log/audit.log for the reported error.

Check whether the remote /etc/ssh/sshd_config and the local /etc/ssh/ssh_config configurations are normal.

Try restarting the sshd service.
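The checks in step 6, together with the permission rule from the note under step 3, as a small script. This is an added example, not code from the original article; it assumes a Linux host with GNU or busybox stat, checks permissions, ownership and that every authorized_keys entry is one complete line, and does not look at SELinux labels (that is step 7).

```shell
#!/bin/sh
# check_ssh_trust.sh (added example, not from the original article): flag the
# permission, ownership and content problems that make sshd silently ignore
# ~/.ssh/authorized_keys. Usage: sh check_ssh_trust.sh <home_dir>

mode_of()  { stat -c '%a' "$1" 2>/dev/null; }   # octal mode (GNU/busybox stat)
owner_of() { stat -c '%U' "$1" 2>/dev/null; }   # owning user name

# A usable entry is "[options] key-type base64 [comment]" on ONE line; a key
# that was wrapped or pasted in pieces fails this test.
key_line_ok() {
    printf '%s\n' "$1" | grep -Eq \
      '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9.@-]+) [A-Za-z0-9+/]+=*'
}

# Prints one "BAD:" line per finding; returns 0 when clean, 1 otherwise.
check_ssh_trust() {
    home=${1:-$HOME}; dir="$home/.ssh"; keys="$dir/authorized_keys"; rc=0
    who=$(owner_of "$home")
    # sshd (StrictModes yes, the default) ignores the keys if the home directory
    # is group- or world-writable; the note in step 3 goes further and asks for 700.
    case "$(mode_of "$home")" in
        *[2367][0-7]|*[0-7][2367]) echo "BAD: $home is group/world writable"; rc=1 ;;
    esac
    [ "$(mode_of "$dir")" = 700 ]  || { echo "BAD: $dir is not mode 700"; rc=1; }
    [ "$(mode_of "$keys")" = 600 ] || { echo "BAD: $keys is missing or not mode 600"; rc=1; }
    for p in "$dir" "$keys"; do   # everything in the chain must belong to the login user
        [ "$(owner_of "$p")" = "$who" ] || { echo "BAD: $p is not owned by $who"; rc=1; }
    done
    if [ -f "$keys" ]; then
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case "$line" in ''|'#'*) continue ;; esac
            key_line_ok "$line" || { echo "BAD: $keys line $n is not a complete key entry"; rc=1; }
        done < "$keys"
    fi
    return $rc
}

# Run as a script: check the given home directory and exit with the result.
if [ $# -gt 0 ]; then check_ssh_trust "$1"; exit $?; fi
```

Run it on the remote server as sh check_ssh_trust.sh /home/ruser; a clean exit status means the directory chain is acceptable to sshd.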

7. SELinux is enabled, and the ssh client is still asked for a password.
View the security context of the files as follows:
# ls -laZ .ssh/
drwx------  root ?                                  .
dr-xr-x---. root system_u:object_r:admin_home_t:s0  ..
-rw-r--r--  root ?                                  authorized_keys
-rwx------  root ?                                  id_dsa
-rwx------  root ?                                  id_dsa.pub
-rwx------  root ?                                  id_rsa
-rwx------  root ?                                  id_rsa.pub

As shown above, the security context of the files in my .ssh directory is not set correctly. Run restorecon -r -vv .ssh/ to fix it, set SELinux to enforcing, and restart the server for it to take effect.

After the fix:
# ls -laZ .ssh/
drwx------. root system_u:object_r:ssh_home_t:s0   .
dr-xr-x---. root system_u:object_r:admin_home_t:s0 ..
-rw-r--r--. root system_u:object_r:ssh_home_t:s0   authorized_keys
-rwx------. root system_u:object_r:ssh_home_t:s0   id_dsa
-rwx------. root system_u:object_r:ssh_home_t:s0   id_dsa.pub
-rwx------. root system_u:object_r:ssh_home_t:s0   id_rsa
-rwx------. root system_u:object_r:ssh_home_t:s0   id_rsa.pub

If the .ssh directory is not labelled ssh_home_t as shown above, run restorecon -r -vv /home/ to restore the security context of the directory and its files.

This problem usually happens when the home directory was originally part of the root filesystem rather than a separate partition, and a new partition was later formatted and mounted as the home directory.

You can also run setenforce 0 to disable SELinux (or edit /etc/selinux/config, which takes effect after a restart) instead of repairing the file security contexts.

# getenforce
Disabled
[root@dbbak_bj_10 ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
