Build Linux ssh trust and solutions to common problems
1. Generate an ssh key pair on the local server. If one already exists, skip this step.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Press Enter to generate the key files in the local ~/.ssh/ directory. If the key files already exist, skip this step. (For more on how to use ssh-keygen, see ssh-keygen -h.)
After generation the files look like this:
$ ls -ltra ~/.ssh/id_rsa*
-rw-r--r--. 1 root 408 May 4 /root/.ssh/id_rsa.pub
-rw-------. 1 root 1675 May 4 13:20 /root/.ssh/id_rsa
2. Log on to the remote server through ssh and open the firewall for the local server. If the firewall already allows it, skip this step.
$ /sbin/iptables -I INPUT -i eth0 -s 10.10.10.10 -p tcp -m tcp --dport 22 -j ACCEPT
After adding the firewall rule, make sure that port 22 on the remote server (10.10.10.11) can be reached from the local server (assume the IP address of the local server is 10.10.10.10 and the IP address of the remote server is 10.10.10.11).
3. Confirm that the ~/.ssh/authorized_keys file and its directory exist on the remote server. If they do not exist, create them; if they already exist, skip this step.
$ ls -ltra ~/ | grep ssh
drwx------. 2 root 4096 May 4 13:38 .ssh
$ ls -ltr .ssh/authorized_keys
-rw-------. 1 root 408 May 4 13:38 .ssh/authorized_keys
Note: the ~/.ssh/authorized_keys file must have permission 600, the ~/.ssh directory must have permission 700, and the user's home directory must have permission 700. Otherwise the trust will not work.
4. Append the content of the public key file generated on the local machine (~/.ssh/id_rsa.pub) to ~/.ssh/authorized_keys on the remote server.
$ cat .ssh/id_rsa.pub
Paste the output of the command above into ~/.ssh/authorized_keys on the target server.
5. If steps 3-4 are too much trouble, skip them and use the ssh-copy-id command to do it in one step.
$ ssh-copy-id -i ~/.ssh/id_rsa.pub 10.10.10.11
$ ssh-copy-id -h
Usage: /usr/bin/ssh-copy-id [-i [identity_file]] [user@]machine
After that, we can log on to the remote server through ssh without entering a password.
For example, if the public key of the local user luser is appended to the ~/.ssh/authorized_keys file in the home directory of the remote user ruser, then the local user can run ssh ruser@10.10.10.11 (the remote ip). The mapping between the local user and the remote user being accessed must be clear.
6. In some cases we may run into errors: even after completing the steps above, we still cannot log on without a password. Check the following:
Confirm that the permissions of the remote ~/.ssh/authorized_keys file are correct and that the file content is intact.
Make sure the public key is correct.
Use ssh -vvv <ip> to check whether an error is reported during the connection and troubleshoot based on the actual output.
Check the remote /var/log/audit.log for the reported error.
Check whether the remote target server's /etc/ssh/sshd_config and the local /etc/ssh/ssh_config are configured normally.
Try restarting the sshd service.
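The note in step 3 and the first check in step 6 both come down to file permissions, so here is a small check script for them. This is an added example, not code from the original post; it assumes GNU stat (Linux) and takes the home directory of the remote user as its argument. It applies the article's rules as stated (home 700, ~/.ssh 700, authorized_keys 600) and additionally compares the owner of authorized_keys with the owner of the home directory, since sshd ignores a key file owned by another user.

```sh
#!/bin/sh
# Added example (not from the original post): verify the permission
# prerequisites for key-based login on one home directory.
# Assumes GNU stat (Linux). Usage: check_ssh_perms /home/ruser

# mode_of PATH -> octal permission bits, e.g. 700
mode_of() {
    stat -c '%a' "$1"
}

# check_ssh_perms HOME_DIR
# Prints one line per problem found. Returns 0 when every rule holds,
# 1 when any rule fails or a required path is missing.
check_ssh_perms() {
    home="$1"
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"
    rc=0

    if [ ! -d "$ssh_dir" ]; then
        echo "missing: $ssh_dir"
        return 1
    fi
    if [ ! -f "$auth" ]; then
        echo "missing: $auth"
        return 1
    fi

    # Rules from the article: home 700, .ssh 700, authorized_keys 600.
    for spec in "$home:700" "$ssh_dir:700" "$auth:600"; do
        path=${spec%:*}
        want=${spec##*:}
        have=$(mode_of "$path")
        if [ "$have" != "$want" ]; then
            echo "bad mode on $path: have $have, want $want"
            rc=1
        fi
    done

    # sshd refuses authorized_keys owned by someone other than the user,
    # so the file owner must match the owner of the home directory.
    owner_home=$(stat -c '%u' "$home")
    owner_auth=$(stat -c '%u' "$auth")
    if [ "$owner_home" != "$owner_auth" ]; then
        echo "owner mismatch: $auth is uid $owner_auth, home is uid $owner_home"
        rc=1
    fi
    return $rc
}
```

Run it on the remote server as root against the target user's home directory; an empty output and exit status 0 means the permission side of the trust is in order, and each printed line names exactly which path to chmod or chown.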
7. After SELinux is enabled, the ssh client is prompted for a password again.
Check the security context of the files as follows:
# ls -laZ .ssh/
drwx------  root ?                                  .
dr-xr-x---. root system_u:object_r:admin_home_t:s0 ..
-rw-r--r--  root ?                                  authorized_keys
-rwx------  root ?                                  id_dsa
-rwx------  root ?                                  id_dsa.pub
-rwx------  root ?                                  id_rsa
-rwx------  root ?                                  id_rsa.pub
As shown above, the security context of the files in my .ssh directory does not match. Use restorecon -r -vv .ssh/ to fix it, set SELinux to enforcing, and restart the server for it to take effect.
After the fix it looks like this:
# ls -laZ .ssh/
drwx------. root system_u:object_r:ssh_home_t:s0   .
dr-xr-x---. root system_u:object_r:admin_home_t:s0 ..
-rw-r--r--. root system_u:object_r:ssh_home_t:s0   authorized_keys
-rwx------. root system_u:object_r:ssh_home_t:s0   id_dsa
-rwx------. root system_u:object_r:ssh_home_t:s0   id_dsa.pub
-rwx------. root system_u:object_r:ssh_home_t:s0   id_rsa
-rwx------. root system_u:object_r:ssh_home_t:s0   id_rsa.pub
If the .ssh directory is not labelled ssh_home_t as shown above, use restorecon -r -vv /home/ to restore the security context of the files under the home directory.
This problem is usually caused by the home directory originally living on the root partition instead of a partition of its own; it appears after a new partition is formatted and mounted as the home directory.
You can also disable SELinux with setenforce 0 (or edit /etc/selinux/config and reboot for it to take effect) instead of repairing the file security contexts.
# getenforce
Disabled
[root@dbbak_bj_10 ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
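To spot the labelling problem from step 7 without eyeballing the listing, the following added example (not code from the original post) scans ls -laZ output for entries whose SELinux context is missing ("?") or is not ssh_home_t. It works on captured text, so it runs offline on the constructed sample below (modelled on the article's "before" listing); on a live host, pipe the real ls -laZ ~/.ssh/ output into the function. The name ssh_mislabeled and the sample listing are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): find entries in an
# `ls -laZ ~/.ssh` listing whose SELinux label is "?" or not ssh_home_t.

# Constructed sample, modelled on the article's "before" listing.
SAMPLE_LISTING='drwx------  root root ?                                  .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-r--r--  root root ?                                  authorized_keys
-rwx------  root root ?                                  id_rsa
-rwx------. root root system_u:object_r:ssh_home_t:s0   id_rsa.pub'

# ssh_mislabeled reads ls -laZ lines on stdin and prints "<name> <context>"
# for every entry (other than the ".." parent) whose context is not
# ssh_home_t. The context column is found by shape (user:role:type:level
# or a bare "?"), so both the old five-column and the newer long-listing
# layouts work. Returns 1 if anything was mislabelled, 0 otherwise.
ssh_mislabeled() {
    awk '
        NF < 2 { next }
        $NF == ".." { next }
        {
            ctx = ""
            for (i = 1; i < NF; i++) {
                if ($i == "?" || $i ~ /^[^:]+:[^:]+:[^:]+:/) { ctx = $i; break }
            }
            if (ctx == "") next          # no label column at all: skip line
            if (ctx !~ /:ssh_home_t:/) { print $NF, ctx; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demonstration on the constructed sample; prints the three unlabelled
# entries (".", authorized_keys, id_rsa) and exits 1.
printf '%s\n' "$SAMPLE_LISTING" | ssh_mislabeled
```

A non-zero exit with names printed is the condition the article fixes with restorecon -r -vv .ssh/; re-run the check afterwards and an empty output with exit status 0 confirms every entry now carries ssh_home_t.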