Linux SSH Passwordless Login, Part 2: Why the Configuration Does Not Take Effect

Source: Internet  Published under: Databases and relational databases  Editor: 程序博客网  Time: 2024/06/08 07:08
  • Error 1: directory and file permissions
  • Error 2: wrong directory label

Error 1: directory and file permissions

Question

Passwordless login does not take effect.

Answer

  • The .ssh directory must have mode 700
  • The .ssh/authorized_keys file must have mode 600
    The basic commands are:
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys

Reference

The reason is that overly permissive modes mean the security of the ssh login cannot be guaranteed, so sshd stops honoring the key. The official documentation says:

man sshd
.....
     ~/.ssh/authorized_keys
             Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in as this user.  The format of
             this file is described above.  The content of the file is not highly sensitive, but the recommended
             permissions are read/write for the user, and not accessible by others.

             If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the
             file could be modified or replaced by unauthorized users.  In this case, sshd will not allow it to be
             used unless the StrictModes option has been set to "no".
.....

Error 2: wrong directory label

Question

On some Linux systems (Red Hat 6.5 / CentOS 7), applying the fix from problem 1 does not solve it. We located the problem by debugging with ssh -v.

sh-3.2# ssh -v root@192.168.100.63
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.100.63 [192.168.100.63] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /var/root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /var/root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /var/root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to 192.168.100.63:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64@openssh.com none
debug1: kex: client->server aes128-ctr umac-64@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:mxdRr3cfr86jDyAS8l7MoxfsM0GQqJkAlp0G2XwHBLM
# this shows verification succeeded: the authorized_keys record was found
debug1: Host '192.168.100.63' is known and matches the RSA host key.
debug1: Found key in /var/root/.ssh/known_hosts:19
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
# the lines below show that public-key authentication did not succeed, so the client fell through to the next method
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /var/root/.ssh/id_dsa
debug1: Trying private key: /var/root/.ssh/id_ecdsa
debug1: Trying private key: /var/root/.ssh/id_ed25519
debug1: Next authentication method: password

Answer

Earlier, every .ssh directory generated by the ssh-keygen -t rsa command worked for passwordless login, but one we created ourselves with mkdir -p never did! After looking into it, it turned out that a directory also carries something called a label. The following command shows where the difference lies:

.bak is the system-generated .ssh directory that I renamed
[root@rhel6 ~]# ls -laZ
drwx------. root root unconfined_u:object_r:ssh_home_t:s0   .bak
drwx------. root root unconfined_u:object_r:admin_home_t:s0 .ssh

The system-generated directory indeed carries the label ssh_home_t:s0, while the one we created ourselves has admin_home_t:s0, so we just need to change it.

The command to fix it is as follows:

restorecon -r -vv /root/.ssh    # for other users, substitute ~/.ssh

That resolves the problem. The chmod command and the ssh passwordless-login script will be covered in detail in other articles.
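As an added example (not from the original post), a small POSIX sh audit function that checks both causes discussed above in one pass: the StrictModes requirement that the home directory, ~/.ssh and authorized_keys are not writable by group or others, and the SELinux type on ~/.ssh. It assumes GNU coreutils `stat` (for `%a` and `%C`) and only reports; it changes nothing.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils stat.
# Usage: audit_ssh_dir /root      (or audit_ssh_dir "$HOME" for another user)

# Return 0 when the path is not writable by group or others, 1 otherwise.
not_writable_by_others() {
    # stat -c %a prints the octal mode without leading zero, e.g. 700, 644, 1777
    nw_mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    # Pick the group and other digits; each octal digit is < 8, so treating
    # the number as decimal digits is safe (1777 -> group 7, other 7).
    nw_g=$(( (nw_mode / 10) % 10 ))
    nw_o=$(( nw_mode % 10 ))
    # bit 2 of a permission digit is the write bit
    [ $(( nw_g & 2 )) -eq 0 ] && [ $(( nw_o & 2 )) -eq 0 ]
}

# Print one line per condition that makes sshd (StrictModes yes) ignore the
# key, plus a wrong SELinux label. Returns 0 when the layout is acceptable.
audit_ssh_dir() {
    a_home="$1"
    a_rc=0
    for a_p in "$a_home" "$a_home/.ssh" "$a_home/.ssh/authorized_keys"; do
        if [ ! -e "$a_p" ]; then
            echo "missing: $a_p"
            a_rc=1
            continue
        fi
        if ! not_writable_by_others "$a_p"; then
            echo "writable by group/others, StrictModes will reject the key: $a_p"
            a_rc=1
        fi
    done
    # stat -c %C prints the SELinux context, or "?" when SELinux is absent.
    a_ctx=$(stat -c %C "$a_home/.ssh" 2>/dev/null)
    case "$a_ctx" in
        ""|"?") ;;                 # no SELinux on this host: nothing to check
        *ssh_home_t*) ;;           # the label the post shows on a working directory
        *) echo "SELinux type is not ssh_home_t (fix: restorecon -r -vv $a_home/.ssh): $a_ctx"
           a_rc=1 ;;
    esac
    return $a_rc
}
```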

