Our project's automated build tool needs scp, and to avoid typing a password I set up a trust relationship between the two machines.
Machine A
1. # ssh-keygen -b 1024 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d1:25:06:5b:77:c6:6b:15:2a:62:cf:8e:b9:92:d7:25 root@bogon
The key's randomart image is:
+--[ RSA 1024]----+
| ..+ o.o..|
| = + oo .|
| oo.. . o |
| ..+ . o |
| S o . |
| +E . |
| .o..o |
| o ... |
| o. |
+-----------------+
2. # scp -p /root/.ssh/id_rsa.pub root@B机器_ip:/root/.ssh/authorized_keys
The password still has to be entered once here, the first time.
That should have been enough, but scp kept asking for a password.
Looking around online, most answers said the permissions on authorized_keys and the .ssh directory were wrong,
so I started changing the file permissions:
chmod 700 authorized_keys
chmod 600 authorized_keys
chmod 644 authorized_keys
including the permissions on the .ssh directory. It still didn't work.
Next I edited /etc/ssh/sshd_config:
#PermitRootLogin yes
#RSAAuthentication yes
#PubkeyAuthentication yes
I uncommented these settings, and it still didn't work.
On machine A:
#cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Then debugging with ssh -vvv localhost:
# ssh -vvv localhost
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 864 bytes for a total of 885
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss
Nothing wrong there, so the problem had to be on machine B.
A colleague told me to check the SELinux status:
#/usr/sbin/sestatus -v
SELinux was enabled. I ran
#setenforce 0
which turned SELinux off, and scp worked normally.
My colleague said that a lot of strange problems are caused by SELinux, and that it's usually just turned off.
From what I read, SELinux policies are rarely maintained by anyone, impose many restrictions and cause many problems, so they are generally disabled.
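The checks below, added here and not part of the original post, go through the same suspects in order on machine B (modes under .ssh, whether the key is actually present in authorized_keys, and the SELinux label on the directory) and point at restorecon rather than setenforce 0 when the label is wrong. The script name sshcheck.sh and the paths in the usage line are assumed, and it needs GNU stat.

```shell
#!/bin/sh
# Added diagnostic for the two causes chased in this post (modes under ~/.ssh and
# the SELinux label on it); not part of the original post. Assumes GNU stat.
# Run on machine B as the login user:  sh sshcheck.sh /root/.ssh /root/id_rsa.pub

# sshd with StrictModes (the default) ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is group/world writable or owned by
# another user; the exact modes matter less than that (700/600 is the usual pair).
secure_path() {
  [ "$(stat -c %U "$1" 2>/dev/null)" = "$(id -un)" ] || { echo "$1: not owned by $(id -un)"; return 1; }
  case "$(stat -c %A "$1" | cut -c6,9)" in *w*) echo "$1: writable by group/other"; return 1;; esac
  return 0
}

check_ssh_perms() {            # $1 = .ssh directory (the home directory is not checked here)
  secure_path "$1" && secure_path "$1/authorized_keys"
}

# The scp in the post replaced authorized_keys wholesale; confirm the key from
# the .pub file ($1) is listed in authorized_keys ($2), comparing key type and
# material only, since the trailing comment may differ.
key_installed() {
  want=$(awk '{print $1, $2}' "$1")
  awk -v k="$want" '($1 " " $2) == k { found = 1 } END { exit (found ? 0 : 1) }' "$2"
}

# Under SELinux, sshd may only read an authorized_keys labelled ssh_home_t. A
# directory or file carrying another label is fixed by relabelling it, which
# keeps enforcement on; setenforce 0 (what the post did) switches the check off
# until the next reboot.
check_selinux_label() {        # $1 = .ssh directory
  command -v getenforce >/dev/null 2>&1 || { echo "no SELinux tools, skipped"; return 0; }
  echo "SELinux mode: $(getenforce)"
  n=$(ls -dZ "$1" "$1/authorized_keys" 2>/dev/null | grep -c ssh_home_t || true)
  if [ "$n" = 2 ]; then echo "$1: labels ok"; return 0; fi
  echo "$1: unexpected label, fix with: restorecon -R -v $1"; return 1
}

if [ $# -eq 2 ]; then
  check_ssh_perms "$1" && key_installed "$2" "$1/authorized_keys" \
    && check_selinux_label "$1" && echo "all checks passed"
fi
```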