1) Gen key
C:\Ken\Perl\Learning>ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/c/Users/chenk6/.ssh/id_rsa):[Enter]
Enter passphrase (empty for no passphrase):[Enter]
Enter same passphrase again:[Enter]
Your identification has been saved in /c/Users/chenk6/.ssh/id_rsa.
Your public key has been saved in /c/Users/chenk6/.ssh/id_rsa.pub.
The key fingerprint is:
48:fc:6f:4d:01:28:bc:53:3c:17:66:0c:e0:be:6b:ca chenk6@CNRDCHENK6L1C
2) Create .ssh dir on remote host if necessary
[lpadmin@eng56433 lpadmin]$ mkdir .ssh
[lpadmin@eng56433 lpadmin]$ chmod 700 .ssh
### Important mode change, otherwise 'Authentication refused: bad ownership or modes for file /home/nasadmin/.ssh' in /var/log/secure
3) scp the key to remote host
c:\Users\chenk6\.ssh>scp id_rsa.pub lpadmin@10.245.64.33:/home/lpadmin/.ssh
4) On remote host, add this public key to “authorized_keys”:
[lpadmin@eng56433 .ssh]$ cat id_rsa.pub >> authorized_keys
[lpadmin@eng56433 .ssh]$ chmod 600 authorized_keys
### Important mode change, otherwise 'Authentication refused: bad ownership or modes for file /home/nasadmin/.ssh/authorized_keys' in /var/log/secure
5) Execute remote command without password
c:\Users\chenk6\.ssh>ssh lpadmin@10.245.64.33 "id lpadmin > whoami"
Tips,
1) turn on the ssh -v -vvv for debugging
2) Check the following lines are enabled in /etc/ssh/ssh_config
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
…
StrictModes yes
PubkeyAuthentication yes
3) If we still can't get it worked (usually for root user), check if SELinux prohibits from reading "authorized_keys"
cd /var/log and grep -r authorized_keys *
If find something like
...
audit/audit.log:type=AVC msg=audit(1367795090.214:41348): avc: denied { read } for pid=25998 comm="sshd" name="authorized_keys" dev=dm-0 ino=1835026 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
...
Execute the following command to fix this.
restorecon -v /root/.ssh/authorized_keys
Or we can disable the SELinux which usually is not a good idea.
setenforce 0