Create a user named app on Linux, switch to the app user, generate an RSA key pair and set up passwordless (key-based) login for the app user:
# Generate the key pair
ssh-keygen -t rsa
# Append your own ~/.ssh/id_rsa.pub to your own ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# Permissions
chmod 600 ~/.ssh/authorized_keys
Then try the passwordless login:
ssh app@10.134.32.1
password:
It still prompts for a password. The troubleshooting process was as follows:
1. SELinux:
vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX=disabled
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Make sure SELINUX=disabled.
2. Check the /var/log/secure log:
2.1) The account is locked:
Jan 31 11:48:16 yssf-Linux-004 sshd[30417]: User app not allowed because account is locked
Jan 31 11:50:16 yssf-Linux-004 sshd[30417]: fatal: Timeout before authentication for 10.5,246.28 port 55356
The log shows that the app user account is locked. Unlocking the user works as follows:
# Lock the user
$ passwd -l app
Locking password for user app.
passwd: Success
# Check the user's status
$ passwd -S app
daygeek LK 2019-05-30 7 90 7 -1 (Password locked.)
# LK: password locked
# NP: no password set
# PS: password set
# Alternatively, check the locked status in /etc/shadow: if the account is locked, the password hash is prefixed with two exclamation marks.
$ grep daygeek /etc/shadow
daygeek:!!$6$tGvVUhEY$PIkpI43HPaEoRrNJSRpM3H0YWOsqTqXCxtER6rak5PMaAoyQohrXNB0YoFCmAuh406n8XOvBBldvMy9trmIV00:18047:7:90:7:::
# Unlock the user
$ passwd -u app
Unlocking password for user app.
passwd: Success
2.2) Permissions:
May 17 17:17:15 shaofei-test-mysql-01 sshd[24719]: Failed password for root from 172.172.230.211 port 17890 ssh2
May 17 17:17:17 shaofei-test-mysql-01 sshd[24719]: Failed password for root from 172.172.230.211 port 17890 ssh2
May 17 17:17:17 shaofei-test-mysql-01 sshd[24721]: Connection closed by 172.172.230.211
May 17 18:08:26 shaofei-test-mysql-01 sshd[25004]: Authentication refused: bad ownership or modes for directory /root
May 17 18:08:26 shaofei-test-mysql-01 sshd[25004]: Authentication refused: bad ownership or modes for directory /root
The log clearly shows that the key-based trust failed because of the permissions on the /root directory. It turned out that /root on 172.172.230.210 had mode 777; changing it to 700 or 750 fixed the problem.
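As an added example (not part of the original post), here is a small POSIX shell check that applies the same rule sshd enforces under its default StrictModes setting, producing the "bad ownership or modes" refusal seen in the log above: the home directory, ~/.ssh and ~/.ssh/authorized_keys must each be owned by the user (or root) and must not be group- or world-writable. The function name check_ssh_perms is my own; it assumes a stat(1) that accepts -c (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example, not from the original post.
# check_ssh_perms HOME_DIR
#   Prints one line per problem that would make sshd (StrictModes yes)
#   refuse public-key authentication for the owner of HOME_DIR.
#   Returns 0 when everything is acceptable, 1 otherwise.
check_ssh_perms() {
    home="$1"
    # The user we expect to own the files is the owner of the home directory.
    owner=$(stat -c '%U' "$home") || return 1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            bad=1
            continue
        fi
        mode=$(stat -c '%a' "$p")
        # Same test sshd uses: any group or other write bit (mode & 022) is fatal.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable: $p (mode $mode)"
            bad=1
        fi
        # sshd accepts ownership by the user or by root, nothing else.
        o=$(stat -c '%U' "$p")
        if [ "$o" != "$owner" ] && [ "$o" != root ]; then
            echo "not owned by $owner or root: $p (owner $o)"
            bad=1
        fi
    done
    return $bad
}

# Usage when run directly: check_ssh_perms /home/app
if [ -n "${1:-}" ]; then
    check_ssh_perms "$1"
fi
```

A clean result means the ownership and mode rules are satisfied; the account-lock check from section 2.1 (passwd -S) is a separate condition and is not covered here.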