These are very common commands, but they just would not work.
1 Problem record
[root@cdc-cmssim38 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b0:f1:af:78:2d:3b:6e:55:f7:19:f0:77:b6:78:1d:c4 root@cdc-cmssim38
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| . E |
| o + |
| = . .++|
| . S . ..oO|
| .. . +o|
| o. . |
| .=.. |
| .+++ |
+-----------------+
[root@cdc-cmssim38 ~]#
[root@cdc-cmssim38 ~]#
[root@cdc-cmssim38 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@xx.xx.xx.xx
root@10.245.250.39's password:
Now try logging into the machine, with "ssh 'root@10.245.250.39'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
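But automatic SSH login does not work, whereas in the other direction, from 39 to 38, the setup actually succeeded.
2 Investigating the problem, I found several possibilities
1) A system bug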
[root@cdc-cmssim39 ~]# restorecon -R -v ~/
After trying this, I found it did not solve the problem.
2) A permissions problem
For example, here:
Make sure the permissions on the ~/.ssh directory and its contents are proper. When I first set up my ssh key auth, I didn't have the ~/.ssh folder properly set up, and it yelled at me.
Your home directory ~, your ~/.ssh directory and the ~/.ssh/authorized_keys file on the remote machine must be writable only by you: rwx------ and rwxr-xr-x are fine, but rwxrwx--- is no good¹, even if you are the only user in your group (if you prefer numeric modes: 700 or 755, not 775).
If ~/.ssh or authorized_keys is a symbolic link, the canonical path (with symbolic links expanded) is checked.
Your ~/.ssh/authorized_keys file (on the remote machine) must be readable (at least 400), but you'll need it to be also writable (600) if you will add any more keys to it.
Your private key file (on the local machine) must be readable and writable only by you: rw-------, i.e. 600.
Also, if SELinux is set to enforcing, you may need to run restorecon -R -v ~/.ssh (see e.g. Ubuntu bug 965663 and Debian bug report #658675; this is patched in CentOS 6).
In fact, it still did not work.
Later I found the log
/var/log/secure:
Dec 1 13:36:10 cdc-cmssim39 sshd[16909]: Authentication refused: bad ownership or modes for directory /root
Dec 1 13:36:15 cdc-cmssim39 sshd[16909]: Accepted password for root from 10.245.250.38 port 50385 ssh2
Dec 1 13:36:15 cdc-cmssim39 sshd[16909]: pam_unix(sshd:session): session opened for user root by (uid=0)
Solution
http://www.howtogeek.com/168156/fixing-authentication-refused-bad-ownership-or-modes-for-directory/
[root@cdc-cmssim39 ~]# chmod go-w ~/
[root@cdc-cmssim39 ~]# chmod 700 ~/.ssh
[root@cdc-cmssim39 ~]# chmod 600 ~/.ssh/authorized_keys
Now there is no problem ^_^
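
As an added example (not part of the original post and not OpenSSH code), the script below approximates the check behind the "bad ownership or modes" log line: the home directory, ~/.ssh and authorized_keys must each be owned by the user or root and must not be group- or world-writable. The function names are hypothetical, and GNU stat on Linux is assumed.

```shell
#!/bin/sh
# Added example, not OpenSSH code: approximates the ownership/mode test
# sshd applies before trusting authorized_keys. Assumes GNU stat.

# check_one PATH UID: returns 1 if PATH is owned by neither UID nor root,
# or if its group-write or other-write bit is set.
check_one() {
    path=$1; uid=$2
    # -L resolves symlinks, so the canonical target is what gets checked.
    info=$(stat -L -c '%a %u' -- "$path") || return 1
    mode=${info% *}; owner=${info#* }
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "bad ownership (uid $owner): $path"; return 1
    fi
    # A leading 0 makes the mode an octal constant; 022 = g+w and o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad modes ($mode): $path"; return 1
    fi
    echo "ok ($mode): $path"
}

# audit_ssh_perms HOME UID: checks the three paths from the post and
# returns the number that fail (0 = modes do not block key auth).
audit_ssh_perms() {
    home=$1; uid=$2; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; bad=$((bad + 1))
        elif ! check_one "$p" "$uid"; then
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: sh script.sh --audit   (run on the remote machine as the login user)
if [ "${1:-}" = "--audit" ]; then
    audit_ssh_perms "$HOME" "$(id -u)"
fi
```

A home directory left at mode 775 is reported as "bad modes", which is the case that chmod go-w ~/ corrects.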