A case where SSH public-key login was configured but still asked for a password: the SELinux permissions trap
1. Configure the public key on the remote host
The easiest way is to use the ssh-copy-id command:
[root@k8s-master ~]# ssh-copy-id
Usage: /usr/bin/ssh-copy-id [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname
-f: force mode -- copy keys without trying to check if they are already installed
-n: dry run -- no keys are actually copied
-h|-?: print this help
Generate the key pair on the local host, with no passphrase, then copy the public key to the remote host.
[root@k8s-master ~]# ssh-keygen -t rsa
[root@k8s-master ~]# ssh-copy-id username@ip
2. Test the connection with the ssh command
[root@k8s-master ~]# ssh -vvv username@ip
The password prompt still appeared.
3. Finding the cause
Check the directory and file permissions on the remote host:
[itadmin@localhost ~]$ ls -ld ~/.ssh                   # mode is 700
[itadmin@localhost ~]$ ls -ld ~/.ssh/authorized_keys   # mode is 600
[itadmin@localhost ~]$ tail -f /var/log/secure         # watch this log during the ssh connection to see the error messages
Oddly, none of these checks showed a problem, and comparing the contents of sshd_config with a host that logs in normally showed no difference either.
Both hosts also had SELinux enabled.
Right, the problem was probably that Linux's mandatory access control (SELinux) was enabled, which imposes many additional requirements on permissions...
The following command revealed the difference between the two hosts, as shown in the figure:
[itadmin@localhost ~]$ ls -laZd ~/.ssh
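As an added example (not code from the original post), the check the post performs by eye, written as a script: it parses lines in the CentOS 6 `ls -laZd` format (mode, owner, group, context, name) and flags both loose permission bits and a wrong SELinux type. It assumes the targeted policy's `ssh_home_t` type for `~/.ssh` and its files; the sample lines, the `user_home_t` mislabel and the function names `audit_line`/`audit_listing` are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: audit the entries the post
# inspects by hand, classic permissions plus SELinux type, by parsing lines in
# the CentOS 6 `ls -laZd` format (mode owner group context name).
# Assumption: the targeted policy labels ~/.ssh and its files ssh_home_t.
EXPECTED_TYPE="ssh_home_t"

# audit_line "<ls -Z line>": print a verdict, return 0 if the entry is sane.
# Field 1 is the mode string; the context is whichever field contains ":object_r:".
audit_line() {
    local line="$1" mode ctx setype name rc=0
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    ctx=$(printf '%s\n' "$line" | awk '{for (i=1;i<=NF;i++) if ($i ~ /:object_r:/) print $i}')
    name=$(printf '%s\n' "$line" | awk '{print $NF}')
    setype=${ctx#*:}; setype=${setype#*:}; setype=${setype%%:*}   # third colon-separated field
    # DAC check: no group/other bits at all (700 on the dir, 600 on the file).
    case "$mode" in
        d???------*) ;;          # directory, group/other empty
        -??-------*) ;;          # regular file, owner-only, not executable
        *) echo "BAD mode $mode on $name"; rc=1 ;;
    esac
    # MAC check: with SELinux enforcing, sshd can only read authorized_keys
    # when the directory and file carry the ssh_home_t type.
    if [ "$setype" != "$EXPECTED_TYPE" ]; then
        echo "BAD context ${ctx:-<none>} on $name (want type $EXPECTED_TYPE)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok $name"
    return "$rc"
}

# audit_listing: read ls -Z lines on stdin, return the number of bad entries.
audit_listing() {
    local bad=0 line
    while IFS= read -r line; do
        [ -n "$line" ] && { audit_line "$line" || bad=$((bad + 1)); }
    done
    [ "$bad" -gt 0 ] && echo "fix: restorecon -Rv ~/.ssh, then chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys"
    return "$bad"
}

# Constructed sample lines. The third is the kind of mislabelled entry the post
# hit: a file moved into ~/.ssh with mv keeps the label of where it came from.
GOOD_DIR='drwx------. itadmin itadmin unconfined_u:object_r:ssh_home_t:s0 .ssh'
GOOD_KEY='-rw-------. itadmin itadmin unconfined_u:object_r:ssh_home_t:s0 authorized_keys'
BAD_KEY='-rw-------. itadmin itadmin unconfined_u:object_r:user_home_t:s0 authorized_keys'
BAD_MODE='-rw-r--r--. itadmin itadmin unconfined_u:object_r:ssh_home_t:s0 authorized_keys'

printf '%s\n' "$GOOD_DIR" "$GOOD_KEY" "$BAD_KEY" "$BAD_MODE" | audit_listing
echo "bad entries: $?"
```

On a real host, feed it `ls -laZd ~/.ssh ~/.ssh/authorized_keys | audit_listing`; a non-zero count with a context complaint is exactly the case the post hit, and `restorecon` (described in the reference below) resets the labels to the policy default.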
4. Appendix: command reference
# man ls
-Z, --context
Display security context so it fits on most displays. Displays only mode, user, group, security context
and file name.
[itadmin@dlzhongtaitestapollo ~]$ chcon --help
Usage: chcon [OPTION]... CONTEXT FILE...
or: chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
or: chcon [OPTION]... --reference=RFILE FILE...
Change the SELinux security context of each FILE to CONTEXT.
With --reference, change the security context of each FILE to that of RFILE.
--dereference affect the referent of each symbolic link (this is
the default), rather than the symbolic link itself
-h, --no-dereference affect symbolic links instead of any referenced file
--reference=RFILE use RFILE's security context rather than specifying
a CONTEXT value
-R, --recursive operate on files and directories recursively
-v, --verbose output a diagnostic for every file processed
-u, --user=USER set user USER in the target security context
-r, --role=ROLE set role ROLE in the target security context
-t, --type=TYPE set type TYPE in the target security context
-l, --range=RANGE set range RANGE in the target security context
The following options modify how a hierarchy is traversed when the -R
option is also specified. If more than one is specified, only the final
one takes effect.
-H if a command line argument is a symbolic link
to a directory, traverse it
-L traverse every symbolic link to a directory
encountered
-P do not traverse any symbolic links (default)
--help display this help and exit
--version output version information and exit
Report chcon bugs to bug-coreutils@gnu.org
GNU coreutils home page: <http://www.gnu.org/software/coreutils/>
General help using GNU software: <http://www.gnu.org/gethelp/>
For complete documentation, run: info coreutils 'chcon invocation'
[itadmin@localhost ]$ man restorecon
NAME
restorecon - restore file(s) default SELinux security contexts.
SYNOPSIS
restorecon [-o outfilename ] [-R] [-n] [-p] [-v] [-e directory ] pathname...
restorecon -f infilename [-o outfilename ] [-e directory ] [-R] [-n] [-p] [-v] [-F]
DESCRIPTION
This manual page describes the restorecon program.
This program is primarily used to reset the security context (type) (extended attributes) on one or more files.
It can be run at any time to correct errors, to add support for new policy, or with the -n option it can just
check whether the file contexts are all as you expect.
If a file object does not have a context, restorecon will write the default context to the file object’s
extended attributes. If a file object has a context, restorecon will only modify the type portion of the
security context. The -F option will force a replacement of the entire context.
OPTIONS
-i ignore files that do not exist
-f infilename
infilename contains a list of files to be processed by application. Use - for stdin.
-e directory
directory to exclude (repeat option for more than one directory.)
-R -r change files and directories file labels recursively
-n don’t change any file labels.
-o outfilename
save list of files with incorrect context in outfilename.
-p show progress by printing * every 1000 files.
-v show changes in file labels.
-F Force reset of context to match file_context for customizable files, and the default file context,
changing the user, role, range portion as well as the type.
ARGUMENTS
pathname... The pathname for the file(s) to be relabeled.
NOTE
restorecon does not follow symbolic links.
AUTHOR
This man page was written by Dan Walsh <dwalsh@redhat.com>. Some of the content of this man page was taken from
the setfiles man page written by Russell Coker <russell@coker.com.au>. The program was written by Dan Walsh
<dwalsh@redhat.com>.
SEE ALSO
load_policy(8), checkpolicy(8) setfiles(8)
2002031409 restorecon(8)
Note: this problem occurred on CentOS 6; on CentOS 7, where I changed the context of the .ssh directory with the chcon command, the problem did not occur.
[itadmin@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.32-504.el6.x86_64 #1 SMP Tue Sep 16 01:56:35 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
Reference links: