Question: ssh error "permissions are too open"


I had a problem with my Mac where I could no longer save any file to disk. I had to reinstall OS X Lion and reset the file permissions and ACLs.

But now, when I want to commit to a repository, I get the following error from ssh:

Permissions 0777 for '/Users/username/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.

What permission levels should I give the id_rsa file?


1213




Answers:


The keys should be accessible only to you:

chmod 400 ~/.ssh/id_rsa

600 (as a rule better in most cases, because you don't need to change the file permissions in order to edit it).

The relevant part of the man page (man ssh):

 ~/.ssh/id_rsa
         Contains the private key for authentication.  These files contain sensitive
         data and should be readable by the user but not accessible by others
         (read/write/execute).  ssh will simply ignore a private key file if it is
         accessible by others.  It is possible to specify a passphrase when
         generating the key which will be used to encrypt the sensitive part of
         this file using 3DES.

 ~/.ssh/identity.pub
 ~/.ssh/id_dsa.pub
 ~/.ssh/id_ecdsa.pub
 ~/.ssh/id_rsa.pub
         Contains the public key for authentication.  These files are not sensitive
         and can (but need not) be readable by anyone.

2098



Using Cygwin on Windows 8.1, you need to run the command:

chgrp Users ~/.ssh/id_rsa

Then the solution posted here can be applied; 400 or 600 are fine.

chmod 600 ~/.ssh/id_rsa

Ref: http://vineetgupta.com/blog/cygwin-permissions-bug-on-windows-8


77



A locale-independent solution that works on Windows 8.1:

chgrp 545 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa

GID 545 is a special identifier that always refers to the "Users" group, even if you are using a different locale.


28



0600 is what I have set (and it works).


20



AFAIK the values are:

700 for the hidden directory ".ssh" where the key file is located

600 for the keyfile "id_rsa"


18



There is one exception to the "0x00" permissions requirement on a key. If the key is owned by root and group-owned by a group with users in it, then it can be "0440" and any user in that group can use the key.

I believe this will work with any permissions in the set "0xx0", but I haven't tested every combination with every version. I have tried 0660 with 5.3p1-84 on CentOS 6, with the group being not the primary group of the user but a secondary group, and it works fine.

This would typically not be done for someone's personal key, but for a key used for automation, in a situation where you don't want the application to be able to mess with the key.

Similar rules apply to the .ssh directory restrictions.


13
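An added example, not from any of the answers above, that reproduces the test ssh applies to a private key as the first answer and the "0xx0" exception describe (owner must match the caller, and then no group/other bits may be set) and audits a key directory with it; the function names, the ~/.ssh default and the GNU/BSD stat fallback are my assumptions:

```shell
#!/bin/sh
# Reproduces the test OpenSSH applies before loading a private key: a key
# owned by the calling user must have no group/other bits set
# (mode & 077 == 0); a key owned by another user (e.g. root, mode 0440)
# skips that check, which is the "0xx0" exception described above.

# Octal permission bits and numeric owner uid of a file; GNU stat first,
# then the BSD/macOS stat syntax.
file_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# 0 if ssh would accept the key, 1 if it would report "too open" and ignore it.
ssh_key_perm_ok() {
    key=$1
    set -- $(file_mode_uid "$key")
    [ $# -eq 2 ] || return 1
    mode=$1 uid=$2
    # Only keys owned by the current user are subject to the check.
    [ "$uid" -ne "$(id -u)" ] && return 0
    # The leading 0 makes the shell treat the digits as octal.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Report every private key under a directory (default ~/.ssh) that ssh would
# refuse, plus a directory that is not 700; returns 1 if anything needs fixing.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    rc=0
    set -- $(file_mode_uid "$dir")
    if [ $(( 0$1 & 077 )) -ne 0 ]; then
        echo "TOO OPEN $dir (fix: chmod 700 '$dir')"
        rc=1
    fi
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac   # public keys may be world-readable
        if ssh_key_perm_ok "$f"; then
            echo "ok       $f"
        else
            echo "TOO OPEN $f (fix: chmod 600 '$f')"
            rc=1
        fi
    done
    return $rc
}
```

Run `audit_ssh_dir` with no argument to check your own ~/.ssh; the exit status is 1 whenever at least one key or the directory itself would be rejected.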



What worked for me:

chgrp Users FOLDER

chmod 600 FOLDER


5



Interesting message here. Operating systems are smart enough to deny remote connections if your private key is too open. It understands the risk where permissions for id_rsa are wide open (read, is editable by anyone).

{ One might have changed your lock first and then open it with the keys he already had. }

cd ~/.ssh
chmod 400 id_rsa

PS:

While working on multiple servers (non-production), most of us feel the need to connect to a remote server with ssh. A good idea is to have a piece of application-level code (maybe Java using JSch) to create ssh trusts between servers. This way the connection will be passwordless. In case Perl is installed, one may use the net ssh module too.


2



I came across this error while I was playing with Ansible. I changed the permissions of the private key to 600 in order to solve this problem. And it worked!

chmod 600 .vagrant/machines/default/virtualbox/private_key

1



I am using a VPC on EC2 and was getting the same error messages. I noticed I was using the public DNS. I changed that to the private DNS and voila!! it worked...


-2