ssh 密钥登陆的文件权限问题
2021-11-29 本文已影响0人
蟹蟹宁
前因
自以为已经非常熟练的使用ssh密钥对登陆服务器的我,居然也翻车了……
昨天在服务器上开了一个新的用户,却发现无论怎么样也没办法登陆!
后果
今天早上又想起了这个人生污点,查了一下,确定原来是文件权限的问题,必须要给定如下的权限才可以。
之所以忘记了这个设定,是的,我回忆起了一开始用的时候的确是要配置文件权限的。是因为最近用的大多数我都用的默认权限,没有出问题,如下图。
可能版本不同?
调查
这个时候, 如果你想准确且快速的得到答案, 那么就去翻阅以下Linux的ssh手册[1]:
总结
我在外网, 找到了一个人做的对于常用配置文件的总结性表格[2]:
+------------------------+-------------------------------------+-------------+-------------+
| Directory or File | Man Page | Recommended | Mandatory |
| | | Permissions | Permissions |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/ | There is no general requirement to | 700 | |
| | keep the entire contents of this | | |
| | directory secret, but the | | |
| | recommended permissions are | | |
| | read/write/execute for the user, | | |
| | and not accessible by others. | | |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/authorized_keys | This file is not highly sensitive, | 600 | |
| | but the recommended permissions are | | |
| | read/write for the user, and not | | |
| | accessible by others | | |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/config | Because of the potential for abuse, | | 600 |
| | this file must have strict | | |
| | permissions: read/write for the | | |
| | user, and not accessible by others. | | |
| | It may be group-writable provided | | |
| | that the group in question contains | | |
| | only the user. | | |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/identity | These files contain sensitive data | | 600 |
| ~/.ssh/id_dsa | and should be readable by the user | | |
| ~/.ssh/id_rsa | but not accessible by others | | |
| | (read/write/execute) | | |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/identity.pub | Contains the public key for | 644 | |
| ~/.ssh/id_dsa.pub | authentication. These files are | | |
| ~/.ssh/id_rsa.pub | not sensitive and can (but need | | |
| | not) be readable by anyone. | | |
+------------------------+-------------------------------------+-------------+-------------+
参考
- ^OpenBSD manual page - ssh(1) https://man.openbsd.org/ssh
- ^Permissions on private key in .ssh folder? https://superuser.com/questions/215504/permissions-on-private-key-in-ssh-folder