我应该担心这个吗...?
我尝试推送到我的服务器上的 git 存储库,所以我想我做了这样的事情
git remote add [email protected]
当我应该做的时候
git remote add [email protected]
无论如何我认为它要求我的密码但没有意识到发生了什么我给了它,这很奇怪。我认为该网站也获得了我的私钥,因为它可能首先尝试在 ~/.ssh 中使用我的密钥。
我现在应该更改密码和/或 rsa 密钥吗?执行类似操作是否会使用错误的 pass 或 rsa 密钥记录错误的密码尝试?我是否应该担心如果出现这种情况,网站所有者会尝试闯入我的网站?
另外,由于从登录尝试中看不出来我的网站名称实际上是什么,我是否在无谓地担心?我可以假设他不会尝试以 games 开头的所有域名组合吗
I tried pushing onto a git repo on my server, so I thought I did something like this
git remote add [email protected]
When I should have done
git remote add [email protected]
Anyway I thought it was weird that it asked for my password but not realizing what was happening I gave it. I think the site also got my private key as it probably tried to use my key in ~/.ssh first.
Should I now change my password and/or rsa key? Does doing something like that log an incorrect password attempt with the incorrect pass or the rsa key? Should I worry that if it does, the owner of the site will try to break into my site?
Also as it's not obvious from the login attempt what my site name actually is, am I fretting for nothing? Can I assume he won't try every combination of domains that start with games
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
首先,很高兴您注意到自己的错误并且您足够关心在这里提出这个问题。我想大多数人都会恢复正常工作而不用担心。
您可能不必担心网站所有者闯入您的网站。通常 ssh-server 不记录密码。无论如何,为了安全起见,我都会更改密码。
将来,请尝试注意 ssh 给您的警告(在您的情况下可能缺少
known_hosts条目)并认真对待它们,而不是盲目地按“是”。First of all, it's good that you noticed your error and that you care enough to ask this question here. I'd assume most people would get back to business and not worry.
You probably don't have to worry about the owner of the site breaking into yours. Usually ssh-server do not log passwords. I would change my password anyway, just to be safe.
In the future, try to heed the warnings ssh gives you (in your case probably a missing
known_hostsentry) and take them seriously instead of mindlessly pressing 'yes'.编辑:正如所指出的,由于您在连接到未知站点时输入了密码,因此请更改它。
至于你的私钥,只要它不共享相同的密码就可以了——最多远程站点只会嗅到你的公钥、你想要的用户名和你正在使用的 IP。该地址的某人正在主动监视单个“连接失败”日志行或执行任何阴险操作的可能性非常非常小。
如果您需要更多鼓励,并希望了解有关此类交易通常如何进行的更多信息,请谷歌“diffie/hellman 密钥交换”。
EDIT: As pointed out, since you entered your password when connecting to the unknown site, change it.
As to your private key, its fine as long as it doesn't share the same password - at most the remote site would have got a sniff of your public key only, your intended username, and ip your were using. The likelihood that someone at that address is actively monitoring the single 'failed connection' log line, or doing anything insidious is very, very, very small.
If you need more encouragement, and want more information about how such transactions typically go down, google "diffie/hellman key exchange".