ssh "permissions are too open"

Posted on 2025-01-05 21:18:18 · 250 characters · 0 views · 0 comments

I get the following error from ssh:

Permissions 0777 for '/Users/username/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.

What permissions should I give to the id_rsa file?

Comments (30)

半城柳色半声笛 2025-01-12 21:18:18

The keys need to be read-writable only by you:

chmod 600 ~/.ssh/id_rsa

Alternatively, the keys can be readable only by you (this also blocks your write access):

chmod 400 ~/.ssh/id_rsa

600 appears to be better in most cases, because you don't need to change file permissions later to edit it. (See the comments for more nuances.)

The relevant portion from the manpage (man ssh):

 ~/.ssh/id_rsa
         Contains the private key for authentication.  These files contain sensitive
         data and should be readable by the user but not accessible by others
         (read/write/execute).  ssh will simply ignore a private key file if it is
         accessible by others.  It is possible to specify a passphrase when
         generating the key which will be used to encrypt the sensitive part of
         this file using 3DES.

 ~/.ssh/identity.pub
 ~/.ssh/id_dsa.pub
 ~/.ssh/id_ecdsa.pub
 ~/.ssh/id_rsa.pub
         Contains the public key for authentication.  These files are not sensitive
         and can (but need not) be readable by anyone.

信愁 2025-01-12 21:18:18

Using Cygwin in Windows 8.1, there is a command that needs to be run:

chgrp Users ~/.ssh/id_rsa

Then the solution posted here can be applied; 400 or 600 is OK.

chmod 600 ~/.ssh/id_rsa

Reference here

空心空情空意 2025-01-12 21:18:18

I got the error on my Windows 10, so I set the permissions as follows and it works.

In detail, remove other users/groups until it has only 'SYSTEM' and 'Administrators'. Then add your Windows login to it with Read permission only.

Note the id_rsa file is under the c:\users\<username> folder.

二智少女 2025-01-12 21:18:18

Windows 10 ssh into Ubuntu EC2 "permissions are too open" error on AWS

I had this issue trying to ssh into an Ubuntu EC2 instance using the .pem file from AWS.

In Windows this worked when I put the key in a folder created under the .ssh folder:

C:\Users\USERNAME\.ssh\private_key

To change permission settings in Windows 10:

File Settings > Security > Advanced

  1. Disable inheritance
  2. Convert Inherited Permissions Into Explicit Permissions
  3. Remove all the permission entries except for Administrators

I could then connect securely.

窗影残 2025-01-12 21:18:18

The locale-independent solution that works on Windows 8.1 is:

chgrp 545 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa

GID 545 is a special ID that always refers to the 'Users' group, even if your locale uses a different word for Users.

一袭水袖舞倾城 2025-01-12 21:18:18

0600 is what mine is set at (and it's working)

勿挽旧人 2025-01-12 21:18:18

AFAIK the values are:

  • 700 for the hidden directory .ssh where key files are located

  • 600 for the keyfile id_rsa

梦巷 2025-01-12 21:18:18

I got a similar issue when I was trying to log in to a remote FTP server using public keys.
To solve this issue I did the following:

  • First find the location of the public keys, because when you try to log in to FTP, this public key is used.
  • Alternatively, you can create a key and set that key's permissions to 600.
  • Make sure you are in the correct location and run this command:

chmod 600 id_rsa

策马西风 2025-01-12 21:18:18

I had success with sudo:

sudo chmod 400 pem-file.pem
sudo ssh -i pem-file.pem [email protected]

旧街凉风 2025-01-12 21:18:18

On Windows 10, cygwin's chmod and chgrp weren't enough for me. I had to:

  • right-click on the file
  • -> Properties
  • -> Security (tab)
  • and remove all users and groups except for my active user.

執念 2025-01-12 21:18:18

Give it 400 permissions by executing the command below:

chmod 400 /Users/username/.ssh/id_rsa

忆离笙 2025-01-12 21:18:18

For Windows:

Strange, but the UI tweaks described here before did not help me.

But this solved the issue:

  1. Open PowerShell with admin rights
  2. Go to the directory with your keys (using the cd command)
  3. Enter the commands one by one:

$path = ".\{your private key file name}"   # for example "myKey"

so something like:

$path = ".\mykey"

Then remove your explicit permissions by typing:

icacls.exe $path /reset

Then assign read permission to the current user:

icacls.exe $path /GRANT:R "$($env:USERNAME):(R)"

Then remove inheritance:

icacls.exe $path /inheritance:r

Hope this will help someone.

日久见人心 2025-01-12 21:18:18

For Windows users only.
Go to file properties --> Security --> Advanced

  1. Disable the inheritance property.
  2. Convert Inherited Permissions Into Explicit Permissions.
  3. Remove all the permission entries except the Administrators.

奢望 2025-01-12 21:18:18

There is one exception to the 0x00 permissions requirement on a key. If the key is owned by root and group-owned by a group with users in it, then it can be 0440 and any user in that group can use the key.

I believe this will work with any permissions in the set 0xx0, but I haven't tested every combination with every version. I have tried 0660 with 5.3p1-84 on CentOS 6, with the group being a secondary group of the user rather than the primary group, and it works fine.

This would typically not be done for someone's personal key, but for a key used for automation, in a situation where you don't want the application to be able to mess with the key.

Similar rules apply to the .ssh directory restrictions.
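The owner-and-mode test behind the "too open" message in the accepted answer, and the root-owned 0440 exception described just above, as an added POSIX shell example that is not part of this thread. It assumes a GNU or BSD `stat`, and its way of spotting private keys (a PEM "PRIVATE KEY" header) is my own heuristic, not anything ssh does.

```shell
#!/bin/sh
# Added example (not from the thread). OpenSSH's client (sshkey_perm_ok in
# authfile.c) rejects a key only when it is owned by the calling user AND any
# group/other bit is set, i.e. (mode & 077) != 0. That is why a root-owned
# 0440 key still loads for a non-root member of its group.

# Print "<octal mode> <owner uid>" for a path; GNU stat first, BSD stat fallback.
file_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# Return 0 if ssh would accept the key's permissions, 1 if it would print
# "Permissions 0NNN for '<file>' are too open." and ignore the key.
key_perm_ok() {
    key=$1
    set -- $(file_mode_uid "$key")          # $1 = mode, $2 = owner uid
    if [ "$2" -eq "$(id -u)" ] && [ $(( 0$1 & 077 )) -ne 0 ]; then
        printf "Permissions 0%s for '%s' are too open.\n" "$1" "$key" >&2
        return 1
    fi
    return 0
}

# Audit a directory (default ~/.ssh): each regular file carrying a "PRIVATE KEY"
# PEM header (my heuristic) is checked. Prints how many keys ssh would ignore
# and returns 1 if that number is non-zero.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] && grep -q 'PRIVATE KEY' "$f" 2>/dev/null || continue
        key_perm_ok "$f" || bad=$((bad + 1))
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Apply the layout the thread converges on: 700 on the directory,
# 600 on private keys, 644 on public keys (other files are left alone).
fix_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    chmod 700 "$dir"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub) chmod 644 "$f" ;;
            *) if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then chmod 600 "$f"; fi ;;
        esac
    done
}
```

Run `audit_ssh_dir` first to see what ssh would reject; note that a 0440 key you own still fails the check, since the uid comparison is what makes the root-owned case pass.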

邮友 2025-01-12 21:18:18

Simply use the following:

sudo chmod 600 [Location of Private Key]/[Name of Private Key]
sudo chmod 700 [Location of Folder Containing Private Key]/[Name of Folder Containing Private Key]
sudo ssh -v -i key.pem [email protected]

顾冷 2025-01-12 21:18:18

This is what worked for me (on Mac):

sudo chmod 600 path_to_your_key.pem

then:

ssh -i path_to_your_key user@server_ip

Hope it helps.

仄言 2025-01-12 21:18:18

In case you are using WSL on Windows:

The simplest answer is to just type: sudo ssh -i keyfile.pem <user>@ip

without changing the file permissions.
The reason why this happens?
Another resource

You can't modify the permissions of files on Windows's filesystem
using chmod on Bash on Ubuntu on Windows. You'll have to copy the
private key to your WSL home directory (~) and do it there.

On the other hand, sudo should never be used with ssh. The reason issuing it with sudo works is that it is now likely being executed as root; this is not the correct way to do this and is a massive security risk, as allowing anything other than 600/400 permissions defeats the purpose of using an SSH key, compromising the security of the key.

The best way to do that is by copying the file to $HOME/.ssh:

cp keyfile.pem ~/.ssh

Then do sudo chmod 400 keyfile.pem on it.

Then ssh -i keyfile.pem <user>@ip.

路还长,别太狂 2025-01-12 21:18:18

In addition to the accepted answer, if you have tried all the suggested means and you are using "wsl" Ubuntu on Windows, you can prepend "sudo" to your ssh command, e.g.

sudo ssh -i xxx.pem [email protected]

苏辞 2025-01-12 21:18:18

I got the same issue after migrating from another Mac.
And it blocked connecting to GitHub with my key.

I reset the permissions as below and it works well now.

chmod 700 ~/.ssh     # (drwx------)
cd ~/.ssh
chmod 644 *.pub      # (-rw-r--r--)
chmod 600 id_rsa     # (-rw-------)

血之狂魔 2025-01-12 21:18:18

For me (using the Ubuntu Subsystem for Windows) the error message changed to:

 Permissions 0555 for 'key.pem' are too open

after using chmod 400.
It turns out that using root as the default user was the reason.

Change this using the cmd:

 ubuntu config --default-user your_username

故乡的云 2025-01-12 21:18:18

As people have said, in Windows I just dropped my .pem file in C:\Users\[user]\.ssh\ and that solved it. Although you can do chmod and other command-line options from a bash or PowerShell prompt, that didn't work. I didn't change rsa or anything else. Then when running the connection you have to put the path to the pem file in the .ssh folder:

ssh -i "C:\Users\[user]\.ssh\ubuntukp01.pem" ubuntu@ec[ipaddress].us-west-2.compute.amazonaws.com

迷雾森÷林ヴ 2025-01-12 21:18:18

What worked for me:

chgrp Users FOLDER

chmod 600 FOLDER

一场信仰旅途 2025-01-12 21:18:18

700  folder
644  id_rsa.pub

This works for me.

土豪 2025-01-12 21:18:18

I keep all my own certificates and keys in one directory, and this works for tools like PuTTY, but I got this "too open" error message from the scp command. I discovered that Windows already maintains a C:\users\ACCOUNTNAME\.ssh folder having the proper access rights for storing SSH keys. So long as you keep the contents backed up (Windows sometimes deletes it during updates), or create your own folder for ssh keys in your user folder, this will work fine, as only you and the administrators have access to that parent folder.

Be very careful about changing access rights on Windows folders. I did this, and once a day Windows scans, reads, and writes all the files on my C: drive, a process that slows the computer for many minutes.

瑕疵 2025-01-12 21:18:18

Interesting message here.
Operating systems are smart enough to deny remote connections if your private key is too open. It understands the risk where the permissions for id_rsa are wide open (readable and editable by anyone).

{One may change your lock first and then open it with the keys he already has}

cd ~/.ssh
chmod 400 id_rsa

While working on multiple servers (non-production), most of us feel the need to connect to remote servers with ssh. A good idea is to have a piece of application-level code (maybe Java using JSch) to create ssh trusts between servers. This way the connection will be password-less. In case Perl is installed, one may use the Net SSH module too.

阿楠 2025-01-12 21:18:18

In my case the issue was one whitespace too many.

ssh -i mykey.pem  [email protected]

but

ssh -i mykey.pem [email protected]

worked fine. The problem is that the whitespace is taken as part of the username.

黯淡〆 2025-01-12 21:18:18

I was getting this issue on WSL on Windows while connecting to AWS instance. My issue got resolved by switching to classic Command prompt. You can try switching to a different terminal interface and see if that helps.

若能看破又如何 2025-01-12 21:18:18

The other trick is to do that in the Downloads folder.
After you download the private key from the AWS EC2 instance, the file will be in this folder; then simply type the command

ssh-keygen -y -f myprivateKey.pem > mypublicKey.pub

泪眸﹌ 2025-01-12 21:18:18

I am using Windows 10 and trying to connect to an EC2 instance via SSH. Rather than using Cygwin for Windows, try using Git Bash. After doing chmod 400 on the key I am able to SSH into the EC2 instance, but the same is not working for me from Cygwin. Windows treats the .pem file as coming from the internet and blocks it; even disabling inheritance doesn't work.

I converted the file to .ppk format and it's working fine from PuTTY also, but it's not working from Cygwin.

心在旅行 2025-01-12 21:18:18

I came across this error while I was playing with Ansible. I changed the permissions of the private key to 600 in order to solve this problem. And it worked!

chmod 600 .vagrant/machines/default/virtualbox/private_key