
Happened to run into this error when connecting; rwx stand for read

Time: 2019-10-02 12:26  Source: 美高梅集团

Today, while using git clone on a project, I ran into the following problem:


Notes on configuring ssh in cygwin

Cloning into 'ssd-syn'...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/sailfish/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/Users/sailfish/.ssh/id_rsa": bad permissions
git@ip's password:
Permission denied, please try again.
git@ip's password:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for '/home/root/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/root/.ssh/id_rsa
git@172.16.98.152's password:


  • Solution:

I was using two ssh tools, NX and putty, to connect to the remote server, and happened to hit this error when connecting. It said the key file's permissions were too open, presumably because the key file's attributes had been changed.
I later looked it up online: changing the permissions to 600 fixes it.

Step 1: configure ssh-host-config

chmod  600  /home/xiaoqiang.he/.ssh/*

[email protected] /bin

cd ~/.ssh
chmod 700 id_rsa

$ ssh-host-config

  • Final permission listing

    (Image: Paste_Image.png, the final permission listing)

  • Thinking about the problem: although the problem is solved, I still don't know what causes it. rwx stand for the read, write and execute permissions respectively; chmod 700 only adds the x (execute) permission, so what file type is id_rsa? I couldn't find an answer online. Personally I think it must be an executable file: as the file that stores the key for an ssh connection, it presumably needs to be executed during authentication. Would someone who knows explain?

  • Pasting the StackOverflow answer below

[admin@ip-localhost ~]$ 
[admin@ip-localhost ~]$ !scp
scp -i key/admin.pem  bak.tar.gz  admin@192.168.1.200:/ 
ssh: connect to host 192.168.1.200 port 22: Connection timed out    // this error is because the firewall has not accepted the port
lost connection   
[admin@ip-localhost ~]$ scp -i key/admin.pem  bak.tar.gz  admin@192.168.1.100:/home/admin
The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.
ECDSA key fingerprint is 55:46:d4:c5:8e:56:fa:87:fa:34:bc:d8:8a:5d:bb:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.100' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'key/admin.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: key/admin.pem
Permission denied (publickey).
lost connection
[admin@ip-localhost ~]$ ll key/admin.pem 
-rw-rw-r-- 1 admin admin 1692 Dec  6 11:08 key/admin.pem
[admin@ip-localhost ~]$ 
[admin@ip-localhost ~]$ 
[admin@ip-localhost ~]$ chmod 600 key/admin.pem
[admin@ip-localhost ~]$ 
[admin@ip-localhost ~]$ 
[admin@ip-localhost ~]$ 
[admin@ip-localhost ~]$ scp -i key/admin.pem  bak.tar.gz  admin@192.168.1.100:/home/admin
bak.tar.gz                                                                                                                                                                         100% 1016MB 112.9MB/s   00:09    
[admin@ip-localhost ~]$ 
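The warning above comes from a permission check that ssh applies to every private key before using it: the key is rejected if any permission bit is set for group or others, while the owner's bits, including execute, are never consulted. The script below is an added example written for this page (not code from the post or from OpenSSH) that mirrors that rule on a constructed placeholder key file, reports which modes ssh would accept, and applies the chmod 600 fix from the post. The helper names are this example's own.

```python
import os
import stat
import tempfile
from typing import Dict, Tuple

# Helpers invented for this example; OpenSSH's real check is implemented in C.


def key_mode_is_acceptable(mode: int) -> bool:
    """OpenSSH's rule for private keys: no permission bit may be set for group
    or others (mode & 077 must be 0). The owner's bits are not examined, which
    is why 0600 and 0700 are both accepted and 0644 / 0664 are both refused."""
    return (mode & 0o077) == 0


def check_private_key(path: str) -> Tuple[bool, str]:
    """Report on a key file in the spirit of ssh's own warning text."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not key_mode_is_acceptable(mode):
        return False, f"Permissions {mode:04o} for '{path}' are too open; this private key will be ignored."
    return True, f"Permissions {mode:04o} for '{path}' are acceptable."


def harden_private_key(path: str) -> int:
    """Apply the fix from the post (owner read/write only) and return the new mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_modes(modes=(0o644, 0o664, 0o600, 0o700, 0o400)) -> Dict[int, bool]:
    """Create a CONSTRUCTED placeholder file (not a real key), try each mode,
    and return which modes ssh would accept."""
    results: Dict[int, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id_rsa")
        with open(path, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        for m in modes:
            os.chmod(path, m)
            ok, msg = check_private_key(path)
            print(msg)
            results[m] = ok
    return results


def demo_fix() -> Tuple[int, bool]:
    """Start from the 0644 seen in the post, harden, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id_rsa")
        with open(path, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(path, 0o644)
        new_mode = harden_private_key(path)
        ok, _ = check_private_key(path)
    return new_mode, ok


if __name__ == "__main__":
    demo_modes()
    print("after chmod 600:", demo_fix())
```

Run it on any Linux or macOS box; the placeholder file lives in a temporary directory that is removed afterwards. The same rule explains why chmod 600 is the usual fix: the execute bit that chmod 700 adds is simply not part of what ssh examines.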


Address:

You changed the permissions on the whole directory, which I agree with Splash is a bad idea. If you can remember what the original permissions for the directory are, I would try to set them back to that and then do the following

cd ~/.ssh
chmod 700 id_rsa

inside the .ssh folder. That will set the id_rsa file to rwx (read, write, execute) for the owner only, and zero access for everyone else.

If you can't remember what the original settings are, add a new user and create a set of SSH keys for that user, thus creating a new .ssh folder which will have default permissions. You can use that new .ssh folder as the reference for permissions to reset your .ssh folder and files to.

If that doesn't work, I would try doing an uninstall of msysgit, deleting ALL .ssh folders on the computer (just for safe measure), then reinstalling msysgit with your desired settings and try starting over completely (though I think you told me you tried this already).

Edited: Also just found this link via Google -- Fixing "WARNING: UNPROTECTED PRIVATE KEY FILE!" on Linux. While it's targeted at Linux, it might help since we're talking Linux permissions and such.

Below is what I used and it worked. Source was ec2 and target was home machine.

sudo rsync -azvv -e "ssh -i /home/ubuntu/key-to-ec2.pem" ec2-user@xx.xxx.xxx.xx:/home/ec2-user/source/ /home/ubuntu/target/

This worked for me:

nohup rsync -zravu --partial --progress -e "ssh -i xxxx.pem" ubuntu@xx.xx.xx.xx:/mnt/data /mnt2/ &

After suffering a little bit, I believe this will help:

I am using the below command and it has worked without problems:

rsync -av --progress -e ssh /folder1/folder2/* root@xxx.xxx.xxx.xxx:/folder1/folder2

First consideration:

Use the --rsync-path

I prefer in a shell script:

#!/bin/bash
RSYNC=/usr/bin/rsync
$RSYNC [options] [source] [destination]

Second consideration:

Create a public key with the command below for communication between the servers in question. It will not be the same as the one provided by Amazon.

ssh-keygen -t rsa

Do not forget to enable permission on the target server in /etc/ssh/sshd_config (UBUNTU and CENTOS).

Sync files from one EC2 instance to another

Use the -v option for verbose output and to better identify errors.

Third consideration

If both servers are on EC2, make a restriction by security group

In the security group of the destination server:

inbound: Source / TCP port 22 / IP Security (or group name) of the source server

ssh-host-config output (continued from above):

*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Generating /etc/ssh_host_ecdsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) no
*** Info: Updating /etc/sshd_config file
*** Info: Creating default /etc/inetd.d/sshd-inetd file
*** Info: Updated /etc/inetd.d/sshd-inetd

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: [] ntsec

*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
*** Info: or later.  On these systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).
No, not correct.
As it turns out, this is something I do regularly with ssh, as well as both sftp and rsync, as part of my backup and load balancing approaches for Ask Leo! Let me walk you through what I’ve done.

 

SSH Configuration
To begin with, most of this relies on the configuration of sshd, the SSH (Secure SHell) daemon running on the server you're attempting to connect to (we'll call it "server2.com"). Check the "sshd_config" on that server, typically in /etc/ssh. In some cases, these settings are not present or not set the way we need:
RSAAuthentication yes
PubkeyAuthentication yes
This enables the public/private key authentication mechanism we’re about to use.
Public/Private Key Generation
We’ll generate the keypair on the Linux box that you want to connect from. We’ll call that “server1.com”. It’s that box on which you plan to run ssh, sftp or rsync.
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
c1:21:e3:01:26:0d:f7:ec:52:0e:0c:90:9b:6e:d8:47 user1@server1.com
What I've done with the command above is generate a public/private key pair. I responded to each prompt by hitting Return.

Note that I did NOT enter a passphrase. That’s kind of important, because if you do enter a passphrase you’ll need to enter it in order to use the private key. Since we’re looking for an automated solution, the private key must not have a passphrase.
This is important: by not placing a passphrase on your private key, the security implication is that mere possession of the private key is sufficient to gain access to what ever resources into which you’ve placed the corresponding public key. Safeguard your private key.
My private key was placed in /home/user1/.ssh/id_rsa. This needs to be kept secure, because of the security implication above, but also needs to be available to the process attempting to make an ssh, sftp or rsync connection. If these tools are run under the ‘user1’ account, the tools will automatically look in the “.ssh” directory and I won’t need to specify the private key location. Otherwise, command line options will need to point to the right place and key.
My public key is in /home/user1/.ssh/id_rsa.pub. This is the key that gets distributed to those places that want to grant you access.
Planting the public key
On the “remote” server, server2.com, pick an account – ANY account – that you want to connect as. In that account’s home directory, create a “.ssh” subdirectory, and in that directory create a new text file called “authorized_keys”. If it already exists, that’s fine, use the existing file.
If you create the file and/or directory, I recommend that the directory be chmod 700, and the file 600. In other words, only the owner can access the directory, and the file within it.
Add to that file the contents of the id_rsa.pub file created above. That would be a *single line* that looks something like this:
ssh-rsa <lots of characters> user1@server1.com
Once saved, anyone in possession of the private key that matches this public key can log in as this account.
sftp
I planted the public key in the account user2 on server2.com. So now, on my server, server1.com, logged in as user1, and where the private key is stored as described above, an sftp session looks like this:
sftp user2@server2.com
“user2” specifies the remote account on server2.com to login as.
That’s it. Magic happens, and I’m authenticated. That magic? The private key is matched to the public key, which indicates you are authorized to login to that account. An sftp session is born. No interactivity required.
(IF you did enter a passphrase on the private key, you would have been prompted to enter it here. NOTE that this is the passphrase to unlock the private key, which is local. It has nothing to do with any passwords on the remote site.)
rsync
For file copy operations, rsync rocks. It does things like intelligent compression, copy only if needed, and a whole host of other operations.
So, assuming all the keys are set up as above, this rsync command copies a file from the local machine to the remote:
rsync -e ssh file user2@server2.com:/home/user2/
Local file “file” is copied to the remote /home/user2/file after logging in as “user2” using ssh as the transport (hence the “-e ssh” option), and with that, using the private/public key pair we created for authentication. Again, no interactivity required.
Rsync supports an incredibly rich set of options for recursion, compression, attribute retention, date/time stamps and so on. Well worth a look-see if you're copying anything of significant volume.
SSH
Since we’ve gone this far, it’s worth noting that SSH itself just works as well to open up a remote shell once the keys are in place. Example:
ssh user2@server2.com
and *poof* – a remote shell on server2, logged in as user2.
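The "planting the public key" step above is where most mistakes happen: a mispasted line, a duplicate entry, or a .ssh directory left world-readable. The script below is an added example written for this page (it is not the article's code and not ssh-copy-id) that installs a public key line into a user's authorized_keys the way the article recommends: it validates the line by decoding the base64 blob and checking that the key type recorded inside it matches the declared type, adds the key only once, and leaves the directory at 700 and the file at 600. It also reads the PubkeyAuthentication directive from an sshd_config text with sshd's first-value-wins rule. The sample key line it uses is constructed (32 zero bytes standing in for an Ed25519 public key) and is not a usable key; all helper names are this example's own.

```python
import base64
import os
import stat
import struct
import tempfile
from typing import Dict, Tuple

# Helpers invented for this example; they are not part of OpenSSH.


def make_sample_key_line(comment: str = "user1@server1.com") -> str:
    """Build a CONSTRUCTED authorized_keys line in SSH wire format: the blob is a
    sequence of length-prefixed strings, the first of which repeats the key type.
    The 32 zero bytes are a placeholder, not a real Ed25519 public key."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", 32) + bytes(32)
    return f"{ktype.decode()} {base64.b64encode(blob).decode()} {comment}"


def parse_authorized_key(line: str) -> Tuple[str, bytes, str]:
    """Validate '<type> <base64 blob> [comment]' and return (type, blob, comment).
    The blob's leading string must equal the declared type, which catches a
    truncated or mispasted key before it is written to authorized_keys."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return ktype, blob, comment


def is_valid_key_line(line: str) -> bool:
    try:
        parse_authorized_key(line)
        return True
    except ValueError:
        return False


def install_public_key(home: str, line: str) -> str:
    """Append the key to <home>/.ssh/authorized_keys once (idempotent), with the
    directory at 0700 and the file at 0600 as the article recommends."""
    ktype, blob, comment = parse_authorized_key(line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                 # makedirs honours umask; force the mode
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [l.rstrip("\n") for l in f if l.strip()]
    canonical = f"{ktype} {base64.b64encode(blob).decode()}"
    # Compare on type + blob only, so a different comment does not create a duplicate.
    already = any(" ".join(l.split(None, 2)[:2]) == canonical for l in existing)
    if not already:
        existing.append(canonical + (f" {comment}" if comment else ""))
        with open(path, "w") as f:
            f.write("\n".join(existing) + "\n")
    os.chmod(path, 0o600)
    return path


def pubkey_auth_enabled(sshd_config: str) -> bool:
    """Read PubkeyAuthentication from sshd_config text. sshd uses the first
    occurrence of a keyword and defaults to yes; Match blocks are not handled."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == "pubkeyauthentication" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True


def demo() -> Dict[str, object]:
    """Run the whole flow inside a constructed temporary home directory."""
    line = make_sample_key_line()
    with tempfile.TemporaryDirectory() as home:
        path = install_public_key(home, line)
        install_public_key(home, line)                          # repeat: no-op
        install_public_key(home, line.replace("user1", "u1"))   # new comment: no-op
        with open(path) as f:
            count = sum(1 for l in f if l.strip())
        return {
            "lines": count,
            "file_mode": stat.S_IMODE(os.stat(path).st_mode),
            "dir_mode": stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode),
            "pubkey_default": pubkey_auth_enabled("# nothing set\n"),
            "pubkey_off": pubkey_auth_enabled("PubkeyAuthentication no\nPubkeyAuthentication yes\n"),
        }


if __name__ == "__main__":
    print(demo())
```

Point install_public_key at a real home directory only after checking the key line with is_valid_key_line; the blob check is what distinguishes a key pasted from id_rsa.pub from a line that was wrapped or truncated by an editor on the way over.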

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
