使用 Git GUI 或 ssh-keygen 的 SSH 私钥权限过于开放
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1556119/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
SSH Private Key Permissions using Git GUI or ssh-keygen are too open
提问by Ben Scheirman
Recently I've been unable to clone or push to github, and I'm trying to find the root cause.
最近我一直无法克隆或推送到github,我正在努力寻找根本原因。
This is on windows
这是在窗户上
I have cygwin + git as well as msysgit.
我有 cygwin + git 以及 msysgit。
Msysgit was installed with the following options:
Msysgit 是使用以下选项安装的:
- OpenSSH
- Use Git from Windows Command Prompt
- 开放式SSH
- 从 Windows 命令提示符使用 Git
That gives me 4 environments to try to use git in:
这给了我 4 个尝试在以下环境中使用 git 的环境:
- Windows cmd prompt
- Powershell
- Git Bash
- Cygwin
- Windows cmd 提示符
- 电源外壳
- git bash
- 赛格温
Somehow I've managed to get myself into a position where when I try to clone a repository using msysgit, cmd.exe, or Powershell, I get the following error:
不知何故,我设法让自己处于一个位置,当我尝试使用 msysgit、cmd.exe 或 Powershell 克隆存储库时,出现以下错误:
> Initialized empty Git repository in
> C:/sandbox/SomeProject/.git/
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0644 for
> '/c/Users/Ben/.ssh/id_rsa' are too
> open. It is recommended that your
> private key files are NOT accessible
> by others. This private key will be
> ignored. bad permissions: ignore key:
> /c/Users/Ben/.ssh/id_rsa Permission
> denied (publickey). fatal: The remote
> end hung up unexpectedly
This is using the .ssh folder in my c:\users\ben\ folder, which is what is used by msysgit. I suspect cygwin works because the .ssh folder is located elsewhere, but I'm not sure why
这是使用我的 c:\users\ben\ 文件夹中的 .ssh 文件夹,这是 msysgit 使用的。我怀疑 cygwin 可以工作,因为 .ssh 文件夹位于其他地方,但我不确定为什么
In Git Bash, I check the permissions:
在 Git Bash 中,我检查了权限:
$ ls -l -a ~/.ssh
Which gives me:
这给了我:
drwxr-xr-x 2 Ben Administ 0 Oct 12 13:09 .
drwxr-xr-x 34 Ben Administ 8192 Oct 12 13:15 ..
-rw-r--r-- 1 Ben Administ 1743 Oct 12 12:36 id_rsa
-rw-r--r-- 1 Ben Administ 399 Oct 12 12:36 id_rsa.pub
-rw-r--r-- 1 Ben Administ 407 Oct 12 13:09 known_hosts
These permissions are apparently too relaxed. How they got this way, I have no idea.
这些权限显然太宽松了。他们是怎么走到这一步的,我不知道。
I can try to change them...
我可以尝试改变它们...
$ chmod -v -R 600 ~/.ssh
which tells me:
这告诉我:
mode of `.ssh' changed to 0600 (rw-------)
mode of `.ssh/id_rsa' changed to 0600 (rw-------)
mode of `.ssh/id_rsa.pub' changed to 0600 (rw-------)
mode of `.ssh/known_hosts' changed to 0600 (rw-------)
But it seems to have no effect. I still get the same error, and doing
但是好像没什么效果。我仍然遇到同样的错误,并且正在做
$ ls -l -a ~/.ssh
yields the same permissions as before.
产生与以前相同的权限。
UPDATE:
更新:
I tried to fix the permissions to those files in cygwin, and cygwin reports their permissions correctly, gitbash does not: alt text http://cdn.cloudfiles.mosso.com/c54102/app7962031255448924.jpg
我试图在 cygwin 中修复这些文件的权限,并且 cygwin 正确报告了它们的权限,gitbash 没有: alt text http://cdn.cloudfiles.mosso.com/c54102/app7962031255448924.jpg
Any ideas on how I can really fix these permissions?
关于如何真正修复这些权限的任何想法?
回答by Koby
You changed the permissions on the whole directory, which I agree with Splash is a bad idea. If you can remember what the original permissions for the directory are, I would try to set them back to that and then do the following
您更改了整个目录的权限,我同意 Splash 是个坏主意。如果您还记得目录的原始权限是什么,我会尝试将它们重新设置为该权限,然后执行以下操作
cd ~/.ssh
chmod 700 id_rsa
inside the .ssh folder. That will set the id_rsa file to rwx (read, write, execute) for the owner (you) only, and zero access for everyone else.
.ssh 文件夹内。这会将 id_rsa 文件设置为仅所有者(您)的 rwx(读取、写入、执行),而其他所有人的访问权限为零。
If you can't remember what the original settings are, add a new user and create a set of SSH keys for that user, thus creating a new .ssh folder which will have default permissions. You can use that new .ssh folder as the reference for permissions to reset your .ssh folder and files to.
如果您不记得原始设置是什么,请添加一个新用户并为该用户创建一组 SSH 密钥,从而创建一个具有默认权限的新 .ssh 文件夹。您可以使用该新 .ssh 文件夹作为将 .ssh 文件夹和文件重置为的权限参考。
If that doesn't work, I would try doing an uninstall of msysgit, deleting ALL .ssh folders on the computer (just for safe measure), then reinstalling msysgit with your desired settings and try starting over completely (though I think you told me you tried this already).
如果这不起作用,我会尝试卸载 msysgit,删除计算机上的所有 .ssh 文件夹(只是为了安全措施),然后使用您想要的设置重新安装 msysgit 并尝试完全重新开始(尽管我认为您告诉我你已经试过了)。
Edited: Also just found this link via Google -- Fixing "WARNING: UNPROTECTED PRIVATE KEY FILE!" on LinuxWhile it's targeted at linux, it might help since we're talking liunx permissions and such.
编辑:也刚刚通过谷歌找到这个链接——修复“警告:未受保护的私钥文件!” 在 Linux 上虽然它是针对 linux 的,但它可能会有所帮助,因为我们正在谈论 liunx 权限等。
回答by kittikun
There is a bug with cygwin's chmod, please refer to:
cygwin的chmod有一个bug,请参考:
https://superuser.com/questions/397288/using-cygwin-in-windows-8-chmod-600-does-not-work-as-expected
https://superuser.com/questions/397288/using-cygwin-in-windows-8-chmod-600-does-not-work-as-expected
chgrp -Rv Users ~/.ssh/*
chmod -vR 600 ~/.ssh/id_rsa
回答by Tuncay G?ncüo?lu
For *nix systems, the obvious fix is chmod 600 id_rsaofc, but on windows 7 I had to hit my head against the wall for a while, but then I found the magic solution:
对于 *nix 系统,明显的解决方法是chmod 600 id_rsaofc,但在 Windows 7 上,我不得不用头撞墙一段时间,但后来我找到了神奇的解决方案:
go to My Computer / Right Click / Properties / Advanced System Settings / Environment Variables and DELETEthe variable (possibly from both system and user environment):
转到我的电脑/右键单击/属性/高级系统设置/环境变量并删除变量(可能从系统和用户环境中删除):
CYGWIN
长城
Basically, its a flaw in mingw32 used by git windows binary, seeing all files 644 and all folders 755 always. Removing the environment variable does not change that behaviour, but it appearantly tells ssh.exe to ignore the problem. If you do set proper permissions to your id_rsa through explorers security settings (there really is no need to have any other user in there than your own, not "everyone", not "administrators", not "system". none. just you), you'll still be secure.
基本上,它是 git windows 二进制文件使用的 mingw32 中的一个缺陷,总是看到所有文件 644 和所有文件夹 755。删除环境变量不会改变该行为,但它似乎告诉 ssh.exe 忽略该问题。如果您确实通过资源管理器安全设置为您的 id_rsa 设置了适当的权限(除了您自己的用户之外,实际上不需要任何其他用户,不是“所有人”,不是“管理员”,不是“系统”。没有。只有你) ,您仍然会很安全。
Now, why mingw32, a different system than cygwin, would make anyuse of the CYGWIN environment variable, is beyond me. Looks like a bug to me.
现在,为什么mingw32的,不同的系统的cygwin,将使任何使用Cygwin环境变量的,我是无法理解。对我来说看起来像一个错误。
回答by Steve Clay
I'm on XP and this allowed Git Bash to communicate w/ Github (after much frustration):
我在 XP 上,这允许 Git Bash 与 Github 进行通信(在经历了很多挫折之后):
- copy
c:\cygwin\bin\cyg*(~50 files) toc:\Program Files\Git\bin\ - copy
c:\cygwin\bin\ssh.exetoc:\Program Files\Git\bin\(overwriting) Create the file
c:\Documents and Settings\<username>\.ssh\configcontaining:Host github.com User git Hostname github.com PreferredAuthentications publickey IdentityFile "/cygdrive/c/Documents and Settings/<username>/.ssh/id_rsa"(optional) Use
ssh -v git@githubto see the connection debugged.- Try a push!
- 复制
c:\cygwin\bin\cyg*(约 50 个文件)到c:\Program Files\Git\bin\ - 复制
c:\cygwin\bin\ssh.exe到c:\Program Files\Git\bin\(覆盖) 创建
c:\Documents and Settings\<username>\.ssh\config包含以下内容的文件:Host github.com User git Hostname github.com PreferredAuthentications publickey IdentityFile "/cygdrive/c/Documents and Settings/<username>/.ssh/id_rsa"(可选)
ssh -v git@github用于查看已调试的连接。- 试试推!
Background: The general problem is a combination of these two:
背景:一般问题是这两个的组合:
- BUG: mingw32 sees all files as 644 (other/group-readable), and nothing I tried in mingw32, cygwin, or Windows could fix it.
- mingw32's SSH version won't allow that for private keys (generally a good policy in a server).
- BUG:mingw32 将所有文件视为 644(其他/组可读),我在 mingw32、cygwin 或 Windows 中尝试过的任何文件都无法修复它。
- mingw32 的 SSH 版本不允许私钥(通常在服务器中是一个很好的策略)。
回答by Brett Pennings
For Windows 7 using the Git found here(it uses MinGW, not Cygwin):
对于使用此处找到的 Git 的 Windows 7 (它使用 MinGW,而不是 Cygwin):
- In the windows explorer, right-click your id_rsa file and select Properties
- Select the Security tab and click Edit...
- Check the Deny box next to Full Control for all groups EXCEPT Administrators
- Retry your Git command
- 在 Windows 资源管理器中,右键单击您的 id_rsa 文件并选择属性
- 选择安全选项卡,然后单击编辑...
- 选中所有组的完全控制旁边的拒绝框,除了管理员
- 重试您的 Git 命令
回答by diannaL
OK so here is how I actually forced the change on my Windows files regarding the permissions themselves on Win7: Find your ssh key in windows explorer: C:\Users[your_user_name_here].ssh\id_rsa
好的,这就是我实际上如何强制更改我的 Windows 文件中关于 Win7 本身的权限:在 Windows 资源管理器中找到您的 ssh 密钥:C:\Users[your_user_name_here].ssh\id_rsa
Right-click on file>Properties>Security tab>Advanced button>Change permissions
右键单击文件>属性>安全选项卡>高级按钮>更改权限
Now remove everyone that is not actually your username. This includes Administrator and System users. At this point you may get a dialogue about inheriting permissions- choose the option that DOESN'T inherit- since we only want to change this file.
现在删除所有实际上不是您的用户名的人。这包括管理员和系统用户。此时你可能会看到一个关于继承权限的对话框——选择不继承的选项——因为我们只想改变这个文件。
Click OK and save till done.
单击确定并保存直到完成。
I fought with this for days because my windows would not change the file permissions from the command line. This way it is also ACTUALLY done- instead of using exciting work arounds that make can have odd consequences.
我为此奋斗了好几天,因为我的 Windows 不会从命令行更改文件权限。通过这种方式,它实际上也完成了 - 而不是使用令人兴奋的变通方法,这可能会产生奇怪的后果。
回答by alex.m
Changing file permissions from Properties, disabling inheritance and running chmod 400 didn't work for me. The permissions for my private key file were:
从属性更改文件权限、禁用继承和运行 chmod 400 对我不起作用。我的私钥文件的权限是:
-r--r----- 1 alex None 1766 Mar 8 13:04 /home/alex/.ssh/id_rsa
-r--r----- 1 alex 无 1766 年 3 月 8 日 13:04 /home/alex/.ssh/id_rsa
Then I noticed the group was None, so I just ran
然后我注意到这个组是None,所以我就跑了
chown alex:Administrators ~/.ssh/id_rsa
chown alex:管理员 ~/.ssh/id_rsa
Then I could successfully change the permissions with chmod 400, and run a git push.
然后我可以使用 chmod 400 成功更改权限,并运行 git push。
回答by Andrew
FOR MAC USERS:
对于 MAC 用户:
Change the settings of your key pair file by typing this in the terminal:
通过在终端中键入以下内容来更改密钥对文件的设置:
chmod og-r *filename.pem*
(make sure you are in the correct directory, or path filename in the command correctly).
(确保您在正确的目录中,或在命令中正确使用路径文件名)。
回答by CristianOrellanaBak
I solve it running:
我解决它运行:
chmod 400 ~/.ssh/id_rsa
I hope to help. Good luck.
我希望有所帮助。祝你好运。
回答by daramarak
I had the same problem on Windows XP just recently. I tried to chmod 700 on my ~/.ssh/id_rsa file but it did not seem to work. When I had a look at the permissions using ls -l on the ~/.ssh/id_rsa I could see that my effective permissions still was 644.
我最近在 Windows XP 上遇到了同样的问题。我试图在我的 ~/.ssh/id_rsa 文件上 chmod 700 但它似乎没有工作。当我在 ~/.ssh/id_rsa 上使用 ls -l 查看权限时,我可以看到我的有效权限仍然是 644。
Then I remembered that windows permissions also inherit permissions from the folders, and the folder was still open to everyone. A solution could be to set permissions for the folder as well, but I think a better way would be to tell the system to ignore inheritance for this file. This can be done using the advanced option on the security tab in the properties of the file, and unchecking "inherit from parent permissions..."
然后我想起来windows权限也是从文件夹继承权限的,文件夹还是对大家开放的。解决方案也可以是为文件夹设置权限,但我认为更好的方法是告诉系统忽略此文件的继承。这可以使用文件属性中安全选项卡上的高级选项完成,并取消选中“从父权限继承...”
This might be helpful for others with the same problem.
这可能对遇到相同问题的其他人有所帮助。
