File permission problems with SSH key login

2021-11-29  Author: 蟹蟹宁

Background

I thought I was already well practised at logging into servers with SSH key pairs, and yet I still managed to get it wrong...

Yesterday I created a new user on the server, only to find that no matter what I tried, I could not log in!

What followed

This morning this blot on my record came back to me, so I looked it up and confirmed that it was indeed a file permission problem: the permissions below have to be set before login works.

As for why I had forgotten this setting: yes, I do recall that when I first started using it, the file permissions did have to be configured. The reason is that recently I have mostly used the default permissions and had no problems, as in the figure below.

Perhaps a version difference?

Investigation

At this point, if you want an accurate answer quickly, go and read the Linux ssh manual page[1]:

Summary

On an overseas site I found a summary table that someone compiled for the commonly used configuration files[2]:

+------------------------+-------------------------------------+-------------+-------------+
| Directory or File      | Man Page                            | Recommended | Mandatory   |
|                        |                                     | Permissions | Permissions |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/                | There is no general requirement to  | 700         |             |
|                        | keep the entire contents of this    |             |             |
|                        | directory secret, but the           |             |             |
|                        | recommended permissions are         |             |             |
|                        | read/write/execute for the user,    |             |             |
|                        | and not accessible by others.       |             |             |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/authorized_keys | This file is not highly sensitive,  | 600         |             |
|                        | but the recommended permissions are |             |             |
|                        | read/write for the user, and not    |             |             |
|                        | accessible by others                |             |             |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/config          | Because of the potential for abuse, |             | 600         |
|                        | this file must have strict          |             |             |
|                        | permissions: read/write for the     |             |             |
|                        | user, and not accessible by others. |             |             |
|                        | It may be group-writable provided   |             |             |
|                        | that the group in question contains |             |             |
|                        | only the user.                      |             |             |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/identity        | These files contain sensitive data  |             | 600         |
| ~/.ssh/id_dsa          | and should be readable by the user  |             |             |
| ~/.ssh/id_rsa          | but not accessible by others        |             |             |
|                        | (read/write/execute)                |             |             |
+------------------------+-------------------------------------+-------------+-------------+
| ~/.ssh/identity.pub    | Contains the public key for         | 644         |             |
| ~/.ssh/id_dsa.pub      | authentication.  These files are    |             |             |
| ~/.ssh/id_rsa.pub      | not sensitive and can (but need     |             |             |
|                        | not) be readable by anyone.         |             |             |
+------------------------+-------------------------------------+-------------+-------------+
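
The table is easy to misread when a login silently fails, so here is an added example (not from the original post or from OpenSSH) that audits an `.ssh` directory against those modes and repairs them. It assumes a POSIX `sh` with either GNU or BSD `stat`. Two things go beyond the table: it also checks that the home directory is not writable by group or others, which is part of what `sshd` verifies under `StrictModes` (on by default) before it accepts `authorized_keys`, and it includes the newer default key file names `id_ecdsa` and `id_ed25519` alongside the ones listed above.

```shell
#!/bin/sh
# Added example, not from the original post: audit (and optionally repair) the
# permissions of an .ssh directory against the table above, plus the home
# directory check that sshd performs when StrictModes is on (the default).
# The key names id_ecdsa and id_ed25519 are OpenSSH's newer defaults and are
# an addition of this example; the table only lists identity/id_dsa/id_rsa.

# Print the permission bits of a path as an octal string such as 600.
# Tries the GNU stat syntax first, then the BSD/macOS syntax.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Succeed (return 0) if group or others hold the write bit on the path.
writable_by_others() {
    m=$(mode_of "$1")
    last2=${m#"${m%??}"}         # last two octal digits: group and others
    case "$last2" in
        [2367]?|?[2367]) return 0 ;;
    esac
    return 1
}

# Report a path whose mode differs from the wanted mode; sets found=1.
# Absent files are skipped: there is nothing to check.
check_mode() {
    [ -e "$1" ] || return 0
    m=$(mode_of "$1")
    if [ "$m" != "$2" ]; then
        echo "$1: mode $m, expected $2 ($3)"
        found=1
    fi
}

# Audit DIR (default ~/.ssh). Returns 0 when everything matches, 1 otherwise,
# 2 if the directory does not exist.
ssh_perm_audit() {
    dir="${1:-$HOME/.ssh}"
    found=0
    [ -d "$dir" ] || { echo "$dir: no such directory"; return 2; }

    # sshd (StrictModes) ignores authorized_keys if the home directory or
    # ~/.ssh is writable by group/others; the login then fails with no hint.
    home=$(dirname "$dir")
    if writable_by_others "$home"; then
        echo "$home: writable by group/others (sshd will reject the key)"
        found=1
    fi

    check_mode "$dir"                 700 "recommended"
    check_mode "$dir/authorized_keys" 600 "recommended"
    check_mode "$dir/config"          600 "mandatory"
    for k in identity id_dsa id_rsa id_ecdsa id_ed25519; do
        check_mode "$dir/$k"     600 "mandatory, private key"
        check_mode "$dir/$k.pub" 644 "recommended, public key"
    done
    return "$found"
}

# Apply the table's modes to DIR (default ~/.ssh) and clear the write bit for
# group/others on the home directory. Only files that exist are touched.
ssh_perm_fix() {
    dir="${1:-$HOME/.ssh}"
    chmod go-w "$(dirname "$dir")"
    chmod 700 "$dir"
    for f in "$dir/authorized_keys" "$dir/config"; do
        [ -e "$f" ] && chmod 600 "$f"
    done
    for k in identity id_dsa id_rsa id_ecdsa id_ed25519; do
        [ -e "$dir/$k" ]     && chmod 600 "$dir/$k"
        [ -e "$dir/$k.pub" ] && chmod 644 "$dir/$k.pub"
    done
    return 0
}
```

Source the file and run `ssh_perm_audit /home/newuser/.ssh` as root (or as that user with the default argument) to see exactly which entry is off; `ssh_perm_fix` with the same argument applies the table. Checking the home directory first is deliberate: a directory created as `775` by a permissive umask is the most common reason a freshly added account cannot authenticate even though `~/.ssh` itself looks correct.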

References

  1. OpenBSD manual page - ssh(1) https://man.openbsd.org/ssh
  2. Permissions on private key in .ssh folder? https://superuser.com/questions/215504/permissions-on-private-key-in-ssh-folder