Verify the SSH client configuration (permissions and file types) using a configurable Python utility.
Install ssh-clippie.
python3 -m pip install git+https://github.com/milosz/ssh-clippie.git
Defaulting to user installation because normal site-packages is not writeable
Collecting git+https://github.com/milosz/ssh-clippie.git
  Cloning https://github.com/milosz/ssh-clippie.git to /tmp/pip-req-build-2gxme_8m
  Running command git clone --filter=blob:none --quiet https://github.com/milosz/ssh-clippie.git /tmp/pip-req-build-2gxme_8m
  Resolved https://github.com/milosz/ssh-clippie.git to commit 3c422229bcad2b0910ab3640b70b51944f806932
  Preparing metadata (setup.py) ... done
Collecting click==8.1.7
  Using cached click-8.1.7-py3-none-any.whl (97 kB)
Collecting python-magic==0.4.27
  Using cached python_magic-0.4.27-py2.py3-none-any.whl (13 kB)
Collecting pyyaml==6.0.1
  Using cached PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (705 kB)
Building wheels for collected packages: ssh-clippie
  Building wheel for ssh-clippie (setup.py) ... done
  Created wheel for ssh-clippie: filename=ssh_clippie-0.8.4-py3-none-any.whl size=9658 sha256=738e0189b4a5edc1ddbc06982e61befc688be073c8531262e373b2351dea7fba
  Stored in directory: /tmp/pip-ephem-wheel-cache-6qv6x54j/wheels/e9/ce/d3/37fa80b018c7da2dada78cd45b6ad12ee63a094bdb0e8ab220
Successfully built ssh-clippie
Installing collected packages: pyyaml, python-magic, click, ssh-clippie
Successfully installed click-8.1.7 python-magic-0.4.27 pyyaml-6.0.1 ssh-clippie-0.8.4
Display usage information.
ssh-clippie
Usage: ssh-clippie [OPTIONS]

  This script reads permissions definition from YAML file and performs checks
  against user ssh directory

Options:
  --verbose                       Verbose mode
  --quiet                         Quiet mode
  --explain                       Explain mode
  --ssh-directory DIRECTORY       Home directory  [default: /home/milosz/.ssh]
  --permissions-definition-file FILE
                                  Permissions definition YAML file
  --help                          Show this message and exit
Display the default configuration file.
cat .local/lib/python3.10/site-packages/ssh_clippie/permissions_definition.yaml
ssh-clippie:
  main_directory:
    condition: mandatory
    type: directory
    mode: "700"
    description: SSH client configuration directory
    file_types:
      - private_key
      - public_key
  files:
    - name: known_hosts
      condition: optional
      type: file
      mode: "600"
      description: list of host keys known to the user
    - name: known_hosts2
      condition: not expected
      type: file
      mode: "600"
      description: list of host keys known to the user, backup file
    - name: authorized_keys
      condition: optional
      type: file
      mode: "600"
      description: public keys that can be used to log in as this user
    - name: authorized_keys2
      condition: not expected
      type: file
      mode: "600"
      description: public keys that can be used to log in as this user, backup file
    - name: config
      condition: optional
      type: file
      mode: "600"
      description: user configuration file
    - name: environment
      condition: optional
      type: file
      mode: "600"
      description: additional environment variables
    - name: rc
      condition: optional
      type: file
      mode: "600"
      description: executed when the user logs in
    - name: config.d
      condition: optional
      type: directory
      mode: "700"
      description: configuration snippets
      file_types:
        - ascii_text
    - name: scripts.d
      condition: optional
      type: directory
      mode: "700"
      description: additional scripts
      file_types:
        - executable_script
    - name: agent.sock
      condition: optional
      type: socket
      mode: "600"
      description: SSH agent socket
  types:
    private_key:
      name: OpenSSH private key
      pattern: ".* private key$"
      mode: "600"
    public_key:
      name: OpenSSH public key
      pattern: ".* public key$"
      mode: "600"
    executable_script:
      name: executable script
      pattern: ".*script.*executable.*"
      mode: "700"
    ascii_text:
      name: ascii text file
      pattern: ".*ASCII text.*"
      mode: "600"
Parse and explain the rules above.
ssh-clippie --explain
Main directory should have permissions set to 700 and can contain OpenSSH private key, OpenSSH public key.
known_hosts (list of host keys known to the user) file which is optional and should have permissions set to 600
known_hosts2 (list of host keys known to the user, backup file) file which is not expected
authorized_keys (public keys that can be used to log in as this user) file which is optional and should have permissions set to 600
authorized_keys2 (public keys that can be used to log in as this user, backup file) file which is not expected
config (user configuration file) file which is optional and should have permissions set to 600
environment (additional environment variables) file which is optional and should have permissions set to 600
rc (executed when the user logs in) file which is optional and should have permissions set to 600
config.d (configuration snippets) directory which is optional and should have permissions set to 700 and can contain ascii text file.
scripts.d (additional scripts) directory which is optional and should have permissions set to 700 and can contain executable script.
agent.sock (SSH agent socket) socket which is optional and should have permissions set to 600
OpenSSH private key matching file type ".* private key$" should have permissions set to 600.
OpenSSH public key matching file type ".* public key$" should have permissions set to 600.
executable script matching file type ".*script.*executable.*" should have permissions set to 700.
ascii text file matching file type ".*ASCII text.*" should have permissions set to 600.
Run a verbose check.
ssh-clippie --verbose
Checking /home/milosz/.ssh directory
file /home/milosz/.ssh/known_hosts2 should not exist
socket /home/milosz/.ssh/agent.sock permission are 755 should be 600
Failed
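To show what the check above actually does with the definition, here is an added, stand-alone Python example (not ssh-clippie's own code) that applies a constructed subset of the YAML rules, including the "optional", "mandatory" and "not expected" conditions and the object kind, to a temporary ~/.ssh layout; the python-magic content matching used for file_types is left out.

```python
import os
import stat
import tempfile

# Constructed subset of the permissions definition shown above (hypothetical, not the tool's file).
DEFINITION = {
    "main_directory": {"mode": "700"},
    "files": [
        {"name": "known_hosts", "condition": "optional", "type": "file", "mode": "600"},
        {"name": "known_hosts2", "condition": "not expected", "type": "file", "mode": "600"},
        {"name": "config", "condition": "optional", "type": "file", "mode": "600"},
        {"name": "config.d", "condition": "optional", "type": "directory", "mode": "700"},
    ],
}
# Map the YAML "type" values to stat predicates so a wrong object kind is reported too.
KIND = {"file": stat.S_ISREG, "directory": stat.S_ISDIR, "socket": stat.S_ISSOCK}

def mode_of(path):
    """Permission bits of path as a three-digit octal string, e.g. '600'."""
    return format(stat.S_IMODE(os.lstat(path).st_mode), "03o")

def check_ssh_dir(ssh_dir, definition=DEFINITION):
    """Apply the definition to ssh_dir; return a list of findings (empty list means pass)."""
    findings = []
    want = definition["main_directory"]["mode"]
    if mode_of(ssh_dir) != want:
        findings.append(f"directory {ssh_dir} permissions are {mode_of(ssh_dir)} should be {want}")
    for entry in definition["files"]:
        path, kind = os.path.join(ssh_dir, entry["name"]), entry["type"]
        if not os.path.lexists(path):
            if entry["condition"] == "mandatory":
                findings.append(f"{kind} {path} is missing")
            continue  # optional and "not expected" entries may be absent
        if entry["condition"] == "not expected":
            findings.append(f"{kind} {path} should not exist")
        elif not KIND[kind](os.lstat(path).st_mode):
            findings.append(f"{path} is not a {kind}")
        elif mode_of(path) != entry["mode"]:
            findings.append(f"{kind} {path} permissions are {mode_of(path)} should be {entry['mode']}")
    return findings

def demo():
    """Constructed ~/.ssh layout: a stray backup file plus a world-readable config."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        for name, mode in (("known_hosts", 0o600), ("known_hosts2", 0o600), ("config", 0o644)):
            open(os.path.join(ssh_dir, name), "w").close()
            os.chmod(os.path.join(ssh_dir, name), mode)
        # Swap the temp path for ~/.ssh so the findings read like the tool's output.
        return [f.replace(ssh_dir, "~/.ssh") for f in check_ssh_dir(ssh_dir)]
```

Running `demo()` reports the unexpected known_hosts2 file and the 644 config file, while the absent optional config.d directory is silently accepted.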
This simple solution lets you run basic compliance checks and catch permission-related problems.
See also:
- 🔐 How to list all connected SSH sessions
- 🐧 How to assign an IP address to remote Linux systems over SSH
- 🔐 How to get the public key from an OpenSSH private key
- 🔐 autossh: start, monitor and restart SSH connections