Thursday, 29 December 2016

More on SSH and PKI - Setting the appropriate permissions on your private key files

Following my earlier post: -


it's worth noting that Linux will attempt to help you out by warning you if your private key files have inappropriately weak permissions, as per this example: -

ssh-keygen -y -e -f ~/Downloads/foobar.cer 

which returns: -

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/davidhay/Downloads/foobar.cer' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/Users/davidhay/Downloads/foobar.cer": bad permissions


This is what the file looks like post-download: -

ls -al ~/Downloads/foobar.cer 

-rw-r--r--@ 1 davidhay  staff  1683 29 Dec 11:08 /Users/davidhay/Downloads/foobar.cer



Once I change it to 400: -

chmod 400 ~/Downloads/foobar.cer 

which means: -



or: -

-r--------@ 1 davidhay  staff  1683 29 Dec 11:08 /Users/davidhay/Downloads/foobar.cer

all is well

ssh-keygen -y -e -f ~/Downloads/foobar.cer 

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by 
dave@mac"
AAAAB3NzaC1yc7EAAAAAAQABAAABAQAAutYt3P7YNNOWG6Ve/xTpeNnkNwAARBzb0jiA7/
A7XT5x0xOVXrwrlefIU6ZFBfR1QLc54xCWPk7j77u4ZfsUE57+rSfFFHAm3T7/H5GVW7Ct
tS7mB/UoiXJtfOo9uNHNSrSOOqAQKAtAAprKzghREhoroIeb65TkzpA6cfAAmcE+ySCTNS
li7sALtAnBwCwFJGQUBKot77Xce1q04uhr9sYknOvRAVmTaihYAeaSgLh+UTAIeJ4/AABP
7+gAyuHK6pPJ9WEyUGHh3HAUio8o3uAx8VoZfnE+Y79y5XIpWT6+xrSG4XskRjPAy+9JsR
bsm3jS3qi08T649/aLL67A
---- END SSH2 PUBLIC KEY ——



No comments: