sshd fails to start: private key permissions are too open

Host private key files with permissions that are too wide cause sshd to refuse to load the keys, so the service cannot start.

Aug 14 22:32:00 localhost.localdomain systemd[1]: sshd.service: Scheduled restart job, restart counter is at 57.
Aug 14 22:32:00 localhost.localdomain systemd[1]: Stopped target sshd-keygen.target.
Aug 14 22:32:00 localhost.localdomain systemd[1]: Stopping sshd-keygen.target...
Aug 14 22:32:00 localhost.localdomain systemd[1]: Reached target sshd-keygen.target.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 14 22:32:00 localhost.localdomain sshd[46837]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Aug 14 22:32:00 localhost.localdomain sshd[46837]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 14 22:32:00 localhost.localdomain sshd[46837]: Permissions 0777 for '/etc/ssh/ssh_host_rsa_key' are too open.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: It is required that your private key files are NOT accessible by others.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: This private key will be ignored.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 14 22:32:00 localhost.localdomain sshd[46837]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Aug 14 22:32:00 localhost.localdomain sshd[46837]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 14 22:32:00 localhost.localdomain sshd[46837]: Permissions 0777 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: It is required that your private key files are NOT accessible by others.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: This private key will be ignored.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 14 22:32:00 localhost.localdomain sshd[46837]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Aug 14 22:32:00 localhost.localdomain sshd[46837]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 14 22:32:00 localhost.localdomain sshd[46837]: Permissions 0777 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: It is required that your private key files are NOT accessible by others.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: This private key will be ignored.
Aug 14 22:32:00 localhost.localdomain sshd[46837]: sshd: no hostkeys available -- exiting.
Aug 14 22:32:00 localhost.localdomain systemd[1]: sshd.service: Main process exited, code=exited, status=1/FAILURE
Aug 14 22:32:00 localhost.localdomain systemd[1]: sshd.service: Failed with result 'exit-code'.

Cause

  • /etc/ssh/ssh_host_rsa_key, ssh_host_ecdsa_key and ssh_host_ed25519_key have mode 0777 (readable and writable by every user).
  • sshd requires that host private key files be readable and writable by root only (mode 0600).

Fix

  1. Correct the permissions

    sudo chmod 600 /etc/ssh/ssh_host_*_key
  2. Make sure the owner is root

    sudo chown root:root /etc/ssh/ssh_host_*_key
  3. Restart the SSH service

    sudo systemctl restart sshd
  4. Verify the status

    sudo systemctl status sshd
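The four steps above can be folded into a small audit that applies the same rule sshd uses when it prints "Permissions ... are too open": any permission bit for group or other makes a host private key unusable. The script below is an added example, not part of the original post; it assumes Linux with GNU coreutils (`stat -c`), and the function names and the optional directory/owner arguments are this example's own choices so it can be run against a scratch directory as well as /etc/ssh.

```shell
#!/bin/sh
# Added example (not from the original post): audit SSH host private keys
# with the same rule sshd applies, then tighten the modes it finds too open.
# Assumes Linux/GNU coreutils for `stat -c`. Function names and the optional
# DIR/OWNER arguments are this example's own choices.

# key_mode_ok FILE -> succeeds only if no group/other permission bit is set.
# This mirrors sshd's check: any bit in 0077 makes the key "too open".
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 0077 )) -eq 0 ]
}

# key_owner_ok FILE OWNER -> succeeds if FILE is owned by OWNER (sshd wants root).
key_owner_ok() {
    [ "$(stat -c '%U' "$1")" = "$2" ]
}

# audit_host_keys [DIR] [OWNER] -> prints one line per problem found and
# returns 1 if any key in DIR fails either check, 0 if all keys are clean.
audit_host_keys() {
    dir="${1:-/etc/ssh}"
    owner="${2:-root}"
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue          # the pattern matched nothing
        if ! key_mode_ok "$key"; then
            echo "TOO OPEN:    $key mode $(stat -c '%a' "$key") (expect 600)"
            bad=1
        fi
        if ! key_owner_ok "$key" "$owner"; then
            echo "WRONG OWNER: $key owned by $(stat -c '%U' "$key") (expect $owner)"
            bad=1
        fi
    done
    return "$bad"
}

# fix_host_key_modes [DIR] -> chmod 600 every host private key that is too
# open (step 1 above). Ownership is only reported by the audit; correct it
# with chown root:root as in step 2.
fix_host_key_modes() {
    dir="${1:-/etc/ssh}"
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        key_mode_ok "$key" || chmod 600 "$key"
    done
}

# Stand-alone use on a real host (as root):
#   audit_host_keys && echo "host keys OK" || { fix_host_key_modes; audit_host_keys; }
```

After tightening the modes, `sudo sshd -t` makes sshd itself validate its configuration and keys without starting the service, which is a quicker check than a restart followed by `systemctl status`. Note that 0640 fails this check just as 0777 does: sshd accepts no group or other bits at all on a host private key.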

Additional advice

  • If the key files were exposed by the wrong permissions for some time (for example, they sat at 0777 on a running system for a long while), regenerate them as a security precaution:

    sudo rm /etc/ssh/ssh_host_*_key*
    sudo ssh-keygen -A
    sudo systemctl restart sshd
  • This removes the risk that a key which may have leaked stays in use.