LinuxQuestions.org

dlublink 10-19-2010 09:38 AM

WARNING: UNPROTECTED PRIVATE KEY FILE! -> override ?
 
Hello,

I get the following message :

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for '/media/KINGSTON/david-private.key' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /media/KINGSTON/david-private.key
Permission denied (publickey).
lost connection


I want to connect anyway, I have the key on my usb key and it is protected using a password. How can I force scp and ssh to use the key anyway ?

I know it's possible, because when running as root it uses the key despite the bad permissions.

I am looking for a command line parameter as I move around between three different computers.

Thanks,

David

AlucardZero 10-19-2010 09:39 AM

Why can't you
Code:

chmod go-rxw /media/KINGSTON/david-private.key
?

dlublink 10-19-2010 10:44 AM

The filesystem used does not support permissions. It is vFAT.

/dev/sdb1 on /media/KINGSTON type vfat (rw,nosuid,nodev,uhelper=udisks,uid=1000,gid=1000,shortname=mixed,dmask=0077,utf8=1,flush)

David

dlublink 10-19-2010 02:04 PM

I had a look at the source code and found this :

if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
    error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
    error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
    error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
    error("Permissions 0%3.3o for '%s' are too open.",
        (u_int)st.st_mode & 0777, filename);
    error("It is recommended that your private key files are NOT accessible by others.");
    error("This private key will be ignored.");
    return 0;
}

The error message is incorrect, this is not a recommendation, it is a requirement. There is no way to bypass this using SSH.

I'll open a ticket.

David

dlublink 10-20-2010 11:42 AM

So there is no work around for a vfat usb key that I found, so I repartitioned the usb disk. The key is a "512 mb" usb key.

I partitioned the usb key in two parts. A 498mb partition and a 2mb partition. The 2mb partition is ext2 which supports chmod 400 on the private key.

I don't like the solution, but it's my only choice.

David

Intangir2 02-02-2011 11:50 AM

Another solution is to mount the USB stick as another user (like nobody), but make sure you have group write for your group.

The trick is that the hardcoded check tests if it's your user first; if it's not your user it doesn't worry about the group settings (but still worries about others' settings).

So I have my keys flagged as 'nobody, group:mygroup, 660' and it works.

leksey 02-22-2011 05:10 AM

private key on fat partition
 
Quote:

Originally Posted by dlublink (Post 4133724)
So there is no work around for a vfat usb key that I found, so I repartitioned the usb disk. The key is a "512 mb" usb key.

I partitioned the usb key in two parts. A 498mb partition and a 2mb partition. The 2mb partition is ext2 which supports chmod 400 on the private key.

I don't like the solution, but it's my only choice.

David

mount_msdosfs -u 1001 -m 700 /dev/da0s1 /mnt/

id
uid=1001(leksey)

ls -alhfog
-rwx------ 1 leksey wheel - 736B Feb 22 13:06 privatekey

see also glyph.twistedmatrix.com/2009/02/using-ssh-keys-on-usb-drive-on-macos-x.html
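
An added example, not code from the thread or from OpenSSH: it applies the condition quoted from the source above to the owner and mode that a vfat mount presents, showing why the key is ignored for uid 1000, used when running as root, and used once the group/other bits are masked off. Assumptions: the helper names, the Linux vfat `fmask=`/`umask=` options with a mounter umask of 022 (consistent with the 0755 in the error message), and the constructed second option string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Mount options copied from the thread's vfat mount line. */
static const char THREAD_OPTS[] = "rw,nosuid,nodev,uhelper=udisks,uid=1000,"
    "gid=1000,shortname=mixed,dmask=0077,utf8=1,flush";

/* Quoted check: refused only if caller owns the file AND group/other bits set. */
static int key_accepted(uid_t file_uid, mode_t file_mode, uid_t caller_uid)
{
    return !(file_uid == caller_uid && (file_mode & 077) != 0);
}

/* Value of "name=" in a comma-separated option string, or fallback. */
static long mount_opt(const char *opts, const char *name, int base, long fallback)
{
    size_t n = strlen(name);
    for (const char *p = opts; p && *p; p = strchr(p, ',')) {
        p += (*p == ',');                 /* step past the separator */
        if (strncmp(p, name, n) == 0 && p[n] == '=')
            return strtol(p + n + 1, NULL, base);
    }
    return fallback;
}

/* vfat keeps no Unix owner or mode: files appear owned by uid= with mode
 * 0777 & ~fmask; fmask falls back to umask=, then the mounter's umask. */
static int vfat_key_accepted(const char *opts, uid_t caller_uid,
                             mode_t mounter_umask, mode_t *mode_out)
{
    long um = mount_opt(opts, "umask", 8, (long)mounter_umask);
    *mode_out = 0777 & ~(mode_t)mount_opt(opts, "fmask", 8, um);
    uid_t owner = (uid_t)mount_opt(opts, "uid", 10, 0); /* assumed: root if no uid= */
    return key_accepted(owner, *mode_out, caller_uid);
}

int main(void)
{
    /* Second string is constructed: the thread's mount plus fmask=0177. */
    const char *cases[] = { THREAD_OPTS, "rw,uid=1000,gid=1000,fmask=0177,dmask=0077" };
    for (int i = 0; i < 2; i++) {
        mode_t m;
        int ok = vfat_key_accepted(cases[i], 1000, 022, &m);
        printf("uid 1000, mode 0%03o: key %s\n", (unsigned)m, ok ? "used" : "ignored");
    }
    return 0;
}
```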

ygini 05-27-2011 02:47 PM

Quote:

Originally Posted by dlublink (Post 4133724)
So there is no work around for a vfat usb key that I found, so I repartitioned the usb disk. The key is a "512 mb" usb key.

I partitioned the usb key in two parts. A 498mb partition and a 2mb partition. The 2mb partition is ext2 which supports chmod 400 on the private key.

I don't like the solution, but it's my only choice.

David

Hello David,

I'm looking for the exact same setting, a biometric USB key with my different SSH config and private key, and of course I've the same problem.

I would avoid the second partition for one reason: I want to be able to use my key on all kinds of computers…

So, I'm wondering if you have found another solution?

Yoann


All times are GMT -5.