Hello,

I get the following message :

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for '/media/KINGSTON/david-private.key' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /media/KINGSTON/david-private.key
Permission denied (publickey).
lost connection


I want to connect anyway, I have the key on my usb key and it is protected using a password. How can I force scp and ssh to use the key anyway ?

I know it's possible, because when running as root it uses the key despite the bad permissions.

I am looking for a command line parameter as I move around between three different computers.

Thanks,

David

Why can't you?

The filesystem used does not support permissions. It is vFAT.

/dev/sdb1 on /media/KINGSTON type vfat (rw,nosuid,nodev,uhelper=udisks,uid=1000,gid=1000,shortname=mixed,dmask=0077,utf8=1,flush)

David

I had a look at the source code and found this :

if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("Permissions 0%3.3o for '%s' are too open.",
(u_int)st.st_mode & 0777, filename);
error("It is recommended that your private key files are NOT accessible by others.");
error("This private key will be ignored.");
return 0;
}

The error message is incorrect, this is not a recommendation, it is a requirement. There is no way to bypass this using SSH.

I'll open a ticket.

David

So there is no work around for a vfat usb key that I found, so I repartitioned the usb disk. The key is a "512 mb" usb key.

I partitioned the usb key in two parts. A 498mb partition and a 2mb partition. The 2mb partition is ext2 which supports chmod 400 on the private key.

I don't like the solution, but it's my only choice.

David

another solution is to mount the usb stick as another user (like nobody) but make sure you have group write for your group

the trick is that hardcoded check tests if its your user first, if its not your user it doesnt worry about the group settings (but still worries about others settings)

so i have my keys flagged as 'nobody, group:mygroup, 660
and it works

mount_msdosfs -u 1001 -m 700 /dev/da0s1 /mnt/

id
uid=1001(leksey)

ls -alhfog
-rwx------ 1 leksey wheel - 736B Feb 22 13:06 privatekey

see also glyph.twistedmatrix.com/2009/02/using-ssh-keys-on-usb-drive-on-macos-x.html

Hello David,

I'm looking for the exact same setting, a biometric USB key with my different SSH config and private key, and of course I've the same problem.

I would avoid the second partition for one reason, I want to be able to use my key on all kind of computer…

So, I'm wondering if you have find an other solution ?

Yoann

The issue was that openssh said it was a 'warning', but it is a requirement. At the time I filed a bug report with OpenSSH and they changed the message to make it clear that you can not bypass this restriction.