SSH Private Key Permissions using Git GUI or ssh-keygen are too open
G

25

257

Recently I've been unable to clone or push to github, and I'm trying to find the root cause.

This is on windows

I have cygwin + git as well as msysgit.

Msysgit was installed with the following options:

  • OpenSSH
  • Use Git from Windows Command Prompt

That gives me 4 environments to try to use git in:

  • Windows cmd prompt
  • Powershell
  • Git Bash
  • Cygwin

Somehow I've managed to get myself into a position where when I try to clone a repository using msysgit, cmd.exe, or Powershell, I get the following error:

> Initialized empty Git repository in C:/sandbox/SomeProject/.git/
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0644 for '/c/Users/Ben/.ssh/id_rsa' are too open.
> It is recommended that your private key files are NOT accessible by others.
> This private key will be ignored.
> bad permissions: ignore key: /c/Users/Ben/.ssh/id_rsa
> Permission denied (publickey).
> fatal: The remote end hung up unexpectedly

This is using the .ssh folder in my c:\users\ben\ folder, which is what is used by msysgit. I suspect cygwin works because the .ssh folder is located elsewhere, but I'm not sure why.

In Git Bash, I check the permissions:

$ ls -l -a ~/.ssh

Which gives me:

drwxr-xr-x    2 Ben      Administ        0 Oct 12 13:09 .    
drwxr-xr-x   34 Ben      Administ     8192 Oct 12 13:15 ..    
-rw-r--r--    1 Ben      Administ     1743 Oct 12 12:36 id_rsa
-rw-r--r--    1 Ben      Administ      399 Oct 12 12:36 id_rsa.pub    
-rw-r--r--    1 Ben      Administ      407 Oct 12 13:09 known_hosts

These permissions are apparently too relaxed. How they got this way, I have no idea.

I can try to change them...

$ chmod -v -R 600 ~/.ssh

which tells me:

mode of `.ssh' changed to 0600 (rw-------)
mode of `.ssh/id_rsa' changed to 0600 (rw-------)
mode of `.ssh/id_rsa.pub' changed to 0600 (rw-------)
mode of `.ssh/known_hosts' changed to 0600 (rw-------)

But it seems to have no effect. I still get the same error, and doing

$ ls -l -a ~/.ssh

yields the same permissions as before.

UPDATE:

I tried to fix the permissions to those files in cygwin, and cygwin reports their permissions correctly, gitbash does not (screenshot: http://cdn.cloudfiles.mosso.com/c54102/app7962031255448924.jpg).

Any ideas on how I can really fix these permissions?

Goodhumored answered 12/10, 2009 at 18:26 Comment(7)
You might want to tell us what is the native filesystem that C:\Users\Ben\ is using. It seems that that filesystem does not support real permissions, or the mapping between the shell and filesystem is not working properly. Can you change the permissions via Windows ACLs? - Canzone
I'm using Windows 7. I can change the permissions to that, but what are they supposed to be? All the github/ssh docs say you need 0600, but I have no idea what that means in Windows ACLs. - Goodhumored
Uh... bit of a sidenote here, but chmod-ing a directory to 600 is a bad idea. Directories (and executable files) are always one digit higher (700 not 600, 755 not 644). Doing that on a directory will make it unlistable. See dartmouth.edu/~rc/help/faq/permissions.html for more detailed explanations. - Repulsive
Are you opposed to using PuTTY? - Unbeatable
If it fixes my issue then no, but I'm curious to know why this setup doesn't work for me. - Goodhumored
I need this for Windows 7. The chmod does not work on Windows 7, or does not seem to. - Overview
I have the same esoteric error. Nothing works. I'm going to give up on having a comfortable environment to deploy Rails with Windows. - Zahn
P
381

You changed the permissions on the whole directory, which I agree with Splash is a bad idea. If you can remember what the original permissions for the directory are, I would try to set them back to that and then do the following

cd ~/.ssh
chmod 700 id_rsa

inside the .ssh folder. That will set the id_rsa file to rwx (read, write, execute) for the owner (you) only, and zero access for everyone else.

If you can't remember what the original settings are, add a new user and create a set of SSH keys for that user, thus creating a new .ssh folder which will have default permissions. You can use that new .ssh folder as the reference for permissions to reset your .ssh folder and files to.

If that doesn't work, I would try doing an uninstall of msysgit, deleting ALL .ssh folders on the computer (just for safe measure), then reinstalling msysgit with your desired settings and try starting over completely (though I think you told me you tried this already).

Edited: Also just found this link via Google -- Fixing "WARNING: UNPROTECTED PRIVATE KEY FILE!" on Linux. While it's targeted at Linux, it might help since we're talking Linux permissions and such.

Pteropod answered 13/10, 2009 at 15:1 Comment(7)
This got the correct answer vote, but doesn't seem to detail how to fix this in which environment. What do I need to do to get this to work from PowerShell? I don't want to use cygwin. - Swordplay
This answer specifically applies to using cygwin or msysgit (since msysgit uses a subset of cygwin or possibly mingw32). The issue is the permission on the file. Git likes to work with (mostly) Linux permissions (probably a by-product of its target audience). Using the git.exe in Windows shell is known to have issues, I would advise sticking with msysgit. At least until GitSharp is fully working. - Pteropod
This is not working on Windows 8 and my Jan '14 install of cygwin as after chmod 700, it is showing the file as rwxrwx---. The group permissions get set to whatever I set the user permissions to and I can't use my keys. - Board
@DeanHiller, a permission of 700 should look like -rwx------. So what you're showing isn't correct if you've done the chmod command correctly. - Pteropod
@Pteropod nope, it was a bug with a workaround...need to use chgrp -R Users ~/.ssh and then chmod is now working and actually changes the permissions correctly.....a known bug I finally found on another post. - Board
Needed also to do: chgrp Users ~/.ssh/* (Windows 8) - Aesthete
I can verify that there is some kind of bug in GitBash for Windows where either the correct permissions CANNOT be set with chmod, or the permissions are not correctly read. chmod 600 id_rsd; ls -l id_rs -> -rwx-r--r-- - Presbyterian
S
76

There is a bug with cygwin's chmod, please refer to:

https://superuser.com/questions/397288/using-cygwin-in-windows-8-chmod-600-does-not-work-as-expected

chgrp -Rv Users ~/.ssh/* 
chmod -vR 600 ~/.ssh/id_rsa
Sethrida answered 17/5, 2013 at 19:28 Comment(4)
For whatever reason, the mapping from Windows permissions to cygwin/*nix-like permissions is a little fuzzy. Even though I removed all other users' permissions on the Windows side, cygwin still applied the permissions for me, the user, to another group named None. (I suppose this is standard procedure when a group has not been explicitly defined). This change to an explicit group Users supposedly allowed cygwin to separate the permissions, and I could finally set 600 instead of an automatic 660. - Scythe
This is the actual correct answer. The one that got voted as the correct answer - I think the people who voted that up were linux users and didn't realize that he was executing the command correctly. I had the same problem with cygwin today. Thanks! - Aedes
Before applying this solution, when I used chmod 600 git would complain that my permissions were still 0660. Fixing the group ownership made chown apply correctly. - Slaton
I updated Cygwin and it worked. They must have fixed the bug. - Septarium
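
The check and repair discussed in this answer and its comments, as an added example that is not part of the original posts: it tests the key's mode the way ssh does (any group/other bit set means the key is ignored), tries chmod 600, and changes the group first only if that does not stick. The function names are made up for this example, and GNU stat (as shipped with Cygwin and Git Bash) is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU stat (Cygwin, Git Bash, Linux).
# All function names are made up for this example.

# Octal permission bits of a file or directory, e.g. 644.
key_mode() {
    stat -c '%a' "$1"
}

# ssh ignores a private key owned by the current user when any group/other
# bit is set, i.e. (mode & 077) != 0. 600 and 400 pass; 644 and 660 fail.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# A directory needs the owner's execute bit to be entered, so the recursive
# "chmod -R 600 ~/.ssh" from the question is wrong for the directory itself.
dir_is_traversable() {
    m=$(key_mode "$1")
    [ $(( 0$m & 0100 )) -ne 0 ]
}

# Prints "ok <mode>", "too-open <mode>", "dir-not-traversable" or "missing".
check_key() {
    key=$1
    dir=$(dirname "$key")
    if [ -d "$dir" ] && ! dir_is_traversable "$dir"; then
        echo "dir-not-traversable"; return 3
    fi
    [ -f "$key" ] || { echo "missing"; return 2; }
    mode=$(key_mode "$key")
    if mode_is_private "$mode"; then
        echo "ok $mode"
    else
        echo "too-open $mode"; return 1
    fi
}

# Try chmod 600. If the mode does not stick (the Cygwin behaviour reported in
# the comments, where 600 shows up as 660), change the group first and retry.
# The group defaults to "Users", the name used in the answer.
repair_key() {
    key=$1
    group=${2:-Users}
    chmod 600 "$key" 2>/dev/null || true
    if mode_is_private "$(key_mode "$key")"; then
        echo "fixed-by-chmod"; return 0
    fi
    if chgrp "$group" "$key" 2>/dev/null; then
        chmod 600 "$key" 2>/dev/null || true
    fi
    if mode_is_private "$(key_mode "$key")"; then
        echo "fixed-after-chgrp"; return 0
    fi
    echo "unfixable-from-shell $(key_mode "$key")"; return 1
}

# Usage: sh check_key.sh ~/.ssh/id_rsa [group]
if [ -n "${1:-}" ]; then
    check_key "$1" || repair_key "$1" "${2:-Users}"
fi
```

A result of "unfixable-from-shell" means the shell's view of the mode cannot be changed from inside that environment, which is the situation the Windows ACL answers further down address.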
A
19

For *nix systems, the obvious fix is chmod 600 id_rsa ofc, but on windows 7 I had to hit my head against the wall for a while, but then I found the magic solution:

go to My Computer / Right Click / Properties / Advanced System Settings / Environment Variables and DELETE the variable (possibly from both system and user environment):

CYGWIN

Basically, it's a flaw in mingw32 used by git windows binary, seeing all files 644 and all folders 755 always. Removing the environment variable does not change that behaviour, but it apparently tells ssh.exe to ignore the problem. If you do set proper permissions to your id_rsa through Explorer's security settings (there really is no need to have any other user in there than your own, not "everyone", not "administrators", not "system". none. just you), you'll still be secure.

Now, why mingw32, a different system than cygwin, would make any use of the CYGWIN environment variable, is beyond me. Looks like a bug to me.

Andie answered 26/6, 2012 at 12:37 Comment(2)
This did not work for me. I still get the "UNPROTECTED PRIVATE KEY FILE" message. Just wanted to let you know in case someone else comes upon this thread with similar results. - Dagney
Worked for me. This is asinine though. I'm not even using Cygwin anymore. Also, how on earth did you figure this out? - Poppy
B
13

I'm on XP and this allowed Git Bash to communicate w/ Github (after much frustration):

  1. copy c:\cygwin\bin\cyg* (~50 files) to c:\Program Files\Git\bin\
  2. copy c:\cygwin\bin\ssh.exe to c:\Program Files\Git\bin\ (overwriting)
  3. Create the file c:\Documents and Settings\<username>\.ssh\config containing:

    Host github.com
        User git
        Hostname github.com
        PreferredAuthentications publickey
        IdentityFile "/cygdrive/c/Documents and Settings/<username>/.ssh/id_rsa"
    
  4. (optional) Use ssh -v git@github to see the connection debugged.

  5. Try a push!

Background: The general problem is a combination of these two:

  • BUG: mingw32 sees all files as 644 (other/group-readable), and nothing I tried in mingw32, cygwin, or Windows could fix it.
  • mingw32's SSH version won't allow that for private keys (generally a good policy in a server).
Burlesque answered 17/6, 2011 at 3:16 Comment(5)
It seems there is no need to make up a file c:\Documents and Settings\<username>\.ssh\config since you have replaced c:\Program Files\Git\bin\ssh.exe with c:\cygwin\bin\ssh.exe. Right? - Sustentation
Agree w/ "much frustration" comment. For gitolite, I followed these steps, copying cygwin/bin/cyg* to my Git dir (PortableGit - or - Program Files/Git), and found I could then use git from Git-Bash, but not cygwin bash. Adding both the PortableGit and Cygwin bin directories to my PATH also worked with limited success... but still I had to move PortableGit/bin/ssh.exe{,.bak} so that it wasn't accidentally used (even if it's the same one as c:/cygwin/bin/ssh.exe). Basically ssh.exe needs to be run from the cygwin directory due to other dependencies that weren't copied over. - Theall
Although it's working for me now, next to try would be just to add both Git and Cygwin to the PATH, and move Git's ssh.exe out of the way so that cygwin's ssh.exe is used (from cygwin's bin directory). - Theall
Add LogLevel DEBUG to the .ssh\config file to get debug output from the ssh.exe process started by git.exe. - Wineskin
Thanks - this solution worked for me! Specifically, from c:\cygwin\bin\ I copied ssh.exe, cygcrypto-0.9.8.dll, cygwin1.dll, cygminires.dll, and cygz.dll to C:\Program Files\Git\bin\. - Opinicus
G
10

For Windows 7 using the Git found here (it uses MinGW, not Cygwin):

  1. In the windows explorer, right-click your id_rsa file and select Properties
  2. Select the Security tab and click Edit...
  3. Check the Deny box next to Full Control for all groups EXCEPT Administrators
  4. Retry your Git command
Gaudery answered 29/12, 2011 at 0:35 Comment(1)
This was it for me, but now I have a new issue that ssh doesn't like my password, any password I give my key file. - Sclerophyll
C
7

OK so here is how I actually forced the change on my Windows files regarding the permissions themselves on Win7: Find your ssh key in windows explorer: C:\Users\[your_user_name_here]\.ssh\id_rsa

Right-click on file>Properties>Security tab>Advanced button>Change permissions

Now remove everyone that is not actually your username. This includes Administrator and System users. At this point you may get a dialogue about inheriting permissions- choose the option that DOESN'T inherit- since we only want to change this file.

Click OK and save till done.

I fought with this for days because my windows would not change the file permissions from the command line. This way it is also ACTUALLY done- instead of using exciting workarounds that can have odd consequences.

Carr answered 19/7, 2013 at 9:57 Comment(0)
P
6

Changing file permissions from Properties, disabling inheritance and running chmod 400 didn't work for me. The permissions for my private key file were:

-r--r----- 1 alex None 1766 Mar 8 13:04 /home/alex/.ssh/id_rsa

Then I noticed the group was None, so I just ran

chown alex:Administrators ~/.ssh/id_rsa

Then I could successfully change the permissions with chmod 400, and run a git push.

Pommard answered 8/3, 2014 at 11:41 Comment(0)
R
3

FOR MAC USERS:

Change the settings of your key pair file by typing this in the terminal:

chmod og-r *filename.pem*

(make sure you are in the correct directory, or path filename in the command correctly).

Reactionary answered 7/6, 2012 at 0:39 Comment(0)
A
3

I solved it by running:

chmod 400 ~/.ssh/id_rsa

I hope this helps. Good luck.

Allcot answered 23/10, 2014 at 17:46 Comment(2)
Changing the permissions to 400 as Cristian mentioned, it would be more secure. - Critchfield
exactly what is needed in my case - Etiolate
A
2

I had the same problem on Windows XP just recently. I tried to chmod 700 on my ~/.ssh/id_rsa file but it did not seem to work. When I had a look at the permissions using ls -l on the ~/.ssh/id_rsa I could see that my effective permissions still was 644.

Then I remembered that windows permissions also inherit permissions from the folders, and the folder was still open to everyone. A solution could be to set permissions for the folder as well, but I think a better way would be to tell the system to ignore inheritance for this file. This can be done using the advanced option on the security tab in the properties of the file, and unchecking "inherit from parent permissions..."

This might be helpful for others with the same problem.

Asha answered 7/4, 2010 at 9:37 Comment(0)
G
2

After coming across the problem recently and this being one of the top Google results I thought I would chip in with a simple workaround documented in discussion here: http://code.google.com/p/msysgit/issues/detail?id=261#c40

Simply involves overwriting the msys ssh.exe with your cygwin ssh.exe

Gershom answered 12/10, 2010 at 10:31 Comment(0)
I
1

I'm playing right now with Git 1.6.5, and I can't replicate your setup:

Administrator@WS2008 /k/git
$ ll ~/.ssh
total 8
drwxr-xr-x    2 Administ Administ     4096 Oct 13 22:04 ./
drwxr-xr-x    6 Administ Administ     4096 Oct  6 21:36 ../
-rw-r--r--    1 Administ Administ        0 Oct 13 22:04 c.txt
-rw-r--r--    1 Administ Administ      403 Sep 30 22:36 config_disabled
-rw-r--r--    1 Administ Administ      887 Aug 30 16:33 id_rsa
-rw-r--r--    1 Administ Administ      226 Aug 30 16:34 id_rsa.pub
-rw-r--r--    1 Administ Administ      843 Aug 30 16:32 id_rsa_putty.ppk
-rw-r--r--    1 Administ Administ      294 Aug 30 16:33 id_rsa_putty.pub
-rw-r--r--    1 Administ Administ     1626 Sep 30 22:49 known_hosts

Administrator@WS2008 /k/git
$ git clone [email protected]:alexandrul/gitbook.git
Initialized empty Git repository in k:/git/gitbook/.git/
remote: Counting objects: 1152, done.
remote: Compressing objects: 100% (625/625), done.
remote: Total 1152 (delta 438), reused 1056 (delta 383)s
Receiving objects: 100% (1152/1152), 1.31 MiB | 78 KiB/s, done.
Resolving deltas: 100% (438/438), done.

Administrator@WS2008 /k/git
$ ssh [email protected]
ERROR: Hi alexandrul! You've successfully authenticated, but GitHub does not pro
vide shell access
Connection to github.com closed.

$ ssh -v
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007

chmod doesn't modify file permissions for my keys either.

Environment:

  • Windows Server 2008 SP2 on NTFS
  • user: administrator
  • environment vars:
    • PLINK_PROTOCOL=ssh
    • HOME=/c/profiles/home

Update: Git 1.6.5.1 works as well.

Indigestible answered 13/10, 2009 at 19:11 Comment(1)
interesting. Looks like you're using the putty option? - Goodhumored
C
1

This is a particularly involved problem on Windows, where it's not enough to just chmod the files correctly. You have to set up your environment.

On Windows, this worked for me:

  1. Install cygwin.

  2. Replace the msysgit ssh.exe with cygwin's ssh.exe.

  3. Using cygwin bash, chmod 600 the private key file, which was "id_rsa" for me.

  4. If it still doesn't work, go to Control Panel -> System Properties -> Advanced -> Environment Variables and add the following environment variable. Then repeat step 3.

    Variable      Value
    CYGWIN      sbmntsec

Castellan answered 1/8, 2011 at 14:40 Comment(0)
H
1

I was able to fix this by doing two things, though you may not have to do step 1.

  1. copy from cygwin ssh.exe and all cyg*.dll into Git's bin directory (this may not be necessary but it is a step I took but this alone did not fix things)

  2. follow the steps from: http://zylstra.wordpress.com/2008/08/29/overcome-herokus-permission-denied-publickey-problem/

    I added some details to my ~/.ssh/config file:

        Host heroku.com
            Hostname heroku.com
            Port 22
            IdentitiesOnly yes
            IdentityFile ~/.ssh/id_heroku
            TCPKeepAlive yes
            User brandon

    I had to use User as my email address for heroku.com. Note: this means you need to create a key. I followed this to create the key, and when it prompts for the name of the key, be sure to specify id_heroku: http://help.github.com/win-set-up-git/

  3. then add the key:
    heroku keys:add ~/.ssh/id_heroku.pub
Holliehollifield answered 12/1, 2012 at 18:8 Comment(0)
D
1

What did the trick for me was to update CYGWIN environment variable with: "tty nodosfilewarning". Didn't even need to chmod the key.

Dehnel answered 23/3, 2013 at 12:14 Comment(0)
S
1

@koby's answer doesn't work for me, so I made a little change.

cd ~/.ssh
chmod 700 id_rsa.pub

This works well for me on Mac.

Savoury answered 9/4, 2015 at 3:45 Comment(0)
A
1

None of the workarounds suggested here (chmod/chgrp/setfacl/windows perms) worked for me with msys64 on a Windows 7 corporate VM. In the end I worked around the problem by using an ssh agent with the key provided on stdin. Adding this to my .bash_profile makes it the default for my login:

eval $(ssh-agent -s)
cat ~/.ssh/id_rsa | ssh-add -k -

Now I can do git push and pull with ssh remotes.

Aleurone answered 24/2, 2020 at 15:33 Comment(0)
T
0

Not a direct answer to the primary question, but on your question of how cygwin's folder works... As a general rule, cygwin puts all of "your" files under the equiv of c:\cygwin\home\username. It treats that folder for any user-specific settings rather than the Windows user directory.

Tallulah answered 13/10, 2009 at 17:25 Comment(0)
D
0

Unless there is a reason that you want to keep that private/public key pair (id_rsa/id_rsa.pub), or enjoy banging your head on the wall, I'd recommend just recreating them and updating your public key on github.

Start by making a backup copy of your ~/.ssh directory.

Enter the following and respond "y" to whether you want to overwrite the existing files.

ssh-keygen -t rsa

Copy the contents of the public key to your clipboard. (Below is how you should do it on a Mac).

cat ~/.ssh/id_rsa.pub | pbcopy

Go to your account on github and add this key.

Name: My new public key
Key: <PASTE>

Exit from your terminal and restart a new one.

If you get senseless error messages like "Enter your password" for your public key when you never entered one, consider this start over technique. As you see above, it's not complicated.

Donadonadee answered 5/9, 2013 at 23:7 Comment(0)
A
0

I never managed to get git to work completely in Powershell. But in the git bash shell I did not have any permission related issues, and I did not need to set chmod etc... After adding the ssh to Github I was up and running.

Azores answered 27/2, 2014 at 18:50 Comment(0)
P
0

Type on terminal:

chmod -Rf 700 ~/.ssh/

And try again.

Poilu answered 26/6, 2014 at 13:40 Comment(0)
A
0

Did you copy the key file from another machine?

I just created an id_rsa file on the client machine then pasted the key in I wanted. No permissions issues. Nothing to set. It just worked. It also works if you use PuTTYgen to create the private key.

Possibly some hidden group issue if you're copying it from another machine.

Tested on two Windows 8.1 machines. Using Sublime Text 3 to copy and paste the private key. Using Git Bash (Git-1.9.4-preview20140611).

Ashtoreth answered 3/7, 2014 at 15:59 Comment(0)
M
0

After upgrading my Cygwin installation to a version around February 2015 (1.7.34(0.285/5/3) 2015-02-04 12:14 x86_64 Cygwin), I suddenly ran into the UNPROTECTED PRIVATE KEY FILE warning.

I fixed this problem after running the following command:

setfacl -s u::rw-,g::---,o:--- ~/.ssh/id_rsa

(another answer to another question gives more context)

Mikkel answered 4/3, 2015 at 0:12 Comment(0)
D
0

I had the same issue on Windows 10 where I tried to SSH into a Vagrant box. This seems like a bug in the old OpenSSH version. What worked for me:

  1. Install the latest OpenSSH from http://www.mls-software.com/opensshd.html
  2. where.exe ssh

(Note the ".exe" if you are using Powershell)

You might see something like:

C:\Windows\System32\OpenSSH\ssh.exe
C:\Program Files\OpenSSH\bin\ssh.exe
C:\opscode\chefdk\embedded\git\usr\bin\ssh.exe

Note that in the above example the latest OpenSSH is second in the path so it won't execute.

To change the order:

  1. Right-click Windows button -> Settings -> "Edit the System Environment Variables"
  2. On the "Advanced" tab click "Environment Variables..."
  3. Under System Variables edit "Path".
  4. Select "C:\Program Files\OpenSSH\bin" and "Move Up" so that it appears on the top.
  5. Click OK
  6. Restart your Console so that the new environment variables may apply.
Disenchant answered 26/1, 2018 at 13:39 Comment(0)
B
0

My system is a bit of a mess with bash/cygwin/git/msysgit/maybe-more...

chmod had no effect on the key, or the config file.

Then I decided to approach it from Windows, which worked.

  1. Right-Click the file whose permission needs fixing.
  2. Select Properties.
  3. Select the Security tab.
  4. Click Advanced near the bottom.
  5. Click Change, next to Owner near the top.
  6. Type "My-Awesome-Username" (obviously change that to your current Windows username), and click Check Names, then OK.
  7. Under Permission entries:, highlight each user that isn't "My-Awesome-Username", and select Remove. Repeat this until "My-Awesome-Username" is the only one left.
  8. Select "My-Awesome-Username", and click Edit below.
  9. Make sure the Type: at the top is set to Allow, and then tick the checkbox next to Full control.
  10. Hit OK, Apply, OK, OK.

  11. Give it another try now...

Seems that sometimes the mock-bash can't control the file ownership. It's especially weird, as it's generated from a mock-bash script. Go figure.

Booklet answered 23/6, 2019 at 18:5 Comment(0)
