ssh-add error: "Permissions are too open"
When trying to load my keys I get this error

ssh-add ~/.ssh
Permissions 0755 for '/home/starkers/.ssh' are too open.

Note that the permissions are too open for the .ssh directory, not an actual key.

Modifying the ownership doesn't change anything:

chmod 755 ~/.ssh
ssh-add ~/.ssh
Permissions 0755 for '/home/starkers/.ssh' are too open.

The thing is, I need to write to this directory when I create new keys, so what's it on about?

Pilferage answered 14/11, 2013 at 8:2 Comment(8)
Amazonas: Just a small tip, chmod doesn't modify the ownership (that's chown).
Pilferage: Oh, fair enough! Still it says that 0755 is too lenient. Don't know what it's on about frankly. Get none of this rubbish on my local machine. I need to write and read to it, end of.
Amazonas: possible duplicate of ssh "permisssions are too open" error
Pilferage: It's not. Why I said "Note that the permissions are too open for the .ssh directory, not an actual key."
Amazonas: It's the same thing; your directory has the wrong permissions. It should be 700; I'm not sure why you have 755 there.
Pilferage: Would you revoke that close please? I went to the trouble of pointing out the difference.
Pilferage: If it's 600, I can't write to the directory when generating a new key. Is the idea to lock down the directory once I've generated a key? I haven't experienced this on my local machine, but that does make sense.
Cessation: This answer has been answered, refer to https://mcmap.net/q/22730/-ssh-quot-permissions-are-too-open-quot
Your .ssh directory should have permissions 0700. Not 0600 (too strict) or 0755 (too permissive). Do:

chmod -R 700 ~/.ssh

Use -R to recursively change permissions for all files in there.

Yang answered 14/11, 2013 at 8:9 Comment(0)
Nobody should be able to get at your keys except you, not even to read them or discover their names. That's basic sensible security and it means no permissions whatsoever for group or world.

First you should own the directory. Then, you should be using something like 600 or 700 (preferably the latter, see below).

From the ssh man-page (but with my italics):

~/.ssh/

This directory is the default location for all user-specific configuration and authentication information. There is no general requirement to keep the entire contents of this directory secret, but the recommended permissions are read/write/execute for the user, and not accessible by others.

Periphrasis answered 14/11, 2013 at 8:10 Comment(0)
The private key file should have permissions 0600 (but 0400 will also do), that is, it should not be accessible by anyone but the owner (and of course should be readable by the owner). Exception: the user running ssh-add is not the private key file's owner (*).

But the issue here is that you are giving a directory as an argument to ssh-add. The reason why you get the permission error is that ssh-add checks for the correct permissions first.

OpenSSH uses the function sshkey_perm_ok (source: authfile.c):

static int
sshkey_perm_ok(int fd, const char *filename)
{
    struct stat st;

    if (fstat(fd, &st) == -1)
        return SSH_ERR_SYSTEM_ERROR;
    /*
     * if a key owned by the user is accessed, then we check the
     * permissions of the file. if the key owned by a different user,
     * then we don't care.
     */
#ifdef HAVE_CYGWIN
    if (check_ntsec(filename))
#endif
    if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
        error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
        error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
        error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
        error("Permissions 0%3.3o for '%s' are too open.",
            (u_int)st.st_mode & 0777, filename);
        error("It is required that your private key files are NOT accessible by others.");
        error("This private key will be ignored.");
        return SSH_ERR_KEY_BAD_PERMISSIONS;
    }
    return 0;
}

The function is called from ssh-add.c:

if (fd != STDIN_FILENO) {
    if (sshkey_perm_ok(fd, filename) != 0) {
        close(fd);
        return -1;
    }
}

The permissions of your private key should return 0 when performing a bitwise AND with 077; this means that your private key should have no permissions for group or others (but can have any permission for the owner).

Small test to see how ssh-add first checks for permissions and then whether it's a file:

~ % mkdir testssh
~ % ssh-add ./testssh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for './testssh' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
~ % chmod 600 testssh
~ % ssh-add ./testssh
Error loading key "./testssh": Is a directory

Now create a key file with permissions `744` (not allowed) and then change the permissions to `700` (allowed):

~ % chmod 700 testssh
~ % touch ./testssh/mykey
~ % chmod 744 ./testssh/mykey
~ % ssh-add ./testssh/mykey
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0744 for './testssh/mykey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
~ % chmod 700 ./testssh/mykey
~ % ssh-add ./testssh/mykey
Error loading key "./testssh/mykey": invalid format

Examples of valid/invalid permissions for private key file:

0600 OK

  000110000  (binary for 0600)
& 000001111  (binary for 077)
-----------
  000000000  (result)

0400 OK

  000100000  (binary for 0400)
& 000001111  (binary for 077)
-----------
  000000000  (result)

0755 NOT OK

  000111101  (binary for 0755)
& 000001111  (binary for 077)
-----------
  000001101  (result)

(*) unless the owner of the key is different from the user calling ssh-add, in that case permissions are not checked. st.st_uid == getuid() is the piece of code responsible for that (source: authfile.c):

/*
 * if a key owned by the user is accessed, then we check the
 * permissions of the file. if the key owned by a different user,
 * then we don't care.
 */
...
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {

Try:

~ % touch anotherkey
~ % sudo chown root anotherkey 
~ % sudo chmod 755 anotherkey 
~ % ssh-add anotherkey 
Error loading key "anotherkey": invalid format

In this case ssh did not complain about incorrect permissions.

Glaring answered 7/8 at 9:58 Comment(0)
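A self-contained C reproduction of the check quoted in the answer above, added here as an example (it is not OpenSSH's own code): perm_ok_mode mirrors the `(st.st_uid == getuid()) && (st.st_mode & 077) != 0` test on a bare mode/owner pair, perm_ok_path runs the same test against a real path via stat(2), and leaked_bits returns the group/other bits a mode exposes, which is the octal value the ssh-add message is complaining about. The function names, the scratch file under /tmp and the list of modes are assumptions made for this demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Mirror of OpenSSH's test (st.st_uid == getuid()) && (st.st_mode & 077) != 0,
 * applied to a mode/owner pair so the rule can be evaluated without a file.
 * Returns 1 when ssh-add would accept the permissions, 0 when it would refuse. */
int perm_ok_mode(mode_t mode, uid_t owner, uid_t caller)
{
    if (owner != caller)          /* key owned by someone else: not checked */
        return 1;
    return (mode & 077) == 0;     /* no group or other bits may be set */
}

/* Same check against a real path using stat(2); -1 if the path is missing. */
int perm_ok_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) == -1)
        return -1;
    return perm_ok_mode(st.st_mode, st.st_uid, getuid());
}

/* The group/other bits a mode leaks: 0 means the key is acceptable. */
unsigned int leaked_bits(mode_t mode)
{
    return (unsigned int)(mode & 077);
}

int main(void)
{
    /* Constructed sample: a throwaway "key" file in /tmp owned by the caller
     * (assumption: /tmp is writable); mkstemp creates it with mode 0600. */
    char path[] = "/tmp/permcheck-XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1) { perror("mkstemp"); return 1; }
    close(fd);

    mode_t modes[] = { 0600, 0400, 0700, 0644, 0755, 0744 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        if (chmod(path, modes[i]) == -1) { perror("chmod"); unlink(path); return 1; }
        printf("%04o: %-8s (mode & 077 = 0%02o)\n", (unsigned)modes[i],
               perm_ok_path(path) ? "OK" : "too open", leaked_bits(modes[i]));
    }
    unlink(path);
    return 0;
}
```

Running it prints one line per mode; 0600, 0400 and 0700 pass, while 0644, 0755 and 0744 fail with the leaked bits 044, 055 and 044 respectively. The owner check is what lets the root-owned `anotherkey` in the answer slip past the permission test: perm_ok_mode returns 1 for any mode when the owner differs from the caller, exactly as the quoted source does.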