Sunday, December 31, 2017

ssh error "UNPROTECTED PRIVATE KEY FILE!"

My environment:

  • Windows 10 with powershell
  • chefdk-2.4.17-1
  • vagrant_2.0.1
  • VirtualBox-5.2.4
  • OpenSSH_7.6p1
  • "kitchen create" succeeded with a simple apache recipe, and "kitchen list" showed the instance was created

My Problem:

When I ran "kitchen login", I got the error "UNPROTECTED PRIVATE KEY FILE!". The full error message follows. The details are version-specific, but similar errors should have the same root cause.

PS > kitchen login
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for '.../.kitchen/kitchen-vagrant/default-centos-72/.vagrant/machines/default/virtualbox/private_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key ".../.kitchen/kitchen-vagrant/default-centos-72/.vagrant/machines/default/virtualbox/private_key": bad permissions
vagrant@127.0.0.1's password:

Root Cause:

"kitchen login" runs 'ssh', and 'ssh' complains that the permissions on the private key file are too open: other users can read it, which is not secure, so ssh refuses to use it.

My Solution:

Set the proper permissions using an ACL. The idea is to use 'ssh-keygen' to generate a new private key file, which is created with a proper ACL, and then copy that ACL onto the existing private key file. I assume you are in the directory that holds the key file 'private_key' and that the following runs as administrator. After this, 'kitchen login'/ssh no longer complains and the login succeeds. This can also serve as a way to change file permissions from the PowerShell command line.

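# Generate a throwaway key; ssh-keygen creates it with a restrictive ACL
ssh-keygen -f C:\Windows\Temp\id_rsa -N dumppass
# Read the ACL of the throwaway key
$Acl = Get-Acl C:\Windows\Temp\id_rsa
# Apply that ACL to the key file that ssh rejected
Set-Acl .\private_key $Acl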
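
Another way to reach the same result without generating a throwaway key, shown as an added example that is not part of the original post: it rebuilds the ACL on 'private_key' so that the current user is the only entry. It assumes the same directory and an administrator PowerShell session; the variable names are illustrative.

```powershell
# Added example (not from the original post).
# Assumption: the current directory holds the key file 'private_key'.
$KeyPath = Join-Path (Get-Location) 'private_key'

# Before: list every identity that can access the file.
# Inherited entries for other users or groups are what ssh objects to.
(Get-Acl -Path $KeyPath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

$Acl = Get-Acl -Path $KeyPath

# Stop inheriting entries from the parent directory ($true) and
# do not keep copies of the inherited entries ($false).
$Acl.SetAccessRuleProtection($true, $false)

# Remove any explicit entries that are still present.
# @() copies the collection so it is not modified while being enumerated.
foreach ($Entry in @($Acl.Access)) {
    [void]$Acl.RemoveAccessRule($Entry)
}

# Add a single entry: the current user, full control.
$Me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Me, 'FullControl', 'Allow')
$Acl.AddAccessRule($Rule)

# Write the rebuilt ACL back to the key file.
Set-Acl -Path $KeyPath -AclObject $Acl

# After: only the current user should be listed, with IsInherited = False.
(Get-Acl -Path $KeyPath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Comparing the two tables shows which entries made the key "too open" and confirms they are gone before retrying 'kitchen login'.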
