git-annex/doc/bugs/ssh:_unprotected_private_key_file.mdwn

62 lines
2.7 KiB
Markdown

### Please describe the problem.
When pairing two machines with git-annex assistant, the assistant kept asking for the ssh password. Checking the git-annex daemon logs, I saw that ssh was refusing to use the key the assistant had created because it was group readable (see below for the log extract).
### What steps will reproduce the problem?
The assistant was installed from the ubuntu precise ppa backport on an up-to-date copy of ubuntu precise.
It was started using "git-annex webapp --listen=XYZ".
This was done on two machines on the same network.
Created a repository using the web-app, the same on both machines.
Did a pair request. This initially worked fine, until it got to the point of using ssh, when it started asking for the password many many times.
### What version of git-annex are you using? On what operating system?
git-annex version: 5.20140306
build flags: Assistant Webapp Pairing S3 WebDAV Inotify DBus XMPP Feeds Quvi TDFA CryptoHash
key/value backends: SHA256E SHA1E SHA512E SHA224E SHA384E SKEIN256E SKEIN512E SHA256 SHA1 SHA512 SHA224 SHA384 SKEIN256 SKEIN512 WORM URL
remote types: git gcrypt S3 bup directory rsync web webdav tahoe glacier hook external
local repository version: 5
supported repository version: 5
upgrade supported from repository versions: 0 1 2 4
Ubuntu 12.04.4 LTS
### Please provide any additional information below.
[[!format sh """
# If you can, paste a complete transcript of the problem occurring here.
# If the problem is with the git-annex assistant, paste in .git/annex/daemon.log
(started...) Generating public/private rsa key pair.
Your identification has been saved in /tmp/git-annex-keygen.0/key.
Your public key has been saved in /tmp/git-annex-keygen.0/key.pub.
The key fingerprint is:
2b:f4:28:35:72:2c:9e:5b:d3:1d:d1:a1:b7:c7:a5:34 ABC@XYZ
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| o . |
| o o E .|
| . o + + |
| o * S . . + |
| . B = o . . |
| + = + . |
| + o |
| . |
+-----------------+
[2014-03-14 13:35:45 GMT] main: Pairing in progress
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0620 for 'ABC/.ssh/git-annex/key.git-annex-XYZ_annex' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: ABC/.ssh/git-annex/key.git-annex-XYZ_annex
(merging XYZ_annex/git-annex into git-annex...)
# End of transcript or log.
"""]]
> [[Fixed|done]]; the code made sure the file did not have any group or
> world read bits, but did not clear write bits. --[[Joey]]