Hi all,

I’m not able to use the id_rsa.pub.cloud on KVM hosts. See snippet below:

[root@kvm1 ~]# ssh -i ~/.ssh/id_rsa.pub.cloud -p 3922 169.254.0.136
The authenticity of host '[169.254.0.136]:3922 ([169.254.0.136]:3922)' can't be established.
ECDSA key fingerprint is 81:be:00:fe:37:8d:3f:99:63:1d:e2:ff:3f:4b:56:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[169.254.0.136]:3922' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/root/.ssh/id_rsa.pub.cloud' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /root/.ssh/id_rsa.pub.cloud
Permission denied (publickey).
[root@kvm1 ~]# chmod 600 /root/.ssh/id_rsa.pub.cloud
[root@kvm1 ~]# ssh -i ~/.ssh/id_rsa.pub.cloud -p 3922 169.254.0.136
Enter passphrase for key '/root/.ssh/id_rsa.pub.cloud':
Permission denied (publickey).

It was working fine a few days ago. The injectkeys.py did not change, although it says 644, but for the private key.

print ("Copying new private key file as it is not matching with old file")
shutil.copyfile(newKey, currDir + pathSep + "id_rsa.cloud")
os.chmod(currDir + pathSep + "id_rsa.cloud", 0644) <<<<<<============== I think we should change it to 600

On XenServer, the patch files set the key permission to 600, instead:

id_rsa.cloud=../../../systemvm,0600,/root/.ssh

On LibvirtModifySshKeyCommandWrapper it sets the public key to 600

final Script script = new Script("chmod", libvirtComputingResource.getTimeout(), s_logger);
script.add("600", sshprvkeypath);
script.execute();

Have you guys seen something like that before?

Cheers,
Wilder
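
Added example, not part of the original message and not the project's own code: one way to copy a private key so it is created owner-only (0600) instead of being copied and then chmod'ed to 0644, plus a pre-flight check for the two conditions seen in the session above. The function names, the ".tmp" suffix and the sample key contents are assumptions made for illustration; the format check assumes a PEM or OpenSSH-format private key.

```python
import os
import stat
import tempfile

def install_private_key(src, dst):
    """Copy src to dst; dst is owner-only (0600) from the moment it exists."""
    with open(src, "rb") as f:
        data = f.read()
    tmp = dst + ".tmp"  # hypothetical temp name, same directory as dst
    # O_EXCL refuses a pre-existing file; mode 0o600 leaves no 0644 window.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(data)
        os.replace(tmp, dst)  # atomic rename over any old key
    except BaseException:
        os.unlink(tmp)
        raise

def check_identity_file(path):
    """List the reasons ssh -i would ignore or fail to load this file."""
    problems = []
    st = os.stat(path)
    # Same test OpenSSH applies: owned by us and any group/other bit set.
    if st.st_uid == os.getuid() and st.st_mode & 0o077:
        problems.append("permissions %04o too open" % stat.S_IMODE(st.st_mode))
    with open(path, "rb") as f:
        head = f.read(32)
    # Private keys are armoured ("-----BEGIN ..."); a public key file
    # starts with the key type instead (for example "ssh-rsa").
    if not head.startswith(b"-----BEGIN "):
        problems.append("not a private key")
    return problems

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    src = os.path.join(d, "new.key")
    with open(src, "wb") as f:  # constructed placeholder, not a real key
        f.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n")
    os.chmod(src, 0o644)
    print(check_identity_file(src))
    dst = os.path.join(d, "id_rsa.cloud")
    install_private_key(src, dst)
    print(check_identity_file(dst))
```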