Inside a native Linux environment the error UNPROTECTED KEY FILE always means that the permissions of private key file are way too open. The error usually occurs if you are trying to connect with SSH and a private key to a remote host. As Ansible does also use SSH, you may also receive the error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/home/user/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others. This private key will be ignored.
bad permissions: ignore key: /home/geek/user/id_rsa

As you can see, the permissions 0777 (read, write and execute permissions for owner, group membership and others) are not allowed. Fixing this is trivial as you just have to change the permissions to 600:

$ chmod 600 id_rsa

If you are executing the chmod command inside a WSL (Windows Subsystem for Linux) container, e.g. the default Ubuntu distribution, you may notice that the permission does not have changed and are still the same:

$ ls -al
-rwxrwxrwx. 1 user user 0 Jan  9 23:32 id_rsa

The reason for this is that your Windows volume is probable mounted without any metadata. When you are showing a list of your mounted devices, the metadata attribute is missing:

$ sudo mount
C:\ on /c type drvfs (rw,noatime,uid=1000,gid=1000)

Without the metadata attribute, Linux is not able to determine the correct file permissions inside WSL.

How to add enable the metadata attribute for your volume

The temporary solution for this problem has Microsoft described. You need to mount your volume with the -o metadata option:

$ sudo umount /c
$ sudo mount -t drvfs C: /c -o metadata

After re-mounting the volume, mount will show that the drive has been mounted with the metadata attribute:

$ sudo mount
C:\ on /c type drvfs (rw,noatime,uid=1000,gid=1000,metadata)

Make the changes persistent

With a restart of your WSL instance, the volume wouldn’t get loaded with the metadata attribute. To make the changes persistent, you can either edit /etc/fstab or add an entry to your /etc/wsl.conf file. If the file does not exist, you can just create it.

$ sudo vim /etc/wsl.conf
# snip
[automount]
enabled = true
root = /
options = "metadata"
mountFsTab = true
# snap

The changes are only applied after the WSL container has been terminated. It is not sufficient to just close the WSL terminal:

wsl.exe --terminate <distro_name>
# e.g wsl.exe --terminate ubuntu
wsl.exe

I am asking you for a donation...

You liked the content or this article has helped and reduced the amount of time you have struggled with this issue? Please donate a few bucks so I can keep going with my troubleshooting adventure :-)

Categories: Linux