In a native Linux environment, the error UNPROTECTED KEY FILE always means that the permissions of the private key file are too open. The error usually occurs when you try to connect to a remote host over SSH with a private key. Because Ansible also uses SSH, you may see the same error there:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/home/user/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others. This private key will be ignored.
bad permissions: ignore key: /home/geek/user/id_rsa

As you can see, the permissions 0777 (read, write and execute for owner, group and others) are not allowed. Fixing this is trivial: change the permissions to 600 (read and write for the owner only):

$ chmod 600 id_rsa

If you run the chmod command inside a WSL (Windows Subsystem for Linux) container, e.g. the default Ubuntu distribution, you may notice that the permissions have not changed and are still the same:

$ ls -al
-rwxrwxrwx. 1 user user 0 Jan  9 23:32 id_rsa

The reason for this is that your Windows volume is probably mounted without any metadata. When you list your mounted devices, the metadata attribute is missing:

$ sudo mount
C:\ on /c type drvfs (rw,noatime,uid=1000,gid=1000)

Without the metadata attribute, Linux is not able to determine the correct file permissions inside WSL.

How to enable the metadata attribute for your volume

Microsoft has described a temporary solution for this problem. You need to mount your volume with the -o metadata option:

$ sudo umount /c
$ sudo mount -t drvfs C: /c -o metadata

After re-mounting the volume, mount will show that the drive has been mounted with the metadata attribute:

$ sudo mount
C:\ on /c type drvfs (rw,noatime,uid=1000,gid=1000,metadata)
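
The check described above can be scripted. The following is an added example, not code from the original article: it flags drvfs mounts that lack the metadata option and tests a key file against the mode rule ssh enforces. The function names and the sample mount lines are constructed for illustration, and GNU stat is assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Function names are hypothetical.

# Constructed sample of `mount` output, modelled on the lines shown above.
SAMPLE_MOUNTS='C:\ on /c type drvfs (rw,noatime,uid=1000,gid=1000)
D:\ on /d type drvfs (rw,noatime,uid=1000,gid=1000,metadata)
/dev/sdb on / type ext4 (rw,relatime)'

# Read `mount` output on stdin and print the mount point of every drvfs
# volume whose option list does not contain the exact option "metadata".
drvfs_without_metadata() {
    local line mnt opts
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *" type drvfs ("*) ;;      # only Windows volumes are of interest
            *) continue ;;
        esac
        mnt=${line#* on }              # drop "<source> on "
        mnt=${mnt%% type drvfs \(*}    # drop " type drvfs (...)"
        opts=${line##*\(}              # keep the text after the last "("
        opts=${opts%\)}                # drop the closing ")"
        case ",$opts," in
            *,metadata,*) ;;           # chmod is persisted on this volume
            *) printf '%s\n' "$mnt" ;; # chmod has no lasting effect here
        esac
    done
}

# Return 0 when the file has no group/other permission bits set, the
# condition ssh checks before it accepts a private key. Assumes GNU stat.
key_mode_ok() {
    local mode
    mode=$(stat -c '%a' -- "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Usage on a live system:
#   mount | drvfs_without_metadata
#   key_mode_ok ~/.ssh/id_rsa || echo "key permissions too open"
```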

Make the changes persistent

After a restart of your WSL instance, the volume would no longer be mounted with the metadata attribute. To make the changes persistent, you can either edit /etc/fstab or add an entry to your /etc/wsl.conf file. If the file does not exist, you can just create it.

$ sudo vim /etc/wsl.conf
# snip
[automount]
enabled = true
root = /
options = "metadata"
mountFsTab = true
# snap

The changes are only applied after the WSL container has been terminated. It is not sufficient to just close the WSL terminal:

wsl.exe --terminate <distro_name>
# e.g. wsl.exe --terminate ubuntu
wsl.exe
