Force ssh to ignore id_rsa permissions
As other answers have mentioned, it looks like there is no way to force SSH to ignore that option. The check is happening in authfile.c function sshkey_perm_ok:
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("Permissions 0%3.3o for '%s' are too open.",
(u_int)st.st_mode & 0777, filename);
error("It is required that your private key files are NOT accessible by others.");
error("This private key will be ignored.");
return SSH_ERR_KEY_BAD_PERMISSIONS;
}
If changing the permissions of the key file is not an option, a solution is to download the OpenSSH source, remove that check from the code and rebuild it.
An answer to a related question suggests there is no way to bypass the permissions check.
However, I had the same problem --- I wanted several users to share the same key to be able to access and control a large group of hosts --- and my fix might be useful to others.
Here's what I did:
- Create a special user (say,
master
) and group (master
) to hold the key. - Create/store the key files in
~master/.ssh/
. - Give group read permissions to the key file,
chmod g+r ~master/.ssh/id_rsa
. - Add each of the authorized users to the
master
group. - Make a link from
~user/.ssh/id_rsa
to~master/.ssh/id_rsa
.
This allows the authorized user to ssh
without problems,
but avoids opening up the key to everyone.
Also, the key owner is not root.
Strangely, the master
user itself will still get the "unprotected private key" warning.
This can be circumvented by changing the owner (but not the group) of the key file to some special user that will never need to use the key,
sudo chown daemon ~master/.ssh/id_rsa
, for instance.