Bad owner or permissions on /root/.ssh/config in a virtual machine

I'm using a VirtualBox VM with Debian as guest OS. In order to share SSH keys between the Windows host and the Linux guest system, I've defined the folder ~/.ssh as a shared folder. Bun now I'm getting an error:

# git clone git@github.com-user:user/project.git
Cloning into project...
Bad owner or permissions on /root/.ssh/config
fatal: The remote end hung up unexpectedly

Usually to resolve this problem it's only needed to set stricter permissions for ~/.ssh. But in this case it's not possible, since it's a shared folder.

Is there another solution/workaround for this issue?

Thx

automatix

Posted 2013-03-07T22:59:05.380

Reputation: 337

5Your first problem is that /root shouldn't be a shared folder. You shouldn't normally be doing things as root. – Zoredache – 2013-03-07T23:34:31.833

Why not? It's ("only") a virtual machine, not a real server. – automatix – 2013-03-07T23:58:05.673

6Because it is a bad habit. If you do things in a insecure manor on your local system, you will never train yourself to do things correctly on production systems. – Zoredache – 2013-03-08T00:40:52.600

3Start over and set up your virtual machine correctly, not using the root account. – Michael Hampton – 2013-03-08T02:20:38.903

Answers

I had mounted my shared folder with this command (saved in /etc/rc.local in order to mount the folder on system start automatically):

mount -t vboxsf -o uid=1000,gid=1000 sshkeys /root/.ssh

Now I've changed the user, the usergroup, and the access rights of the mounted folder in the mount commando:

mount -t vboxsf -o uid=0,gid=0,umask=077 sshkeys /root/.ssh

It works.

P.S. For everyone, who has participated in this discussion:

Since the thread became a bit chaotic, I would like to summarize it:

At first I had the problem, that I could not use my keys, when they came from a shared folder (Bad owner or permissions... error). The corollary for me was, that there were two ways: (a) either to set the user, group and the access rights for the folder how the SSH client (?) needs or (b) to make it ignore its access rights restrictions. Since I could not apply chown/chmod to my shared folder and thought, it were not possible to change the access rights for it, I saw (b) as the last possibility to resolve the issue -- and changed the question/title. It was a mistake and I've just made this change back.

To the discussion about the security: I'm working as root (on my dev VM!) and it's a deadly sin for every safety-conscious user. Actually I also think, that normally one should not log in as root. But I hold the opinion, that it doesn't apply to the case of a dev virtual machine. Anyway -- it is an offtopic, since it has nothing to do with the issue, I've described. This issue can occur for every user of every usergroup.

automatix

Posted 2013-03-07T22:59:05.380

Reputation: 337

You are free to hold that opinion, just as we are free to disagree with you. .ssh is intended to be a highly secure, unshared directory that is not managed this way. (whether it be root or any other user) You would not find the same resistance if it involved automation without permission munging. This is akin to saying that it's okay to munge the permissions of per-user registry hives in Windows so that you can tweak their security preferences; it's just something people don't do. – Andrew B – 2013-03-08T15:01:30.073

The proper solution is to stop using root to check out a git repository. Give each user their own account and keep the permissions tight enough that security isn't compromised.

A different solution would be to use one of the web-based git servers rather than an SSH-based one. I've never used any of those so I can't give you much advice there.

Ladadadada

Posted 2013-03-07T22:59:05.380

Reputation: 174

Thank you for your answer! To the first solution: It's a VM and I'm using only one user -- root. It's comfortable and no problem in the VM context. To the second solution: I use GitHub and it needs SSH authenification. – automatix – 2013-03-07T23:48:01.210

3@automatix Create a normal (unprivileged) user account, like your operating system's documentation almost certainly encourages you to. As Zoredache pointed out, you are practicing bad habits - always treat systems as if they're production. – voretaq7 – 2013-03-08T01:44:26.247

@automatix, root is never to be used as a regular user in Unix. Ever. – vonbrand – 2013-03-08T12:40:06.427

This doesn't in any way answer the question of how to configure ssh so that it doesn't complain about the permissions of his key folder. – frankster – 2013-10-07T11:36:20.873

1@frankster Of course not; It's a bad idea. I have answered the question "Is there another solution/workaround for this issue?" – Ladadadada – 2013-10-07T14:15:09.433

Disclaimer: I now believe this is a permissions check by the git client, not the ssh server. That would make this answer incorrect. I am leaving my answer here so that we don't have to go over the topic again.

I really don't want to answer this, but someone is going to post the answer you're looking for eventually and it may as well be with the appropriate disclaimers.

Don't do this. Everyone else has been steering you away from this answer for a reason. It's terrible security.
No, really. Don't do this. No matter how convenient it may seem, this goes against some of the most basic security conventions that are taken for granted in the Unix industry. You will lose a great deal of respect from those in your professional life if they discover that you have done this, even if it's casually on your own system.
You are asking to be owned.
If you're still determined on going through with this...

The answer is in man sshd_config, you're looking for StrictModes. It cannot be configured on a per-user basis; that's very deliberate.

Andrew B

Posted 2013-03-07T22:59:05.380

Reputation: 314

@vonbrand "it still is a full-fledged Unix." He said it was Debian. Debian is Linux, not UNIX. There's a difference. Not even sure if Debian's officially POSIX. "Do not use root as a regular user." Never say never. If a machine is entirely isolated from untrusted machines, and has nothing you care about on it, and it saves a lot of time, why not be root for a bit? No one's getting hurt. – Parthian Shot – 2014-07-11T02:46:41.893

1@ParthianShot, Debian (or any for-regular-users) Linux distribution is Unix-like enough for the current discussion's issue. – vonbrand – 2014-07-11T23:24:03.563

2On second thought, this question probably falls under "system misuse" in the FAQ. I'm going to flag it. – Andrew B – 2013-03-08T01:19:31.657

Unfortunately users are permitted to shoot themselves in the foot if they really want to. @automatix - If you decide to do this you may find this question and its answers helpful in short order...

– voretaq7 – 2013-03-08T01:40:25.330

Thank you for your excelent answer! Yes, I understand your point. But IMHO in the context of a VM I don't need to follow the normal security guidelines. I've set StrictModes to no. But I'm still getting the same error: Bad owner or permissions on /root/.ssh/config fatal: The remote end hung up unexpectedly. – automatix – 2013-03-08T01:54:43.647

3@automatix A virtual machine needs the same security as a physical machine. Perhaps you mean it needs less security because it's on an isolated network - if so, fine. But if its attached to the network like a physical machine, it needs the same security. – Grant – 2013-03-08T02:13:28.853

^^ Wish I could upvote this multiple times. – Dave Johnson – 2013-03-08T02:58:34.167

@automatix This may be the 'git' client itself complaining then, in which case my answer would be incorrect. – Andrew B – 2013-03-08T05:37:49.813

@automatx, it might be a Unix running on a virtual machine, but it still is a full-fledged Unix. Do not use root as a regular user. – vonbrand – 2013-03-08T12:42:20.343

@sethcall This was migrated from ServerFault awhile back, so the original context had to include production environment standards. – Andrew B – 2013-04-24T23:21:45.137

A solution do this that would permit you to still have /root as a 'shared folder' would be to use the AuthorizedKeysFile in your sshd_config file, and set it to pull your authorized keys from some other directory.

Zoredache

Posted 2013-03-07T22:59:05.380

Reputation: 18 453

I'm not sure, whether I've understood you correctly. The VM is not the SSH server. Both -- the host and the guest system -- are clients. The dealing with the file sshd_config is the server (in this case GitHub) part. – automatix – 2013-03-08T00:02:34.157

Ah, in that case then update your global ssh_config, and use the IdentityFile to relocate your key files so they are stored in a location with proper permissions. – Zoredache – 2013-03-08T00:14:50.340

It will not resolve the problem: I will still have to choose between a shared key folder and the SSH authentification. – automatix – 2013-03-08T00:37:09.420