SSH does not allow the use of a key with group readable permissions

git ssh linux private-key deployment

I have a development git server that deploys to a live server when the live branch is pushed to. Every user has their own login and therefore the post-receive hook which does the live deployment is run under their own user.

Because I don't want to have to maintain the users public keys as authorized keys on the remote live server I have made up a set of keys that 'belong's to the git system to add to remote live servers (In the post-receive hook I am using $GIT_SSH to set the private key with the -i option).


My problem is that because of all the users might want to deploy to live, the git system's private key has to be at least group readable and SSH really doesn't like this.

Here's a sample of the error:

XXXX@XXXX /srv/git/identity % ssh -i id_rsa XXXXX@XXXXX
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: id_rsa

I've looked around expecting to find something in the way of forcing ssh to just go through with the connection but I've found nothing but people blindly saying that you just shouldn't allow access to anything but a single user.


Here's a nice simple and secure way.

Create a new user for the ssh transfer, I'll call it git-sync. Create a similar user on the server with group membership for the git repository. Add the public key for sync-user into that users authorized_keys2 file. I'm assuming the git users are all members of the gitgroup. Make sure the git-sync user is also a member of this group.

Now edit your /etc/sudoers file to include a line like:

%gitgroup ALL=(git-sync) NOPASSWD: /usr/bin/git

This will allow any member of the gitgroup group to run the command /usr/bin/bit as git-sync without a password.

Now put something like this in your post-receive hook:

sudo -u git-sync /usr/bin/git push origin

You CAN use group readable identity files, UNLESS you're the owner of the key. So, just set the identity file to be owned by, for example, the root user and then all your git repository users are set to go.

A nice benefit to this is that you don't need sudo - the solution will be more simple.

Note that this will run into the original problem again if you're using root to push to your git repo.


Permissions 0640 for 'id_rsa' are too open.

The private key must remain private. You shouldn't allow anyone to read it.

Because I don't want to have to maintain the users public keys as authorized keys on the remote live server I have made up a set of keys that 'belong's to the git system to add to remote live servers (In the post-receive hook I am using $GIT_SSH to set the private key with the -i option).

  1. setup a key pair to ssh from the dev to the production server

  2. in the post-receive hook script, try something like this:

    if [ "live" == "$branch" ]; then
    ssh -t user@prod "git --work-tree=... --git-dir=... checkout -f"
fi

Related

nginx simple regex location
Make Tomcat use X-Real-IP
I accidently zipped my whole server
iLO 3 Firmware Update (HP Proliant DL380 G7)
Gmail flagging Dovecot email as insecure
How to enable systemd on Amazon Linux AMI
iSCSI, multiple initiators for the same LUN
Update Office without opening an Office application
Does SMTP greylisting a) stop much spam and b) stop much legitimate mail?
Free Windows server anti-virus and firewall programs?
Why is my .bashrc not read under cygwin?
Can a Linux server serve as a Domain Controller for Windows Machines?