openhab / openhabian

openHABian - empowering the smart home, for Raspberry Pi and Debian systems
https://community.openhab.org/t/13379
ISC License

ssh permission problem #1095

Closed Masmin closed 4 years ago

Masmin commented 4 years ago

Hi, I use a raspberry 4 with the latest version of openhabian: Linux openhab 4.19.118-v7l+ #1311 SMP Mon Apr 27 14:26:42 BST 2020 armv7l

I use an exec binding to access another linux system in SSH and this is the log of the problem.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/var/lib/openhab2/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/var/lib/openhab2/.ssh/id_rsa": bad permissions
Permission denied, please try again.
Permission denied, please try again.
volumio@192.168.1.21: Permission denied (publickey,password).

I changed the permissions a lot of times, but some script brings the permissions back to 0660 when the system restarts. Best regards

ecdye commented 4 years ago

Try running permissions correction from openhabian-config.

mstormi commented 4 years ago

/var/lib/openhab2/.ssh/id_rsa

I don't know why the permissions get reset. But you mustn't use/set up a UNIX user with /var/lib/openhab2 as the home. That's reserved for use by OH.

Masmin commented 4 years ago

Thank you ecdye, I already tried to run the permissions correction from openhabian-config but it doesn't work. Sorry mstormi, but the exec binding uses the openhab user. So it is right that it's reserved for openhab, but the openhab user must connect to another linux server.

FROM EXEC BINDING: https://www.openhab.org/addons/bindings/exec/ Linux: Note that the commands are executed in the context and with the privileges of the process running the Java Virtual Machine. On a Linux system the system user openhab needs to have the privileges needed to execute your intended command. It is advised to test the correct operation of the command in the scope of the openhab user on the command line first: sudo -u openhab

If I ssh to another server to launch a command, I need to store the public key in '/var/lib/openhab2/.ssh/id_rsa' for the openhab user. Am I right?

ecdye commented 4 years ago

There should be no difference in the use of ssh between users. Try using your regular openhabian account as it should work just fine.

Masmin commented 4 years ago

Thank you ecdye for the reply. This is an event triggered in openhab and the exec binding is using the openhab user; I can't change it. I'm not connected in a terminal with the account that I want. In the script launched by openhab (exec binding) with the openhab user I should change user to openhabian and launch the ssh command. Maybe it's possible, but I think this is a workaround, not a solution. In addition, SSH keys should maintain the right permissions (for security reasons). The script that sets permissions should have an exception for the .ssh directory.

mstormi commented 4 years ago

As I said, I don't know what's changing permissions; I'm not aware of anything that regularly does this. @BClark09 are you aware of any such thing?

@Masmin you could insert a proper chmod command after https://github.com/openhab/openhabian/blob/master/functions/system.bash#L300 to see if that's what is called daily (it usually only executes if you use the menu).

Will add a fix there, too.

Masmin commented 4 years ago

Thank you mstormi. I put the chmod line in /opt/openhabian/functions/system.bash:

    if ! cond_redirect chmod -R ug+wX /opt "${openhabFolders[@]}"; then echo "FAILED (folders)"; return 1; fi
    chmod 600 /var/lib/openhab2/.ssh/id_rsa

I also tried to use openhabian-config and launch fix permissions. After this, it changes the permission to 660:

    -rw-rw---- 1 openhab openhab 1823 Nov 29 2019 id_rsa

I don't know if there's something that calls the fix permissions script, but it could be this: it gives the permissions that I find when the problem occurs.

I brought the permission back to 600 and I'm going to test for some days.

Masmin commented 4 years ago

I also tried to use "Upgrade System: Upgrade all installed software packages (incl. openHAB) to their latest version" and the permissions came back to 660. I try to upgrade very frequently, so maybe it couldn't be a scheduled task.

BClark09 commented 4 years ago

@BClark09 are you aware of any such thing?

No, I thought that the permissions_corrections function was only called on first setup or on demand. Looking at the function now, it looks fairly complicated. What is changing the permissions incorrectly in the first place to make all of that function necessary?

mstormi commented 4 years ago

I also tried to use openhabian-config and launch fix permissions.

Yes, that's what line 300 does.

I also tried to use "Upgrade System: Upgrade all installed software packages (incl. openHAB) to their latest version" and the permissions came back to 660.

It's in one of the package install scripts then, hence nothing we can fix inside openHABian. Likely the openhab2 or openhab2-addons package. @BClark09 can you check?

No, I thought that the permissions_corrections function was only called on first setup or on demand.

Me, too.

What is changing the permissions incorrectly in the first place to make all of that function necessary?

Dunno. The function resets permissions to a state known to work, to be called when in need. If we had known the origin we would have fixed it there (in addition), but I'm unaware of any such part of the code.

ecdye commented 4 years ago

No, I thought that the permissions_corrections function was only called on first setup or on demand.

Me, too.

It is, so there is nothing wrong in that.

mstormi commented 4 years ago

@BClark09 did you check if it's the openhab2* packages that (re)set permissions?

BClark09 commented 4 years ago

AFAIK the runtime can't change the permissions of the folders which just leaves openhab-linuxpkg as a possible cause, but the openHAB packages should only set the ownership during installation or upgrade. I'm not aware of anywhere that specifically sets 0660 permissions.

mstormi commented 4 years ago

Thanks Benjy. OK, so we don't really know what is causing it. Now, given that I've added a line to reset these to 600 in permissions_corrections, you can execute that whenever in need, such as after any upgrade. Sorry, but that's the best we can offer. Feel free to reopen when there's news.