I like computer security to be EASY and SECURE.
I hate passwords, and I use them rarely if at all. Instead, I use digital keys as much as possible (i.e. something based on a physical key stored on a removable USB drive that I take with me wherever I go). Like using a physical key, it’s much easier.
Sadly, OS X has a version of SSH that tries to be “too clever” while actually being “annoyingly unhelpful”. If you attempt to use a key from a removable drive, you get this error message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for ‘login-key-for-tmachine.ssh’ are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: (key-name)
Permission denied (publickey).
(emphasis mine).
While it’s delightfully verbose, and tells you exactly what’s happened, it’s also a bit misleading. It says “WARNING” when it actually means “ERROR”, since the ssh system at this point deliberately stops itself. But, more importantly, it’s an error that you cannot evade under OS X. With OS X, all removable media has “Permissions 0777”.
Fortunately, there’s a workaround. Using this good but not-quite-detailed-enough article, I got most of the way there.
I had two problems, things that article omits.
Firstly, you are no longer “allowed” to edit /etc/fstab on OS X. Don’t try it. Instead, there’s a new command-line editor called “vifs” (hmm. vi-for-fstab, perhaps? :)) which works fine.
Secondly, the USB Drive I’m using has a space in the Label name. /etc/fstab uses spaces as a reserved character (I knew this), but … what do you write instead? (I didn’t know this).
I tried (and failed with):
- “My Drive”
- My\ Drive
- My Drive
…and with some creative googling, eventually found an example fstab with spaces in a label name. Aha!
- My\040Drive
i.e. replace spaces with “\040” (I’m guessing because it’s so low-level they’ve decided to “assume” unicode in all escape sequences)
…and now it all works as intended. Yay.
4 replies on “Safe login on OS X: using an SSH key from a USB key/thumbdrive”
Must admit, I would have just renamed the drive label to not have a space in it ;-)
But this way, I can add to the referenced post, and make it better :).
Also, you might already have assigned that name to a drive on a different OS. So, renaming the drive can mean breaking your other refs in other places. I subscribe to the sysadmin credo of “don’t break everyone else’s systems to make up for problems on your own one” :)
And, if you’ve got a lot of usb drives / keys, it quickly becomes a pain not to be giving them nice, human-readable names.
‘man fstab’ or ‘info fstab’
usually i use google too p: and probably i would have panicked and given up at the error message, I don’t like having to do extra work to make things work. probably due to latent trauma of non-working wireless and a failed patch/compile attempt in Gentoo
For some reason, the OS X man pages don’t include info on the space character. I’m not sure why.
But they’re using customized versions of the unix tools (including fstab, I believe), so maybe it’s just a traditional Apple “we forgot to document it” error.