Description of problem:
Using MRG Grid to spawn Amazon EC2 instances, when I attempt to use the generated key pair which is pointed to by the AMAZON_KEYPAIR_FILE variable, I get the following error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/admin/tunnelkeypair' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/admin/tunnelkeypair

This is easily worked around by the following command, and so far no adverse effects have been noted.

chmod 400 tunnelkeypair

Version-Release number of selected component (if applicable):
MRG 1.2

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
commit e7f1cfa5da9e379538efbea33a69372b0e88d033 Author: Jaime Frey <jfrey@> Date: Fri Jul 16 12:32:32 2010 -0500 Fix permissions on ssh private key file for amazon ec2 jobs. #1508 The ssh private key file that allows logging into the ec2 instance was being written with global read permissions. Now, only the owner has read permission. ... --- a/src/condor_amazon/gsoap_commands.cpp +++ b/src/condor_amazon/gsoap_commands.cpp @@ -319,7 +319,7 @@ AmazonVMCreateKeypair::gsoapRequest(void) // check if output file could be created if( has_outputfile ) { - if( check_create_file(outputfile.Value()) == false ) { + if( check_create_file(outputfile.Value(), 0600) == false ) { m_error_msg = "No_permission_for_keypair_outputfile"; dprintf(D_ALWAYS, "AmazonVMCreateKeypair Error: %s\n", m_error_msg.Value()) return false; @@ -343,7 +343,7 @@ AmazonVMCreateKeypair::gsoapRequest(void) if( has_outputfile ) { FILE *fp = NULL; - fp = safe_fopen_wrapper(outputfile.Value(), "w"); + fp = safe_fopen_wrapper(outputfile.Value(), "w", 600); if( !fp ) { m_error_msg.sprintf("failed to safe_fopen_wrapper %s in write mode: "safe_fopen_wrapper returns %s",
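Review bot: In the first hunk (@@ -319,7), passing 0600 to check_create_file covers a newly created file, but the visible lines do not show what happens when outputfile already exists with looser permissions, such as the 0644 from the report. If check_create_file applies the mode only at creation, an explicit chmod to 0600 on the existing path before the key is written would close that case, and a short comment stating the intended mode would document it.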
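Review bot: In the second hunk (@@ -343,7), the new third argument to safe_fopen_wrapper is written as decimal 600, while the first hunk passes octal 0600 to check_create_file. If this argument is a permission mode, decimal 600 equals octal 01130, which carries no owner read or write bit; it should read `safe_fopen_wrapper(outputfile.Value(), "w", 0600)`.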
Fix built in condor 7.4.4-0.5
The permissions of the generated keyfile are now (at least) 600. Verified on RHEL5.5, i386/x86_64. condor-7.4.4-0.9
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Using the MRG Grid to spawn Amazon EC2 instances, when attempting to use the generated key pair which is pointed to by the 'AMAZON_KEYPAIR_FILE' variable, a 'bad permissions' error was returned. The ssh private key file that allowed logging into the EC2 instance was being written with global 'read' permissions. With this update, only the owner has 'read' permission.
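The behaviour described in this report, owner-only permissions on the generated key file, sketched as an added example that is not Condor's code. `write_private_key` and `key_mode_too_open` are hypothetical helpers, and the path and key text are constructed.

```cpp
// Added example, not Condor source. write_private_key() and
// key_mode_too_open() are hypothetical helper names.
#include <cerrno>
#include <cstdio>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Mode literals must be octal: decimal 600 is a different bit pattern
// (sticky, owner execute, group write and execute).
static_assert(600 == 01130, "decimal 600 is octal 01130, not 0600");

// Create or overwrite `path` with `pem`, readable and writable by owner only.
// Returns 0 on success, -1 on failure with errno set.
int write_private_key(const std::string &path, const std::string &pem) {
    // O_NOFOLLOW refuses a symlink planted at the final path component.
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    // The mode given to open() applies only on creation and is masked by the
    // umask; fchmod() also tightens a pre-existing 0644 file before any key
    // material is written into it.
    if (fchmod(fd, 0600) != 0 || ftruncate(fd, 0) != 0) { close(fd); return -1; }
    size_t off = 0;
    while (off < pem.size()) {
        ssize_t n = write(fd, pem.data() + off, pem.size() - off);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); return -1; }
        off += static_cast<size_t>(n);
    }
    return close(fd);
}

// True when any group or other permission bit is set (or the file cannot be
// examined); modelled on the "UNPROTECTED PRIVATE KEY FILE" warning above.
bool key_mode_too_open(const std::string &path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return true;
    return (st.st_mode & 077) != 0;
}

int main() {
    const std::string path = "/tmp/tunnelkeypair.example";  // constructed path
    if (write_private_key(path, "constructed placeholder, not a real key\n") != 0) {
        perror("write_private_key");
        return 1;
    }
    printf("%s too open: %s\n", path.c_str(), key_mode_too_open(path) ? "yes" : "no");
    return unlink(path.c_str());
}
```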
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2010-0773.html