Ssh key file permissions are set to 660 on every log in

Taylor_Gibson · August 16, 2022, 5:06pm

Hi all,

I’ve created an ssh keypair in my persistent user storage in the folder ~/.ssh/. This key was verified to work correctly and I was able to successfully make a commit and put on my github account, both from the command line and using the jupyterlab-git extension.

However, when I logged out of JupyterHub and came back the next day and attempting to make a pull from the same repo, the jupyterlab-git extension gave an error, notifying me that the keys were too permissive and it would not perform the indicated operation. After a little googling, I realized that the keys need to be set to 600 to ensure other users on the system do not have permission to access them. Nothing a little chmod couldn’t handle, and I was back in business in no time. However, later in the day I realized that these permissions revert back to 660 upon every log in.

Are there any best practices for how to ensure these key permissions persist at 600 across sessions? I was thinking I could do something like:

singleuser:
  lifecycleHooks:
    postStart:
      exec:
        command: ["chmod", "600", "~/.ssh/id_rsa"]
        command: ["chmod", "600", "~/.ssh/id_rsa.pub"]

in the config.yaml but I wasn’t sure if there was a better way to accomplish this task, or what would happen if another user didn’t have these keys created. Any thoughts?

I’m running JupyterHub 2.3.1 20220809132319 with this user image, which is based off of the dockerstacks jupyter/datascience image pulled on 8/9/2022.

Thanks!

manics · August 16, 2022, 5:22pm

Are you setting a fsGroup?

This is one possibility for why the permissions are reset to 660.

To figure out the underlying cause you might need to check the documentation for your K8s volume provisioner, and do some testing of pods and PVCs/PVs.

Taylor_Gibson · August 16, 2022, 6:13pm

I’m not setting an fsGroup. I’m still getting my feet underneath with regarding Kubernetes so I stuck to the Z2JH guide and haven’t explored too many other configurations quite yet. I’ll look into this link and see if I can make enough sense of it to determine if it can solve my issue. Thanks for the suggestion!

rick · October 31, 2022, 5:16pm

I’m seeing the same issue. Did anyone find a solution for this?

jschwab · September 18, 2023, 2:12pm

I’m having the same issue as well. Any news on this?

Taylor_Gibson · October 20, 2023, 5:23pm

I haven’t been able to figure this out for the entire system, but I did include chmod 600 ~/.ssh/github in the .profile file in my home directory. That will automatically set the correct permissions on my github key whenever I open the terminal. Not perfect, but works for a command line user.

Topic		Replies	Views
Permission denied on ssh keys JupyterHub	2	1243	February 22, 2022
On user pod startup: clone private GitHub repo JupyterHub how-to , help-wanted	1	525	September 26, 2023
Best practices for ssh credentials on cloud-based jupyterhubs Zero to JupyterHub on Kubernetes	2	4204	April 15, 2019
Best practice for authenticating/interacting with private github repos from Jupyter Hub on Kubernetes JupyterHub jupyterhub	3	782	August 22, 2023
Restrict Users to their notebook directory upon logging into JupyterHub JupyterHub	3	35	September 24, 2024

Ssh key file permissions are set to 660 on every log in

Related topics