Ssh key file permissions are set to 660 on every log in

Hi all,

I’ve created an ssh keypair in my persistent user storage in the folder ~/.ssh/. This key was verified to work correctly and I was able to successfully make a commit and put on my github account, both from the command line and using the jupyterlab-git extension.

However, when I logged out of JupyterHub and came back the next day and attempting to make a pull from the same repo, the jupyterlab-git extension gave an error, notifying me that the keys were too permissive and it would not perform the indicated operation. After a little googling, I realized that the keys need to be set to 600 to ensure other users on the system do not have permission to access them. Nothing a little chmod couldn’t handle, and I was back in business in no time. However, later in the day I realized that these permissions revert back to 660 upon every log in.

Are there any best practices for how to ensure these key permissions persist at 600 across sessions? I was thinking I could do something like:

singleuser:
  lifecycleHooks:
    postStart:
      exec:
        command: ["chmod", "600", "~/.ssh/id_rsa"]
        command: ["chmod", "600", "~/.ssh/id_rsa.pub"]

in the config.yaml but I wasn’t sure if there was a better way to accomplish this task, or what would happen if another user didn’t have these keys created. Any thoughts?

I’m running JupyterHub 2.3.1 20220809132319 with this user image, which is based off of the dockerstacks jupyter/datascience image pulled on 8/9/2022.

Thanks!

Are you setting a fsGroup?

This is one possibility for why the permissions are reset to 660.

To figure out the underlying cause you might need to check the documentation for your K8s volume provisioner, and do some testing of pods and PVCs/PVs.

I’m not setting an fsGroup. I’m still getting my feet underneath with regarding Kubernetes so I stuck to the Z2JH guide and haven’t explored too many other configurations quite yet. I’ll look into this link and see if I can make enough sense of it to determine if it can solve my issue. Thanks for the suggestion!