Unprotected private key file #6615

Open
lucas-labs opened this issue Nov 8, 2021 · 8 comments
@lucas-labs

Does this issue occur when all extensions are disabled?: Yes

  • VS Code Version: 1.61.2
  • OS Version: Windows 10

I'm seeing the following error when trying to open with VSCode

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions for 'c:\\tmp\\gitpod_01460b4a-fe2a-4d71-8fee-f0d065765c8a_id_rsa' ar
> e too open.
> It is required that your private key files are NOT accessible by others.        
> This private key will be ignored.
> Load key "c:\\tmp\\gitpod_01460b4a-fe2a-4d71-8fee-f0d065765c8a_id_rsa": bad perm
> issions
> [email protected]: Permission denied (publickey).

The problem is with the permissions of the file gitpod_01460b4a-fe2a-4d71-8fee-f0d065765c8a_id_rsa. As the error says, permissions are too open:

image
(sorry for the Spanish text in the screenshot)

Changing the permissions of the file so that only my user can access it works, but I have to do that every time a new RSA file is created, which is inconvenient.

Is there any other, more permanent, solution?

Thanks!!

@akosyakov
Member

Are you trying to access Gitpod workspace from VS Code Desktop?

@lucas-labs
Author

@akosyakov hi! Yes, exactly

@akosyakov akosyakov transferred this issue from gitpod-io/openvscode-server Nov 9, 2021
@Naveenaidu

Naveenaidu commented Nov 15, 2021

@lucas-labs Thank you for writing a detailed bug report :)

Unfortunately I haven't been able to reproduce the bug, so if it's okay with you I would like to ask a few more questions.

Some context as to why you are getting the error:

This error happens because the SSH keys are supposed to be in a path that is accessible only to the user. But if the private key is in the C:\ root path (in your case C:\tmp\..), then it is accessible by everyone, as a result of which OpenSSH complains :(

I did the following steps when attempting to reproduce the bug:

  1. Create a new GitHub repo, and start the gitpod workspace.
  2. From the Gitpod workspace, clicked on the Gitpod: Open in VS Code option
    Screenshot (2)_LI
  3. This redirected me to my local VSCode instance and it was able to establish a successful SSH tunnel.

Looking at the logs of the VSCode RemoteSSH extension, it looks like for me Gitpod automatically created the SSH key pair and wrote it to my TEMP directory C:\Users\91909\AppData\Local\Temp\.
Screenshot (3)_LI

Digging into the git commit history, it looks like due to this commit, Gitpod now automatically produces an SSH keypair per workspace and stores it in the TEMP directory of the operating system, contrary to what is mentioned in the introductory blog post for the Local Companion.

Excerpt from the blog:

It currently requires that you have a default SSH key setup in the ~/.ssh directory i.e. id_rsa.pub & id_rsa. The public key will be copied to the workspace to permit access.

Looks like the blog is slightly outdated. (Note to self: Update the docs?)

Sorry for the detour; getting back to it. The automatic generation of an SSH key pair per workspace is now handled via the generateSSHKeys() function. This can be seen in line 333 of the commit:

func generateSSHKeys(instanceID string) (privateKeyFN string, publicKey string, err error) {
	privateKeyFN = filepath.Join(os.TempDir(), fmt.Sprintf("gitpod_%s_id_rsa", instanceID))

As you can see above, we use os.TempDir() to create the path where the keys should be stored. The Go docs for os.TempDir() state that:

TempDir returns the default directory to use for temporary files.

And ideally the Temporary path for Windows is stored at:

C:\Users\<username>\AppData\Local\Temp

And this is where the Gitpod stores my ssh keys as well.

Questions

But oddly, the path from which Gitpod is trying to read the SSH keys in your case is C:\tmp\.., and I am not sure why this is happening in your case. If you don't mind, would it be possible for you to please share:

  1. gitpod_ssh_config_* file. (Eg: gitpod_ssh_config-9584-fPUntcOwnUsR)
  2. gitpod-local-companion-*.log file (Eg: gitpod-local-companion-9584-1GSinVwOHcRB-.log)
  3. The steps to reproduce your bug.

The above files should ideally be in the C:\Users\<username>\AppData\Local\Temp directory, but I am guessing in your case they might be present in C:\tmp\

This would really help me pinpoint what is going wrong and fix it ^^

P.S: Apologies for such a long message ^^'

@stale

stale bot commented Feb 16, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the meta: stale This issue/PR is stale and will be closed soon label Feb 16, 2022
@edapm

edapm commented Feb 24, 2022

@lucas-labs I appear to be having this issue as well
image

@stale stale bot removed the meta: stale This issue/PR is stale and will be closed soon label Feb 24, 2022
@loujaybee
Member

loujaybee commented Mar 31, 2022

Noting this issue will likely be resolved with new SSH access method: #8513

@david-bakin

david-bakin commented Apr 9, 2022

Just hit this today. Went to my repo https://github.com/david-bakin/bitcoin, hit the Chrome-extension "Gitpod!" button. Answered "yes" to the Chrome dialog asking if I wanted to open it in VSCode. VSCode installed the Gitpod remote extension, which then wanted me to authorize it in the browser, which I did. Then this error happened.

Looking at previous remarks here, I note that I have overridden the user and system env vars for TEMP and TMP and both point to C:\TEMP. (Because I like it that way and I've been doing it that way for years.)

🡆🡆UPDATE: On setting TEMP and TMP to point where they're supposed to, C:\Users\David\AppData\Local\Temp, everything now works properly: VSCode connects to the Gitpod container just fine.🡄🡄

c:\temp\gitpod_ssh_config-1848-5ifiYuzq61xB:

Host davidbakin-bitcoin-wz5rp7fz2le
HostName 127.0.0.1
User gitpod
Port 49997
IdentityFile C:\TEMP\gitpod_9bdeaba7-6c7d-481f-b2da-abeda168eac4_id_rsa
IdentitiesOnly yes

gitpod-local-companion-1848-Vva7IX62K0H4-.log:

time="2022-04-08T17:53:22-07:00" level=info msg="writing workspace ssh_config file" ssh_config="C:\\TEMP\\gitpod_ssh_config-1848-5ifiYuzq61xB"
time="2022-04-08T17:53:28-07:00" level=warning msg="Failed to to close listener" error="close tcp4 127.0.0.1:63110: use of closed network connection" port=63110
time="2022-04-08T17:53:28-07:00" level=info msg="tunnel: trying to connect ssh client..." workspace=davidbakin-bitcoin-wz5rp7fz2le
time="2022-04-08T17:53:28-07:00" level=info msg="supervisor: listening on 127.0.0.1:49993..." workspace=davidbakin-bitcoin-wz5rp7fz2le
time="2022-04-08T17:53:29-07:00" level=info msg="tunnel: ssh client connected" id=e16a0f5c-bb09-4be1-b88c-0ac4762b2154 workspace=davidbakin-bitcoin-wz5rp7fz2le
time="2022-04-08T17:53:39-07:00" level=info msg="ssh: listening on 127.0.0.1:49997..." workspace=davidbakin-bitcoin-wz5rp7fz2le
time="2022-04-08T17:53:39-07:00" level=info msg="Instance update" workspace="&{9bdeaba7-6c7d-481f-b2da-abeda168eac4 davidbakin-bitcoin-wz5rp7fz2le running sF0ZqMeByZXmcFvwJL.0yVjTtfdlfEeJ https://davidbakin-bitcoin-wz5rp7fz2le.ws-us38.gitpod.io 0xc00042c200 0xc000422700 {{0 0} 0 0 0 0} map[] true <nil> 0xc0002883c0 C:\\TEMP\\gitpod_9bdeaba7-6c7d-481f-b2da-abeda168eac4_id_rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgpFC9h7LMquWSc1zwFDTcLUipVeQdMpCF8hmE7dGMtu+cP5IltTQQqDKpIuLOW+B97rFeVQ8ktkRUD2KP+5IXBmZodVAf14lstONpoAeKNXVP/RqqdlgDRwoJg+khS5saIRS8ThJVin6vkxNkYEFEgGD4LBfXN0jLhBik1BpV6LHlaLvlG3Xq90uhHD4WyvCKjRPaHR7gC8F65bpu7LA/sJUf3MOhgPkXVmHY+/zhrvhVXzH0fKTRFKWhNP2sV99w3pDGuE6edphMMftOLdPWOPaKaVeLwqeNzZ/ZnRhZyJaODuy/78cnq253+0Y1ZMScpU/WEjt0lUeKM1u5mZld\n 0xc00042c140 0x44ec00 0xc000442000 true}"
time="2022-04-08T17:53:39-07:00" level=info msg="Instance update" workspace="&{9bdeaba7-6c7d-481f-b2da-abeda168eac4 davidbakin-bitcoin-wz5rp7fz2le running  https://davidbakin-bitcoin-wz5rp7fz2le.ws-us38.gitpod.io 0xc00042c200 0xc000422700 {{0 0} 0 0 0 0} map[] true <nil> 0xc0002883c0 C:\\TEMP\\gitpod_9bdeaba7-6c7d-481f-b2da-abeda168eac4_id_rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgpFC9h7LMquWSc1zwFDTcLUipVeQdMpCF8hmE7dGMtu+cP5IltTQQqDKpIuLOW+B97rFeVQ8ktkRUD2KP+5IXBmZodVAf14lstONpoAeKNXVP/RqqdlgDRwoJg+khS5saIRS8ThJVin6vkxNkYEFEgGD4LBfXN0jLhBik1BpV6LHlaLvlG3Xq90uhHD4WyvCKjRPaHR7gC8F65bpu7LA/sJUf3MOhgPkXVmHY+/zhrvhVXzH0fKTRFKWhNP2sV99w3pDGuE6edphMMftOLdPWOPaKaVeLwqeNzZ/ZnRhZyJaODuy/78cnq253+0Y1ZMScpU/WEjt0lUeKM1u5mZld\n 0xc00042c140 0x44ec00 0xc000442000 true}"
time="2022-04-08T17:53:39-07:00" level=info msg="Instance update" workspace="&{9bdeaba7-6c7d-481f-b2da-abeda168eac4 davidbakin-bitcoin-wz5rp7fz2le running sF0ZqMeByZXmcFvwJL.0yVjTtfdlfEeJ https://davidbakin-bitcoin-wz5rp7fz2le.ws-us38.gitpod.io 0xc00042c200 0xc000422700 {{0 0} 0 0 0 0} map[] true <nil> 0xc0002883c0 C:\\TEMP\\gitpod_9bdeaba7-6c7d-481f-b2da-abeda168eac4_id_rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgpFC9h7LMquWSc1zwFDTcLUipVeQdMpCF8hmE7dGMtu+cP5IltTQQqDKpIuLOW+B97rFeVQ8ktkRUD2KP+5IXBmZodVAf14lstONpoAeKNXVP/RqqdlgDRwoJg+khS5saIRS8ThJVin6vkxNkYEFEgGD4LBfXN0jLhBik1BpV6LHlaLvlG3Xq90uhHD4WyvCKjRPaHR7gC8F65bpu7LA/sJUf3MOhgPkXVmHY+/zhrvhVXzH0fKTRFKWhNP2sV99w3pDGuE6edphMMftOLdPWOPaKaVeLwqeNzZ/ZnRhZyJaODuy/78cnq253+0Y1ZMScpU/WEjt0lUeKM1u5mZld\n 0xc00042c140 0x44ec00 0xc000442000 true}"

VSCode output window:

[17:55:07.559] Log Level: 2
[17:55:07.560] [email protected]
[17:55:07.560] win32 x64
[17:55:07.584] SSH Resolver called for "ssh-remote+davidbakin-bitcoin-wz5rp7fz2le", attempt 1
[17:55:07.585] "remote.SSH.useLocalServer": false
[17:55:07.586] "remote.SSH.showLoginTerminal": false
[17:55:07.586] "remote.SSH.remotePlatform": {}
[17:55:07.586] "remote.SSH.path": undefined
[17:55:07.587] "remote.SSH.configFile": C:\TEMP\gitpod_ssh_config-1848-5ifiYuzq61xB
[17:55:07.587] "remote.SSH.useFlock": true
[17:55:07.587] "remote.SSH.lockfilesInTmp": false
[17:55:07.588] "remote.SSH.localServerDownload": auto
[17:55:07.588] "remote.SSH.remoteServerListenOnSocket": false
[17:55:07.588] "remote.SSH.showLoginTerminal": false
[17:55:07.588] "remote.SSH.defaultExtensions": ["gitpod.gitpod-remote-ssh"]
[17:55:07.589] "remote.SSH.loglevel": 2
[17:55:07.589] "remote.SSH.enableDynamicForwarding": true
[17:55:07.589] "remote.SSH.enableRemoteCommand": false
[17:55:07.590] "remote.SSH.serverPickPortsFromRange": {}
[17:55:07.590] "remote.SSH.serverInstallPath": {}
[17:55:07.596] SSH Resolver called for host: davidbakin-bitcoin-wz5rp7fz2le
[17:55:07.596] Setting up SSH remote "davidbakin-bitcoin-wz5rp7fz2le"
[17:55:07.602] Using commit id "8dfae7a5cd50421d10cd99cb873990460525a898" and quality "stable" for server
[17:55:07.607] Install and start server if needed
[17:55:09.233] Checking ssh with "ssh -V"
[17:55:09.300] > OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

[17:55:09.306] Using SSH config file "C:\TEMP\gitpod_ssh_config-1848-5ifiYuzq61xB"
[17:55:09.307] Running script with connection command: ssh -T -D 50093 -F "C:\TEMP\gitpod_ssh_config-1848-5ifiYuzq61xB" "davidbakin-bitcoin-wz5rp7fz2le" bash
[17:55:09.311] Terminal shell path: C:\WINDOWS\System32\cmd.exe
[17:55:09.607] > �]0;C:\WINDOWS\System32\cmd.exe�
[17:55:09.607] Got some output, clearing connection timeout
[17:55:09.762] > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[17:55:09.773] > @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions for 'C:\\TEMP\\gitpod_9bdeaba7-6c7d-481f-b2da-abeda168eac4_id_rsa' are too open.
> It is required that your private key files are NOT accessible by others.
> This private key will be ignored.
> Load key "C:\\TEMP\\gitpod_9bdeaba7-6c7d-481f-b2da-abeda168eac4_id_rsa": bad permissions
> [email protected]: Permission denied (publickey).
> The process tried to write to a nonexistent pipe.
[17:55:11.045] "install" terminal command done
[17:55:11.045] Install terminal quit with output: [email protected]: Permission denied (publickey).
[17:55:11.045] Received install output: [email protected]: Permission denied (publickey).
[17:55:11.050] Resolver error: Error: Permission denied (publickey).
	at Function.Create (C:\Users\David\scoop\persist\vscode\data\extensions\ms-vscode-remote.remote-ssh-0.78.0\out\extension.js:1:586041)
	at C:\Users\David\scoop\persist\vscode\data\extensions\ms-vscode-remote.remote-ssh-0.78.0\out\extension.js:1:584092
	at Object.t.handleInstallOutput (C:\Users\David\scoop\persist\vscode\data\extensions\ms-vscode-remote.remote-ssh-0.78.0\out\extension.js:1:584615)
	at Object.t.tryInstall (C:\Users\David\scoop\persist\vscode\data\extensions\ms-vscode-remote.remote-ssh-0.78.0\out\extension.js:1:681924)
	at processTicksAndRejections (node:internal/process/task_queues:96:5)
	at async C:\Users\David\scoop\persist\vscode\data\extensions\ms-vscode-remote.remote-ssh-0.78.0\out\extension.js:1:644564
	at async Object.t.withShowDetailsEvent (C:\Users\David\scoop\persist\vscode\data\extensions\ms-vscode-remote.remote-ssh-0.78.0\out\extension.js:1:647909)
	at async Object.t.resolve (C:\Users\David\scoop\persist\vscode\data\extensions\ms-vscode-remote.remote-ssh-0.78.0\out\extension.js:1:645643)
	at async C:\Users\David\scoop\persist\vscode\data\extensions\ms-vscode-remote.remote-ssh-0.78.0\out\extension.js:1:722950
[17:55:11.057] ------
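
Added example, not Gitpod's code and not written by anyone in this thread: the key path discussed above is built from os.TempDir(), which on Windows follows the TMP/TEMP environment variables, so an override such as C:\TEMP places the private key in a directory that is not restricted to the user. The sketch below writes the key under a per-user base directory with owner-only modes and applies the same mode rule OpenSSH uses on Unix-like systems; `keyDir`, `writePrivateKey`, `tooOpen` and the `.gitpod-ssh` directory name are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// keyDir returns an owner-only directory under base (normally the result of
// os.UserHomeDir()) rather than os.TempDir(), which follows TMP/TEMP on Windows.
func keyDir(base string) (string, error) {
	dir := filepath.Join(base, ".gitpod-ssh") // hypothetical directory name
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	// MkdirAll leaves the mode of an already existing directory untouched.
	return dir, os.Chmod(dir, 0o700)
}

// writePrivateKey creates the key with mode 0600; O_EXCL refuses a pre-existing file.
func writePrivateKey(dir, instanceID string, pem []byte) (string, error) {
	fn := filepath.Join(dir, fmt.Sprintf("gitpod_%s_id_rsa", instanceID))
	f, err := os.OpenFile(fn, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	_, err = f.Write(pem)
	return fn, err
}

// tooOpen applies the Unix rule OpenSSH uses: any group/other bit is rejected.
// On Windows OpenSSH inspects the ACL, which os.FileMode does not expose.
func tooOpen(path string) (bool, error) {
	st, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return st.Mode().Perm()&0o077 != 0, nil
}

func main() {
	base, _ := os.MkdirTemp("", "demo") // scratch stand-in for the home directory
	defer os.RemoveAll(base)
	dir, _ := keyDir(base)
	fn, err := writePrivateKey(dir, "constructed-id", []byte("constructed, not a key\n"))
	open, _ := tooOpen(fn)
	fmt.Println(fn, "too open:", open, "err:", err)
}
```

On Windows, Go's mode bits only control the read-only attribute, so the protection there comes from the ACL the file inherits from its parent directory, which is why the base directory matters more than the mode argument.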

@stale

stale bot commented Jul 10, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the meta: stale This issue/PR is stale and will be closed soon label Jul 10, 2022
@akosyakov akosyakov added the meta: never-stale This issue can never become stale label Jul 22, 2022
@stale stale bot removed the meta: stale This issue/PR is stale and will be closed soon label Jul 22, 2022