Skip to content

Set SSH private key file permissions to 0600 #1769

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rabi wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Set SSH private key file permissions to 0600 #1769

rabi wants to merge 1 commit into from
+51 −48

Conversation

@rabi
Copy link
Contributor

@rabi rabi commented Jan 21, 2026
edited
Loading

OpenSSH requires private keys to have mode 0600 when the file owner matches the process UID. With restricted-v2 SCC (default), the process runs as a random UID different from the file owner, so OpenSSH skips the check. But when using NFS mounts for development (hostmount-anyuid SCC), ansible-ee containers run as root which matches the key file
owner, triggering the strict permission check.

Set defaultMode to 384 (0600) for SSH key volumes to ensure OpenSSH accepts the key.

@openshift-ci openshift-ci bot requested review from dprince and rebtoor January 21, 2026 03:36
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 21, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rabi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rabi
Set SSH private key file permissions to 0600
5b079b3 
OpenSSH requires private keys to have mode 0600 when the file owner
matches the process UID. With restricted-v2 SCC (default), the process
runs as a random UID different from the file owner, so OpenSSH skips
the check. But when using NFS mounts for development (hostmount-anyuid
SCC), ansible-ee containers run as root which matches the key file
owner, triggering the strict permission check.

Set defaultMode to 384 (0600) for SSH key volumes to ensure OpenSSH
accepts the key.

Signed-off-by: rabi <[email protected]>
@rabi
Copy link
Contributor Author

rabi commented Jan 21, 2026

/test functional

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dprince dprince Awaiting requested review from dprince

@rebtoor rebtoor Awaiting requested review from rebtoor

Assignees

No one assigned

Labels

approved

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rabi