Unfortunately, 0750 is considered a too-open set of permissions (at least under
Ubuntu 9.04).
Here's what the SSH man page explains:
[...] ~/.ssh/identity ~/.ssh/id_dsa ~/.ssh/id_rsa
Contains the private key for authentication. These files contain sensitive data
and should be readable by the user but not accessible by others
(read/write/execute). ssh will simply ignore a private key file if it is
accessible by others. [...]
Here's a job output after upgrading Hudson to 1.323 (and former ones):
[...] A SCM change trigger started this job
cvs -q -z3 update -PdC -D "Monday, September 7, 2009 11:01:09 AM UTC"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0750 for '/var/lib/hudson/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /var/lib/hudson/.ssh/id_rsa
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-with-mic,password).
cvs [update aborted]: end of file from server (consult above messages if any)
FATAL: CVS failed. exit code=1
Sending e-mails to: john@doe.com
Finished: FAILURE
Could you please use 0700 instead of 0750?
Regards,
Regis
Code changed in hudson
User: kohsuke
Path:
trunk/www/changelog.html
http://fisheye4.cenqua.com/changelog/hudson/?cs=19872
Log:
[FIXED JENKINS-4047] Fixed the permission to 750. I believe go-w is all ssh needs for ancestor directories.
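
The two rules in this thread can be checked side by side: private key files must have no group/other bits (mask 077), while the commit message's "go-w" applies to directories (mask 022). The script below is an added example, not Hudson's code. The function names are hypothetical, the masks are an assumption based on the ssh output and commit message above, and file ownership is not checked.

```python
import os
import stat

KEY_MASK = 0o077  # private key: any group/other bit makes ssh ignore the key
DIR_MASK = 0o022  # directory: only group/other write ("go-w") is a problem
KEY_NAMES = ("identity", "id_dsa", "id_rsa")  # names from the man page excerpt


def audit_ssh_dir(ssh_dir, key_names=KEY_NAMES):
    """Return (path, mode, problem) tuples for modes ssh would reject."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & DIR_MASK:
        findings.append((ssh_dir, dir_mode, "directory writable by group/other"))
    for name in key_names:
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue  # key type not present, nothing to check
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & KEY_MASK:
            findings.append((path, mode, "private key accessible by group/other"))
    return findings


def fix_ssh_dir(ssh_dir, key_names=KEY_NAMES):
    """Clear only the offending bits (0750 -> 0700 on a key); re-audit."""
    for path, mode, _ in audit_ssh_dir(ssh_dir, key_names):
        mask = DIR_MASK if path == ssh_dir else KEY_MASK
        os.chmod(path, mode & ~mask)
    return audit_ssh_dir(ssh_dir, key_names)


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a throwaway directory standing in for ~/.ssh
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "id_rsa")
        with open(key, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(tmp, 0o750)  # passes the directory rule: no go+w
        os.chmod(key, 0o750)  # fails the key rule, as in the job output
        for path, mode, problem in audit_ssh_dir(tmp):
            print(f"{path}: {mode:04o} {problem}")
        print("remaining after fix:", fix_ssh_dir(tmp))
```
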