Safe login on OS X: using an SSH key from a USB key/thumbdrive

I like computer security to be EASY and SECURE.

I hate passwords, and I use them rarely if at all. Instead, I use digital keys as much as possible (i.e. something based on a physical key stored on a removable USB drive that I take with me wherever I go). Like using a physical key, it’s much easier.

Sadly, OS X has a version of SSH that tries to be “too clever” while actually being “annoyingly unhelpful”. If you attempt to use a key from a removable drive, you get this error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for ‘login-key-for-tmachine.ssh’ are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: (key-name)
Permission denied (publickey).

(emphasis mine).

While it’s delightfully verbose, and tells you exactly what’s happened, it’s also a bit misleading. It says “WARNING” when it actually means “ERROR”, since the ssh system at this point deliberately stops itself. But, more importantly, it’s an error that you cannot evade under OS X. With OS X, all removable media has “Permissions 0777”.

Fortunately, there’s a workaround. Using this good but not-quite-detailed-enough article, I got most of the way there.

I had two problems, things that article omits.

Firstly, you are no longer “allowed” to edit /etc/fstab on OS X. Don’t try it. Instead, there’s a new command-line editor called “vifs” (hmm. vi-for-fstab, perhaps? :)) which works fine.

Secondly, the USB Drive I’m using has a space in the Label name. /etc/fstab uses spaces as a reserved character (I knew this), but … what do you write instead? (I didn’t know this).

I tried (and failed with):

  1. “My Drive”
  2. My\ Drive
  3. My Drive

…and with some creative googling, eventually found an example fstab with spaces in a label name. Aha!

  1. My\040Drive

i.e. replace spaces with “\040” (I’m guessing because it’s so low-level they’ve decided to “assume” unicode in all escape sequences)

…and now it all works as intended. Yay.

4 thoughts on “Safe login on OS X: using an SSH key from a USB key/thumbdrive”

Comments are closed.