I'm trying to move from using Powershell to Bash on Windows (Windows Subsystem for Linux or WSL). For the purpose of using GIT, I've set up my SSH keys in C:/Users/User/.ssh. I then logged into Bash, and created a symlink ln -s /mnt/c/Users/User/.ssh/ ~/.ssh/ in order to (in theory) use the same ssh keys from both shells.
When running git, however, I always get an error: Bad owner or permissions on /home/user/.ssh/config. What am I doing wrong?
To build on @ChadT's helpful answer, here's what worked for me.
Open your distro, and create or modify the /etc/wsl.conf file to include the automount options below:
$ cat /etc/wsl.conf
[automount]
options = "metadata,umask=022,fmask=111"
These options ensure that files in the mounted system are given proper user and group ownership, and that they have sensible default permissions (as opposed to everything getting 777).
Close the distro, wait about 8 seconds for the background subsystem to stop running, and reopen the distro.
Navigate to your mounted C: drive at /mnt/c/Users/<user>, and set the proper permissions on the .ssh directory and key files, as required by SSH:
$ cd /mnt/c/Users/<user>
$ chmod 700 .ssh
$ chmod 600 .ssh/id_rsa
$ chmod 644 .ssh/id_rsa.pub
Finally, navigate to your distro's home drive, backup or remove any existing .ssh directory, and create a symlink back to your C: drive's .ssh directory:
$ cd ~
$ mv .ssh .ssh_orig
$ ln -s /mnt/c/Users/plw1845/.ssh/ .ssh
You should now be able to fully share your Windows SSH config, hosts, and keys with your WSL distro, while maintaining them in a single place.
Here's a solution which mounts the .ssh directory directly and doesn't require changing /etc/wsl.conf to enable the metadata option (which can be a bit heavyweight, in my opinion).
By default, most/all Linux distros read and process the fstab file on startup, to automatically mount filesystems. WSL 2 does so as well. And since Windows drives and folders can be mounted directly in WSL using DrvFs, we can combine them to automatically sync the .ssh directory between OSes.
Open your Linux distro and edit the /etc/fstab file as root (e.g. with sudo nano /etc/fstab). Add the following line at the end:
C:\Users\<your Windows username>\.ssh\ /home/<your Linux username>/.ssh drvfs rw,noatime,uid=1000,gid=1000,case=off,umask=0077,fmask=0177 0 0
where you've replaced <your Windows username> and <your Linux username> appropriately. The other mount flags will ensure the permissions on the .ssh directory are correct. Then restart your WSL distro and voilĂ , all your SSH keys and config will be automagically available in Linux. Any changes will be synchronized.
Based on solution from Gabriel Majeri, perform the following script in your WSL distro:
# Create .ssh directory in home directory with proper permission
mkdir -m 700 ~/.ssh
Get Windows user name
WINUSER=cmd.exe /c 'echo %USERNAME%' | tr -d '\r'
Add a permanent mount entry for Windows user .ssh directory
cat << EOF | sudo tee -a /etc/fstab
C:\Users\$WINUSER.ssh\ /home/$USER/.ssh drvfs rw,noatime,uid=id -u,gid=id -g,case=off,umask=0077,fmask=0177 0 0
EOF
Mount the .ssh
sudo mount /home/$USER/.ssh
You need to mount your windows filesystem using the DrvFS file system with the metadata option which allows Linux permissions to coexist with Windows files by storing them in file metadata.
sudo umount /mnt/c
sudo mount -t drvfs C: /mnt/c -o metadata
This will allow you to use your SSH Keys across both Operating Systems.
Further reading: https://blogs.msdn.microsoft.com/commandline/2018/01/12/chmod-chown-wsl-improvements/
And yet more reading on how to configure WSL to apply this setting everytime it starts:
https://blogs.msdn.microsoft.com/commandline/2018/02/07/automatically-configuring-wsl/
What am I doing wrong?
SSH requires sane permissions on the private keys and you are not able to achieve that while symlinking to different filesystem (windows). The manual page for ssh explains that quite clearly:
~/.ssh/id_rsaContains the private key for authentication. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). ssh will simply ignore a private key file if it is accessible by others.
You can most probably copy the private keys and set appropriate permissions, if you want to "share the keys".
You can copy your Windows .ssh folder into WSL. Mount the C:/ drive to WSL, then put the following in your ~/.bashrc
# Copy .ssh folder from G:\ to WSL and set correct access.
# The access is important, because extra access on config file
# will prevent it from working.
rm -rf ~/.ssh_new
cp -r /mnt/g/.ssh ~/.ssh_new \
&& chmod 400 ~/.ssh_new/*.ppk \
&& chmod 600 ~/.ssh_new/config \
&& chmod 644 ~/.ssh_new/known_hosts \
&& chmod 644 ~/.ssh_new/*.pub \
&& chmod 700 ~/.ssh_new/ \
&& HOME=$(pwd) \
&& wsl.exe -u root /bin/sh -c "rm -rf $HOME/.ssh" \
&& mv ~/.ssh_new ~/.ssh
This assumes that your public keys end in .pub and your private keys end in .ppk. You can modify the command according to your needs.
Running the above from your .bashrc will work when opening an instance of WSL, but it will fail when opening a WSL-connected terminal via Visual Studio Code. I think VSCode has a protection that prevents privilege escalation via wsl.exe -u root.
An alternative is to use a script and run it manually when you need to update the .ssh folder.
#!/bin/bash
USER_HOME=$(getent passwd $SUDO_USER | cut -d: -f6)
Copy .ssh folder from G:\ to WSL and set correct access.
The access is important, because extra access on config file
will prevent it from working.
cd $USER_HOME
rm -rf ./.ssh_new
cp -r /mnt/g/.ssh ./.ssh_new
&& chown -R $SUDO_USER:$SUDO_USER ./.ssh_new
&& chmod 400 ./.ssh_new/.ppk
&& chmod 600 ./.ssh_new/config
&& chmod 644 ./.ssh_new/known_hosts
&& chmod 644 ./.ssh_new/.pub
&& chmod 755 ./.ssh_new/
&& rm -rf ./.ssh
&& mv ./.ssh_new ./.ssh
