The ops unwrap command produces unreadable files because it unsets all filemode bits.
❯ ziti ops unwrap ./kenadmin-cert.json
❯ ls -lh kenadmin-cert*
-rw-rw-r-- 1 kbingham kbingham 9.6K May 15 15:11 kenadmin-cert.json
---------- 1 kbingham kbingham 3.2K May 15 15:12 kenadmin-cert.key
---------- 1 kbingham kbingham 2.0K May 15 15:12 kenadmin-cert.cert
---------- 1 kbingham kbingham 4.1K May 15 15:12 kenadmin-cert.ca
The workaround is to set u=rw on these files. The ziti edge enroll command doesn't unset any filemode bits, obeying the umask, so it's a good idea to unset go-rwx on that enrolled identity JSON file too.
❯ chmod -c 0600 kenadmin-cert*
mode of 'kenadmin-cert.ca' changed from 0500 (r-x------) to 0600 (rw-------)
mode of 'kenadmin-cert.cert' changed from 0500 (r-x------) to 0600 (rw-------)
mode of 'kenadmin-cert.json' changed from 0664 (rw-rw-r--) to 0600 (rw-------)
mode of 'kenadmin-cert.key' changed from 0500 (r-x------) to 0600 (rw-------)
This unwrap command might still be useful, but it would be ideal if we could log in with a standard Ziti identity file without first unwrapping it: #1730
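The issue describes two permission states for identity material: files written with no mode bits at all, and files whose mode is left to the umask. The following Go sketch is an added example, not code from the issue or from the OpenZiti project. It shows one way to write key material at 0600 regardless of umask or of an existing file's mode, plus a check that tells the two states apart. The function names, file name and sample contents are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeOwnerOnly replaces path with data at mode 0600 via temp file and rename.
func writeOwnerOnly(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".tmp-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has happened
	err = tmp.Chmod(0o600)      // set explicitly instead of relying on the umask
	if err == nil {
		_, err = tmp.Write(data)
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// auditMode reports which of the two conditions from the issue a file is in.
func auditMode(path string) (string, error) {
	info, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	switch perm := info.Mode().Perm(); {
	case perm&0o400 == 0:
		return "unreadable", nil // owner cannot read, e.g. mode 0000
	case perm&0o077 != 0:
		return "overexposed", nil // group or other bits set on key material
	}
	return "ok", nil
}

func main() {
	p := filepath.Join(os.TempDir(), "example-identity.key") // constructed path
	_ = os.WriteFile(p, []byte("constructed sample"), 0)     // no mode bits set
	err := writeOwnerOnly(p, []byte("constructed sample"))
	state, _ := auditMode(p)
	fmt.Println(state, err)
}
```

Writing to a temporary file and renaming it avoids having to open an existing target that has no owner write bit.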