-
Notifications
You must be signed in to change notification settings - Fork 174
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change Host Private Key Permissions to 600 #6842
base: master
Are you sure you want to change the base?
Conversation
Moving this PR to the next release until we can better understand which versions of OpenSSH require private keys with 0640 vs 0600 permissions. |
From /etc/ssh/ssh_host_ecdsa_key Looks like similar language is in the manual going back to version BSD version 3.0 which I think corresponds to OpenSSH Version ~2. I haven't been able to find when exactly they introduced the error behavior, however. It looks like group permissions were just strongly encouraged up until relatively recently or it's a whacky RedHat patch. |
Some more interesting information: https://bugzilla.redhat.com/show_bug.cgi?id=1801459 Sounds like 0640 will be acceptable if the group is ssh-keys. I don't have a way to verify this behavior at present. Does someone have a RHEL 7 image they can experiment with? Otherwise, I can try to do it in the next week or two? |
@nealep The current behavior was due to this issue: #2617 Given that different versions of OpenSSH require different ownership and permissions, a more reliable approach might be to generate a temporary host private key on the compute node to determine the group and permissions that are expected by the installed version of OpenSSH, then copy the correct keys over and set the ownership and permissions to match those of the temporary key. This is the approach I would like to explore next, when time permits. |
An xCAT management node has two sets of host keys, one under /etc/ssh and the other /etc/xcat/hostkeys. The SECOND set of host keys is distributed to /etc/ssh of each compute node by /install/postscripts/remoteshell. In March 2017, PR 2724 fix issue Wrong permissions for ssh host private keys on CentOS 7 #2617 modified the permission of the host keys from 600 to 640 and replaced their group ownership from root to ssh_keys on compute nodes where Group ssh_keys is defined. Only CentOS and RHEL have ssh_keys defined. Since the releases CentOS 7.0 and RHEL 7.0 in 2014, the host keys have been set to have Permission 640 and Group ssh_keys by sshd-keygen. sshd-keygen is a script only available on CentOS and RHEL and packaged in openssh-server. It calls ssh-keygen to create keys and then sets the above permission and group ownership. Here is /usr/libexec/openssh/sshd-keygen of RHEL 8.2, with openssh-server-8.0p1-4.el8_1.ppc64le.
The information given by nealep on sshd for OpenSSH Version 8.4 is likely for ssh-keygen. sshd-keygen of CentOS and RHEL makes use of ssh-keygen with added requirements as described above. We know xCAT distributes a common set of host keys to all compute nodes; CentOS and RHEL require Permission 640 and Group ssh_keys for them; the fixes in PR 2724 was to comply with those requirements. We still need this compliance today. |
|
This PR is duplicated with #6833
@nealep is processing the CCLA. In the meantime, I am making a duplicate PR to check in his fixes.