rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity
6f7c765ed4
openssh/ssh-host-keys-migration.sh

37 lines
1.7 KiB
Bash
Raw Normal View History

Use a service unit to strip ssh_keys group from host keys (rhbz#2172956) Use a systemd service unit to strip the ssh_keys group and change the mode for host keys. This ensure that this migration is done right before the openssh server startup on all kind of systems, either RPM or rpm-ostree based. Use a marker file to only do this once. We need to keep this service unit for two Fedora releases so we will be able to remove it in Fedora 40. See: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit Fixes: 7a21555 Get rid of ssh_keys group for new installations Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2172956 Co-authored-by: Timothée Ravier <tim@siosm.fr>
2023-01-30 15:01:17 +00:00
#!/usr/bin/bash
set -eu -o pipefail
# Detect existing non-conforming host keys and perform the permissions migration
# https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
#
# Example output looks like:
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
# It is required that your private key files are NOT accessible by others.
# This private key will be ignored.
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
# It is required that your private key files are NOT accessible by others.
# This private key will be ignored.
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
# It is required that your private key files are NOT accessible by others.
# This private key will be ignored.
# sshd: no hostkeys available -- exiting.
#
output="$(sshd -T 2>&1 || true)" # expected to fail
Make ssh-host key migration less conditional If there is a case where some host keys don't have correct permissions then they won't get migrated. Let's make the migration script attempt migration for the rest of the keys too.
2023-03-06 03:51:10 +00:00
while read line; do
if [[ $line =~ ^Permissions\ [0-9]+\ for\ \'(.*)\'\ are\ too\ open. ]]; then
keyfile=${BASH_REMATCH[1]}
echo $line
echo -e "\t-> changing permissions on $keyfile"
chmod --verbose g-r $keyfile
chown --verbose root:root $keyfile
fi
done <<< "$output"
Reference in New Issue Copy Permalink