Use a service unit to strip ssh_keys group from host keys (rhbz#2172956)

Use a systemd service unit to strip the ssh_keys group and change the
mode for host keys. This ensure that this migration is done right before
the openssh server startup on all kind of systems, either RPM or
rpm-ostree based.

Use a marker file to only do this once. We need to keep this service
unit for two Fedora releases so we will be able to remove it in Fedora
40.

See: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
Fixes: 7a21555 Get rid of ssh_keys group for new installations
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2172956

Co-authored-by: Timothée Ravier <tim@siosm.fr>
This commit is contained in:
Dusty Mabe 2023-01-30 16:01:17 +01:00
parent 937ee4760a
commit 08d842d5e8
No known key found for this signature in database
GPG Key ID: 3302DBD73952E671
3 changed files with 74 additions and 6 deletions

View File

@ -47,7 +47,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 9.0p1 %global openssh_ver 9.0p1
%global openssh_rel 10 %global openssh_rel 11
%global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 7 %global pam_ssh_agent_rel 7
@ -74,6 +74,8 @@ Source15: sshd-keygen.target
Source16: ssh-agent.service Source16: ssh-agent.service
Source17: ssh-agent.socket Source17: ssh-agent.socket
Source19: openssh-server-systemd-sysusers.conf Source19: openssh-server-systemd-sysusers.conf
Source20: ssh-host-keys-migration.sh
Source21: ssh-host-keys-migration.service
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
Patch100: openssh-6.7p1-coverity.patch Patch100: openssh-6.7p1-coverity.patch
@ -582,6 +584,10 @@ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/openssh-server.conf install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/openssh-server.conf
# Migration service/script for Fedora 38 change to remove group ownership for standard host keys
# See https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
install -m744 %{SOURCE20} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/ssh-host-keys-migration.sh
install -m644 %{SOURCE21} $RPM_BUILD_ROOT/%{_unitdir}/ssh-host-keys-migration.service # enabled in 90-default.preset
%if ! %{no_gnome_askpass} %if ! %{no_gnome_askpass}
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
@ -608,13 +614,16 @@ popd
%pre server %pre server
%sysusers_create_compat %{SOURCE19} %sysusers_create_compat %{SOURCE19}
# Migration scriptlet for Fedora 38/39
# We want to remove group ownership for standard host keys if they exist
test -f /etc/ssh/ssh_host_rsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_rsa_key || :
test -f /etc/ssh/ssh_host_ecdsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ecdsa_key || :
test -f /etc/ssh/ssh_host_ed25519_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ed25519_key || :
%post server %post server
if [ $1 -gt 1 ]; then
# In the case of an upgrade (never true on OSTree systems) run the migration
# script for Fedora 38 to remove group ownership for host keys.
%{_libexecdir}/openssh/ssh-host-keys-migration.sh
# Prevent the systemd unit that performs the same service (useful for
# OSTree systems) from running.
touch /var/lib/.ssh-host-keys-migration
fi
%systemd_post sshd.service sshd.socket %systemd_post sshd.service sshd.socket
# Migration scriptlet for Fedora 31 and 32 installations to sshd_config # Migration scriptlet for Fedora 31 and 32 installations to sshd_config
# drop-in directory (in F32+). # drop-in directory (in F32+).
@ -699,6 +708,8 @@ test -f %{sysconfig_anaconda} && \
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf %attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
%attr(0644,root,root) %{_unitdir}/ssh-host-keys-migration.service
%attr(0744,root,root) %{_libexecdir}/openssh/ssh-host-keys-migration.sh
%files keycat %files keycat
%doc HOWTO.ssh-keycat %doc HOWTO.ssh-keycat
@ -720,6 +731,10 @@ test -f %{sysconfig_anaconda} && \
%endif %endif
%changelog %changelog
* Wed Mar 01 2023 Dusty Mabe <dusty@dustymabe.com> - 9.0p1-11
- Provide a systemd unit for restoring default host key permissions (rhbz#2172956)
- Co-Authored by Timothée Ravier <tim@siosm.fr>
* Mon Jan 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-10 * Mon Jan 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-10
- Restore upstream behaviour and default host key permissions (rhbz#2141272) - Restore upstream behaviour and default host key permissions (rhbz#2141272)

View File

@ -0,0 +1,15 @@
[Unit]
Description=Update OpenSSH host key permissions
Documentation=https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
Before=sshd.service
After=ssh-keygen.target
ConditionPathExists=!/var/lib/.ssh-host-keys-migration
[Service]
Type=oneshot
ExecStart=-/usr/libexec/openssh/ssh-host-keys-migration.sh
ExecStart=touch /var/lib/.ssh-host-keys-migration
RemainAfterExit=yes
[Install]
WantedBy=sshd.service

View File

@ -0,0 +1,38 @@
#!/usr/bin/bash
set -eu -o pipefail
# Detect existing non-conforming host keys and perform the permissions migration
# https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
#
# Example output looks like:
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
# It is required that your private key files are NOT accessible by others.
# This private key will be ignored.
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
# It is required that your private key files are NOT accessible by others.
# This private key will be ignored.
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
# It is required that your private key files are NOT accessible by others.
# This private key will be ignored.
# sshd: no hostkeys available -- exiting.
#
output="$(sshd -T 2>&1 || true)" # expected to fail
if grep -q "sshd: no hostkeys available" <<< "$output"; then
while read line; do
if [[ $line =~ ^Permissions\ [0-9]+\ for\ \'(.*)\'\ are\ too\ open. ]]; then
keyfile=${BASH_REMATCH[1]}
echo $line
echo -e "\t-> changing permissions on $keyfile"
chmod --verbose g-r $keyfile
chown --verbose root:root $keyfile
fi
done <<< "$output"
fi