Use a service unit to strip ssh_keys group from host keys (rhbz#2172956)
Use a systemd service unit to strip the ssh_keys group and change the
mode for host keys. This ensure that this migration is done right before
the openssh server startup on all kind of systems, either RPM or
rpm-ostree based.
Use a marker file to only do this once. We need to keep this service
unit for two Fedora releases so we will be able to remove it in Fedora
40.
See: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
Fixes: 7a21555
Get rid of ssh_keys group for new installations
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2172956
Co-authored-by: Timothée Ravier <tim@siosm.fr>
This commit is contained in:
parent
937ee4760a
commit
08d842d5e8
27
openssh.spec
27
openssh.spec
@ -47,7 +47,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 9.0p1
|
%global openssh_ver 9.0p1
|
||||||
%global openssh_rel 10
|
%global openssh_rel 11
|
||||||
%global pam_ssh_agent_ver 0.10.4
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 7
|
%global pam_ssh_agent_rel 7
|
||||||
|
|
||||||
@ -74,6 +74,8 @@ Source15: sshd-keygen.target
|
|||||||
Source16: ssh-agent.service
|
Source16: ssh-agent.service
|
||||||
Source17: ssh-agent.socket
|
Source17: ssh-agent.socket
|
||||||
Source19: openssh-server-systemd-sysusers.conf
|
Source19: openssh-server-systemd-sysusers.conf
|
||||||
|
Source20: ssh-host-keys-migration.sh
|
||||||
|
Source21: ssh-host-keys-migration.service
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
||||||
Patch100: openssh-6.7p1-coverity.patch
|
Patch100: openssh-6.7p1-coverity.patch
|
||||||
@ -582,6 +584,10 @@ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
|||||||
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
||||||
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
|
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
|
||||||
install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/openssh-server.conf
|
install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/openssh-server.conf
|
||||||
|
# Migration service/script for Fedora 38 change to remove group ownership for standard host keys
|
||||||
|
# See https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
|
||||||
|
install -m744 %{SOURCE20} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/ssh-host-keys-migration.sh
|
||||||
|
install -m644 %{SOURCE21} $RPM_BUILD_ROOT/%{_unitdir}/ssh-host-keys-migration.service # enabled in 90-default.preset
|
||||||
|
|
||||||
%if ! %{no_gnome_askpass}
|
%if ! %{no_gnome_askpass}
|
||||||
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||||
@ -608,13 +614,16 @@ popd
|
|||||||
|
|
||||||
%pre server
|
%pre server
|
||||||
%sysusers_create_compat %{SOURCE19}
|
%sysusers_create_compat %{SOURCE19}
|
||||||
# Migration scriptlet for Fedora 38/39
|
|
||||||
# We want to remove group ownership for standard host keys if they exist
|
|
||||||
test -f /etc/ssh/ssh_host_rsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_rsa_key || :
|
|
||||||
test -f /etc/ssh/ssh_host_ecdsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ecdsa_key || :
|
|
||||||
test -f /etc/ssh/ssh_host_ed25519_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ed25519_key || :
|
|
||||||
|
|
||||||
%post server
|
%post server
|
||||||
|
if [ $1 -gt 1 ]; then
|
||||||
|
# In the case of an upgrade (never true on OSTree systems) run the migration
|
||||||
|
# script for Fedora 38 to remove group ownership for host keys.
|
||||||
|
%{_libexecdir}/openssh/ssh-host-keys-migration.sh
|
||||||
|
# Prevent the systemd unit that performs the same service (useful for
|
||||||
|
# OSTree systems) from running.
|
||||||
|
touch /var/lib/.ssh-host-keys-migration
|
||||||
|
fi
|
||||||
%systemd_post sshd.service sshd.socket
|
%systemd_post sshd.service sshd.socket
|
||||||
# Migration scriptlet for Fedora 31 and 32 installations to sshd_config
|
# Migration scriptlet for Fedora 31 and 32 installations to sshd_config
|
||||||
# drop-in directory (in F32+).
|
# drop-in directory (in F32+).
|
||||||
@ -699,6 +708,8 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
||||||
%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
|
%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
|
||||||
|
%attr(0644,root,root) %{_unitdir}/ssh-host-keys-migration.service
|
||||||
|
%attr(0744,root,root) %{_libexecdir}/openssh/ssh-host-keys-migration.sh
|
||||||
|
|
||||||
%files keycat
|
%files keycat
|
||||||
%doc HOWTO.ssh-keycat
|
%doc HOWTO.ssh-keycat
|
||||||
@ -720,6 +731,10 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 01 2023 Dusty Mabe <dusty@dustymabe.com> - 9.0p1-11
|
||||||
|
- Provide a systemd unit for restoring default host key permissions (rhbz#2172956)
|
||||||
|
- Co-Authored by Timothée Ravier <tim@siosm.fr>
|
||||||
|
|
||||||
* Mon Jan 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-10
|
* Mon Jan 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-10
|
||||||
- Restore upstream behaviour and default host key permissions (rhbz#2141272)
|
- Restore upstream behaviour and default host key permissions (rhbz#2141272)
|
||||||
|
|
||||||
|
15
ssh-host-keys-migration.service
Normal file
15
ssh-host-keys-migration.service
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Update OpenSSH host key permissions
|
||||||
|
Documentation=https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
|
||||||
|
Before=sshd.service
|
||||||
|
After=ssh-keygen.target
|
||||||
|
ConditionPathExists=!/var/lib/.ssh-host-keys-migration
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=-/usr/libexec/openssh/ssh-host-keys-migration.sh
|
||||||
|
ExecStart=touch /var/lib/.ssh-host-keys-migration
|
||||||
|
RemainAfterExit=yes
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sshd.service
|
38
ssh-host-keys-migration.sh
Normal file
38
ssh-host-keys-migration.sh
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
#!/usr/bin/bash
|
||||||
|
set -eu -o pipefail
|
||||||
|
# Detect existing non-conforming host keys and perform the permissions migration
|
||||||
|
# https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
|
||||||
|
#
|
||||||
|
# Example output looks like:
|
||||||
|
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||||
|
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
|
||||||
|
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||||
|
# Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
|
||||||
|
# It is required that your private key files are NOT accessible by others.
|
||||||
|
# This private key will be ignored.
|
||||||
|
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||||
|
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
|
||||||
|
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||||
|
# Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
|
||||||
|
# It is required that your private key files are NOT accessible by others.
|
||||||
|
# This private key will be ignored.
|
||||||
|
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||||
|
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
|
||||||
|
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||||
|
# Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
|
||||||
|
# It is required that your private key files are NOT accessible by others.
|
||||||
|
# This private key will be ignored.
|
||||||
|
# sshd: no hostkeys available -- exiting.
|
||||||
|
#
|
||||||
|
output="$(sshd -T 2>&1 || true)" # expected to fail
|
||||||
|
if grep -q "sshd: no hostkeys available" <<< "$output"; then
|
||||||
|
while read line; do
|
||||||
|
if [[ $line =~ ^Permissions\ [0-9]+\ for\ \'(.*)\'\ are\ too\ open. ]]; then
|
||||||
|
keyfile=${BASH_REMATCH[1]}
|
||||||
|
echo $line
|
||||||
|
echo -e "\t-> changing permissions on $keyfile"
|
||||||
|
chmod --verbose g-r $keyfile
|
||||||
|
chown --verbose root:root $keyfile
|
||||||
|
fi
|
||||||
|
done <<< "$output"
|
||||||
|
fi
|
Loading…
Reference in New Issue
Block a user