Use a service unit to strip ssh_keys group from host keys (rhbz#2172956)
Use a systemd service unit to strip the ssh_keys group and change the
mode for host keys. This ensure that this migration is done right before
the openssh server startup on all kind of systems, either RPM or
rpm-ostree based.
Use a marker file to only do this once. We need to keep this service
unit for two Fedora releases so we will be able to remove it in Fedora
40.
See: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
Fixes: 7a21555 Get rid of ssh_keys group for new installations
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2172956
Co-authored-by: Timothée Ravier <tim@siosm.fr>
			
			
This commit is contained in:
		
							parent
							
								
									937ee4760a
								
							
						
					
					
						commit
						08d842d5e8
					
				
							
								
								
									
										27
									
								
								openssh.spec
									
									
									
									
									
								
							
							
						
						
									
										27
									
								
								openssh.spec
									
									
									
									
									
								
							| @ -47,7 +47,7 @@ | ||||
| 
 | ||||
| # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 | ||||
| %global openssh_ver 9.0p1 | ||||
| %global openssh_rel 10 | ||||
| %global openssh_rel 11 | ||||
| %global pam_ssh_agent_ver 0.10.4 | ||||
| %global pam_ssh_agent_rel 7 | ||||
| 
 | ||||
| @ -74,6 +74,8 @@ Source15: sshd-keygen.target | ||||
| Source16: ssh-agent.service | ||||
| Source17: ssh-agent.socket | ||||
| Source19: openssh-server-systemd-sysusers.conf | ||||
| Source20: ssh-host-keys-migration.sh | ||||
| Source21: ssh-host-keys-migration.service | ||||
| 
 | ||||
| #https://bugzilla.mindrot.org/show_bug.cgi?id=2581 | ||||
| Patch100: openssh-6.7p1-coverity.patch | ||||
| @ -582,6 +584,10 @@ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ | ||||
| install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ | ||||
| install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd | ||||
| install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/openssh-server.conf | ||||
| # Migration service/script for Fedora 38 change to remove group ownership for standard host keys | ||||
| # See https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit | ||||
| install -m744 %{SOURCE20} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/ssh-host-keys-migration.sh | ||||
| install -m644 %{SOURCE21} $RPM_BUILD_ROOT/%{_unitdir}/ssh-host-keys-migration.service # enabled in 90-default.preset | ||||
| 
 | ||||
| %if ! %{no_gnome_askpass} | ||||
| install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass | ||||
| @ -608,13 +614,16 @@ popd | ||||
| 
 | ||||
| %pre server | ||||
| %sysusers_create_compat %{SOURCE19} | ||||
| # Migration scriptlet for Fedora 38/39 | ||||
| # We want to remove group ownership for standard host keys if they exist | ||||
| test -f /etc/ssh/ssh_host_rsa_key     && /usr/bin/chmod g-r /etc/ssh/ssh_host_rsa_key     || : | ||||
| test -f /etc/ssh/ssh_host_ecdsa_key   && /usr/bin/chmod g-r /etc/ssh/ssh_host_ecdsa_key   || : | ||||
| test -f /etc/ssh/ssh_host_ed25519_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ed25519_key || : | ||||
| 
 | ||||
| %post server | ||||
| if [ $1 -gt 1 ]; then | ||||
|     # In the case of an upgrade (never true on OSTree systems) run the migration | ||||
|     # script for Fedora 38 to remove group ownership for host keys. | ||||
|     %{_libexecdir}/openssh/ssh-host-keys-migration.sh | ||||
|     # Prevent the systemd unit that performs the same service (useful for | ||||
|     # OSTree systems) from running. | ||||
|     touch /var/lib/.ssh-host-keys-migration | ||||
| fi | ||||
| %systemd_post sshd.service sshd.socket | ||||
| # Migration scriptlet for Fedora 31 and 32 installations to sshd_config | ||||
| # drop-in directory (in F32+). | ||||
| @ -699,6 +708,8 @@ test -f %{sysconfig_anaconda} && \ | ||||
| %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service | ||||
| %attr(0644,root,root) %{_unitdir}/sshd-keygen.target | ||||
| %attr(0644,root,root) %{_sysusersdir}/openssh-server.conf | ||||
| %attr(0644,root,root) %{_unitdir}/ssh-host-keys-migration.service | ||||
| %attr(0744,root,root) %{_libexecdir}/openssh/ssh-host-keys-migration.sh | ||||
| 
 | ||||
| %files keycat | ||||
| %doc HOWTO.ssh-keycat | ||||
| @ -720,6 +731,10 @@ test -f %{sysconfig_anaconda} && \ | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Wed Mar 01 2023 Dusty Mabe <dusty@dustymabe.com> - 9.0p1-11 | ||||
| - Provide a systemd unit for restoring default host key permissions (rhbz#2172956) | ||||
| - Co-Authored by Timothée Ravier <tim@siosm.fr> | ||||
| 
 | ||||
| * Mon Jan 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-10 | ||||
| - Restore upstream behaviour and default host key permissions (rhbz#2141272) | ||||
| 
 | ||||
|  | ||||
							
								
								
									
										15
									
								
								ssh-host-keys-migration.service
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										15
									
								
								ssh-host-keys-migration.service
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,15 @@ | ||||
| [Unit] | ||||
| Description=Update OpenSSH host key permissions | ||||
| Documentation=https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit | ||||
| Before=sshd.service | ||||
| After=ssh-keygen.target | ||||
| ConditionPathExists=!/var/lib/.ssh-host-keys-migration | ||||
| 
 | ||||
| [Service] | ||||
| Type=oneshot | ||||
| ExecStart=-/usr/libexec/openssh/ssh-host-keys-migration.sh | ||||
| ExecStart=touch /var/lib/.ssh-host-keys-migration | ||||
| RemainAfterExit=yes | ||||
| 
 | ||||
| [Install] | ||||
| WantedBy=sshd.service | ||||
							
								
								
									
										38
									
								
								ssh-host-keys-migration.sh
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										38
									
								
								ssh-host-keys-migration.sh
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,38 @@ | ||||
| #!/usr/bin/bash  | ||||
| set -eu -o pipefail | ||||
| # Detect existing non-conforming host keys and perform the permissions migration | ||||
| # https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit | ||||
| #  | ||||
| # Example output looks like: | ||||
| # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||||
| # @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @ | ||||
| # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||||
| # Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open. | ||||
| # It is required that your private key files are NOT accessible by others. | ||||
| # This private key will be ignored. | ||||
| # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||||
| # @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @ | ||||
| # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||||
| # Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open. | ||||
| # It is required that your private key files are NOT accessible by others. | ||||
| # This private key will be ignored. | ||||
| # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||||
| # @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @ | ||||
| # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||||
| # Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open. | ||||
| # It is required that your private key files are NOT accessible by others. | ||||
| # This private key will be ignored. | ||||
| # sshd: no hostkeys available -- exiting. | ||||
| # | ||||
| output="$(sshd -T 2>&1 || true)" # expected to fail | ||||
| if grep -q "sshd: no hostkeys available" <<< "$output"; then | ||||
|     while read line; do | ||||
|         if [[ $line =~ ^Permissions\ [0-9]+\ for\ \'(.*)\'\ are\ too\ open. ]]; then | ||||
|             keyfile=${BASH_REMATCH[1]} | ||||
|             echo $line | ||||
|             echo -e "\t-> changing permissions on $keyfile" | ||||
|             chmod --verbose g-r $keyfile | ||||
|             chown --verbose root:root $keyfile | ||||
|         fi | ||||
|     done <<< "$output" | ||||
| fi | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user