From b615362fd0b4da657d624571441cb74983de6e3f Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Fri, 2 Dec 2022 18:09:47 +0100
Subject: [PATCH] Restore upstream default host key permissions (rhbz#2141272)
---
 openssh-6.6p1-keyperm.patch | 31 -------------------------------
 openssh.spec | 15 ++++++++++-----
 sshd-keygen | 2 +-
 3 files changed, 11 insertions(+), 37 deletions(-)
 delete mode 100644 openssh-6.6p1-keyperm.patch
diff --git a/openssh-6.6p1-keyperm.patch b/openssh-6.6p1-keyperm.patch
deleted file mode 100644
index 5e06940..0000000
--- a/openssh-6.6p1-keyperm.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
---- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100
-+++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100
-@@ -31,6 +31,7 @@
- 
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen
- #ifdef HAVE_CYGWIN
- if (check_ntsec(filename))
- #endif
-+
- if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
-+ if (st.st_mode & 040) {
-+ struct group *gr;
-+
-+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) {
-+ /* The only additional bit is read
-+ * for ssh_keys group, which is fine */
-+ if ((st.st_mode & 077) == 040 ) {
-+ return 0;
-+ }
-+ }
-+ }
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
diff --git a/openssh.spec b/openssh.spec
index 4667fd9..c072dee 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -47,7 +47,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.0p1
-%global openssh_rel 9
+%global openssh_rel 10
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 7
@@ -115,8 +115,6 @@ Patch502: openssh-6.6p1-keycat.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1644
 Patch601: openssh-6.6p1-allow-ip-opts.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1893 (WONTFIX)
-Patch604: openssh-6.6p1-keyperm.patch
 #(drop?) https://bugzilla.mindrot.org/show_bug.cgi?id=1925
 Patch606: openssh-5.9p1-ipv6man.patch
 #?
@@ -380,7 +378,6 @@ popd
 %patch502 -p1 -b .keycat
 %patch601 -p1 -b .ip-opts
-%patch604 -p1 -b .keyperm
 %patch606 -p1 -b .ipv6man
 %patch607 -p1 -b .sigpipe
 %patch609 -p1 -b .x11
@@ -616,6 +613,11 @@ popd
 %pre server
 %sysusers_create_compat %{SOURCE19}
+# Migration scriptlet for Fedora 38/39
+# We want to remove group ownership for standard host keys if they exist
+test -f /etc/ssh/ssh_host_rsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_rsa_key || :
+test -f /etc/ssh/ssh_host_ecdsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ecdsa_key || :
+test -f /etc/ssh/ssh_host_ed25519_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ed25519_key || :
 %post server
 %systemd_post sshd.service sshd.socket
@@ -653,7 +655,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
-%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
+%attr(4555,root,root) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
 %attr(0644,root,root) %{_sysusersdir}/openssh.conf
@@ -724,6 +726,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Fri Dec 02 2022 Dmitry Belyavskiy - 9.0p1-10
+- Restore upstream behaviour and default host key permissions (rhbz#2141272)
+
 * Thu Jan 19 2023 Fedora Release Engineering - 9.0p1-9.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
diff --git a/sshd-keygen b/sshd-keygen
index 141814c..11b818a 100644
--- a/sshd-keygen
+++ b/sshd-keygen
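Review bot: The migration scriptlet in the `%pre server` hunk only fixes the three hard-coded key names, so any other host key the old sshd-keygen left at 0640 (an `ssh_host_dsa_key` if one was generated, or a key at a non-default `HostKey` path) stays group-readable. With openssh-6.6p1-keyperm.patch dropped, a 0640 key no longer passes `sshkey_perm_ok`; judging by the removed context it is reported as "UNPROTECTED PRIVATE KEY FILE", and if sshd goes through that same check it would presumably skip such a key after the upgrade. Globbing the directory covers the shipped names and DSA in one line, `for k in %{_sysconfdir}/ssh/ssh_host_*_key; do test -f "$k" && /usr/bin/chmod g-r "$k"; done || :`. The comment above the commands also says "remove group ownership" while they only clear the group read bit and leave the group as `ssh_keys`; I would reword it to `# Drop the group-read bit the old sshd-keygen set on host keys (ownership is left as is)`.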
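Review bot: `%attr(4555,root,root)` in the `%files` hunk makes ssh-keysign setuid root and world-readable; as far as I recall upstream's Makefile installs it as 4711, so `%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign` would match the "upstream default" in the subject line more closely and keeps the setuid binary from being read by unprivileged users. After this change nothing in the spec grants anything to the `ssh_keys` group any more, yet the sysusers file (SOURCE19, not visible here) presumably still creates it and sshd-keygen still chgrps new keys to it. A follow-up should either retire the group or leave a comment next to this line saying why it is kept, so the next reader does not assume the setgid scheme is still in use.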
@@ -31,7 +31,7 @@ fi
 # sanitize permissions
 /usr/bin/chgrp ssh_keys $KEY
-/usr/bin/chmod 640 $KEY
+/usr/bin/chmod 600 $KEY
 /usr/bin/chmod 644 $KEY.pub
 if [[ -x /usr/sbin/restorecon ]]; then
 /usr/sbin/restorecon $KEY{,.pub}
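Review bot: `/usr/bin/chgrp ssh_keys $KEY`, the line just above the changed one, is now vestigial: with the mode set to 600 no group bit remains for the group to use, and the spec no longer installs anything setgid `ssh_keys`. Keeping it leaves every newly generated key group-owned by `ssh_keys`, which is harmless today but ties this script to a group that may be retired next, at which point the chgrp fails (fatally if the script runs under `set -e`, which this hunk does not show). I would replace the two lines with `/usr/bin/chown root:root "$KEY"` and `/usr/bin/chmod 600 "$KEY"`, and quote `"$KEY.pub"` on the following line as well. The enclosing script starts before this hunk.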