Restore upstream default host key permissions (rhbz#2141272)

openssh-6.6p1-keyperm.patch

@@ -1,31 +0,0 @@
-diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
---- openssh-8.2p1/authfile.c.keyperm	2020-02-14 01:40:54.000000000 +0100
-+++ openssh-8.2p1/authfile.c	2020-02-17 11:55:12.841729758 +0100
-@@ -31,6 +31,7 @@
- 
- #include <errno.h>
- #include <fcntl.h>
-+#include <grp.h>
- #include <stdio.h>
- #include <stdarg.h>
- #include <stdlib.h>
-@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen
- #ifdef HAVE_CYGWIN
- 	if (check_ntsec(filename))
- #endif
-+
- 	if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
-+		if (st.st_mode & 040) {
-+			struct group *gr;
-+
-+			if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) {
-+				/* The only additional bit is read
-+				 * for ssh_keys group, which is fine */
-+				if ((st.st_mode & 077) == 040 ) {
-+					return 0;
-+				}
-+			}
-+		}
- 		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- 		error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
- 		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");

openssh.spec

@@ -47,7 +47,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.0p1
-%global openssh_rel 9
+%global openssh_rel 10
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 7
 
@@ -115,8 +115,6 @@ Patch502: openssh-6.6p1-keycat.patch
 
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1644
 Patch601: openssh-6.6p1-allow-ip-opts.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1893 (WONTFIX)
-Patch604: openssh-6.6p1-keyperm.patch
 #(drop?) https://bugzilla.mindrot.org/show_bug.cgi?id=1925
 Patch606: openssh-5.9p1-ipv6man.patch
 #?
@@ -380,7 +378,6 @@ popd
 %patch502 -p1 -b .keycat
 
 %patch601 -p1 -b .ip-opts
-%patch604 -p1 -b .keyperm
 %patch606 -p1 -b .ipv6man
 %patch607 -p1 -b .sigpipe
 %patch609 -p1 -b .x11
@@ -616,6 +613,11 @@ popd
 
 %pre server
 %sysusers_create_compat %{SOURCE19}
+# Migration scriptlet for Fedora 38/39
+# We want to remove group ownership for standard host keys if they exist
+test -f /etc/ssh/ssh_host_rsa_key     && /usr/bin/chmod g-r /etc/ssh/ssh_host_rsa_key     || :
+test -f /etc/ssh/ssh_host_ecdsa_key   && /usr/bin/chmod g-r /etc/ssh/ssh_host_ecdsa_key   || :
+test -f /etc/ssh/ssh_host_ed25519_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ed25519_key || :
 
 %post server
 %systemd_post sshd.service sshd.socket
@@ -653,7 +655,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
-%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
+%attr(4555,root,root) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
 %attr(0644,root,root) %{_sysusersdir}/openssh.conf
 
@@ -724,6 +726,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Fri Dec 02 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-10
+- Restore upstream behaviour and default host key permissions (rhbz#2141272)
+
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 9.0p1-9.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 

sshd-keygen

@@ -31,7 +31,7 @@ fi
 
 # sanitize permissions
 /usr/bin/chgrp ssh_keys $KEY
-/usr/bin/chmod 640 $KEY
+/usr/bin/chmod 600 $KEY
 /usr/bin/chmod 644 $KEY.pub
 if [[ -x /usr/sbin/restorecon ]]; then
 	/usr/sbin/restorecon $KEY{,.pub}