08d842d5e8
Use a systemd service unit to strip the ssh_keys group and change the
mode for host keys. This ensures that this migration is done right before
the openssh server startup on all kinds of systems, either RPM or
rpm-ostree based.
Use a marker file to only do this once. We need to keep this service
unit for two Fedora releases so we will be able to remove it in Fedora
40.
See: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
Fixes: 7a21555
Get rid of ssh_keys group for new installations
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2172956
Co-authored-by: Timothée Ravier <tim@siosm.fr>
16 lines
411 B
Desktop File
[Unit]
Description=Update OpenSSH host key permissions
Documentation=https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
Before=sshd.service
After=ssh-keygen.target
ConditionPathExists=!/var/lib/.ssh-host-keys-migration

[Service]
Type=oneshot
ExecStart=-/usr/libexec/openssh/ssh-host-keys-migration.sh
ExecStart=touch /var/lib/.ssh-host-keys-migration
RemainAfterExit=yes

[Install]
WantedBy=sshd.service
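The `-` prefix on the first ExecStart makes systemd ignore the migration script's exit status, and the next line writes the marker regardless, so a failed migration is not retried on later boots. The check below is an added example, not part of the openssh package, that audits the host private keys afterwards. The function name, the default /etc/ssh directory and the expected end state (no group or other permission bits, group not ssh_keys) are assumptions; the marker path is the one from the unit.

```sh
#!/bin/sh
# Added example: post-migration audit of OpenSSH host private keys.
# Assumptions: keys are named ssh_host_*_key under /etc/ssh, the intended
# end state is owner-only permissions with a group other than ssh_keys,
# and GNU stat (coreutils) is available.
#
# Usage: audit_host_keys [DIR] [MARKER]
# Returns 0 if every key is clean, 1 on any finding, 2 if no keys exist.
audit_host_keys() {
    dir=${1:-/etc/ssh}
    marker=${2:-/var/lib/.ssh-host-keys-migration}   # path from the unit
    found=0
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue        # unmatched glob or not a regular file
        found=1
        mode=$(stat -c '%a' "$key")      # octal mode, e.g. 600 or 640
        group=$(stat -c '%G' "$key")     # owning group name
        # The last two octal digits are the group and other permission bits.
        case $mode in
            0|*00) ;;
            *) echo "MODE $key has mode $mode"; bad=1 ;;
        esac
        if [ "$group" = ssh_keys ]; then
            echo "GROUP $key still belongs to group ssh_keys"
            bad=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no host private keys found in $dir"
        return 2
    fi
    # ConditionPathExists=! skips the unit once the marker is present,
    # so findings at this point will not be repaired by a reboot.
    if [ "$bad" -eq 1 ] && [ -e "$marker" ]; then
        echo "NOTE $marker exists, so the unit will not run again"
    fi
    return "$bad"
}
```
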