
Change Host Private Key Permissions to 600 #6842

Open
wants to merge 1 commit into
base: master

Conversation

cxhong
Contributor

@cxhong cxhong commented Sep 30, 2020

This PR is a duplicate of #6833.

@nealep is processing the CCLA. In the meantime, I am making a duplicate PR to check in his fixes.

@cxhong cxhong requested a review from besawn September 30, 2020 19:35
@cxhong cxhong added this to the 2.16.1 milestone Sep 30, 2020
@besawn besawn modified the milestones: 2.16.1, 2.16.2 Oct 27, 2020
@besawn
Member

besawn commented Oct 27, 2020

Moving this PR to the next release until we can better understand which versions of OpenSSH require private keys with 0640 vs 0600 permissions.

@nealep

nealep commented Oct 27, 2020

From man.openbsd.org/sshd for OpenSSH Version 8.4:

/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not accessible to others. Note that sshd does not start if these files are group/world-accessible.

Looks like similar language is in the manual going back to BSD version 3.0, which I think corresponds to OpenSSH version ~2. I haven't been able to find when exactly they introduced the error behavior, however. It looks like group permissions were just strongly encouraged up until relatively recently, or it's a wacky RedHat patch.

@nealep

nealep commented Oct 27, 2020

Some more interesting information:

https://bugzilla.redhat.com/show_bug.cgi?id=1801459

Sounds like 0640 will be acceptable if the group is ssh-keys. I don't have a way to verify this behavior at present. Does someone have a RHEL 7 image they can experiment with? Otherwise, I can try to do it in the next week or two?

@besawn
Member

besawn commented Oct 27, 2020

@nealep The current behavior was due to this issue: #2617
which references this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=819896

Given that different versions of OpenSSH require different ownership and permissions, a more reliable approach might be to generate a temporary host private key on the compute node to determine the group and permissions that are expected by the installed version of OpenSSH, then copy the correct keys over and set the ownership and permissions to match those of the temporary key. This is the approach I would like to explore next, when time permits.

@peterwywong
Contributor

peterwywong commented Nov 18, 2020

An xCAT management node has two sets of host keys, one under /etc/ssh and the other /etc/xcat/hostkeys. The SECOND set of host keys is distributed to /etc/ssh of each compute node by /install/postscripts/remoteshell.

In March 2017, PR 2724, which fixed issue #2617 (Wrong permissions for ssh host private keys on CentOS 7), modified the permission of the host keys from 600 to 640 and changed their group ownership from root to ssh_keys on compute nodes where group ssh_keys is defined. Only CentOS and RHEL have ssh_keys defined.

Since the releases of CentOS 7.0 and RHEL 7.0 in 2014, the host keys have been set to permission 640 and group ssh_keys by sshd-keygen.

sshd-keygen is a script only available on CentOS and RHEL and packaged in openssh-server. It calls ssh-keygen to create keys and then sets the above permission and group ownership.

Here is /usr/libexec/openssh/sshd-keygen of RHEL 8.2, with openssh-server-8.0p1-4.el8_1.ppc64le.

```bash
# Create the host keys for the OpenSSH server.
KEYTYPE=$1
case $KEYTYPE in
        "dsa") ;& # disabled in FIPS
        "ed25519")
                FIPS=/proc/sys/crypto/fips_enabled
                if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
                        exit 0
                fi ;;
        "rsa") ;; # always ok
        "ecdsa") ;;
        *) # wrong argument
                exit 12 ;;
esac
KEY=/etc/ssh/ssh_host_${KEYTYPE}_key

KEYGEN=/usr/bin/ssh-keygen
if [[ ! -x $KEYGEN ]]; then
        exit 13
fi

# remove old keys
rm -f $KEY{,.pub}

# create new keys
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
        exit 1
fi

# sanitize permissions
/usr/bin/chgrp ssh_keys $KEY
/usr/bin/chmod 640 $KEY
/usr/bin/chmod 644 $KEY.pub
if [[ -x /usr/sbin/restorecon ]]; then
        /usr/sbin/restorecon $KEY{,.pub}
fi

exit 0
```

The information given by nealep on sshd for OpenSSH Version 8.4 is likely for ssh-keygen. sshd-keygen of CentOS and RHEL makes use of ssh-keygen with added requirements as described above.

We know xCAT distributes a common set of host keys to all compute nodes; CentOS and RHEL require permission 640 and group ssh_keys for them; the fixes in PR 2724 were made to comply with those requirements. We still need this compliance today.
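The approach besawn proposed above (learn the expected ownership and mode from a key the installed OpenSSH generates itself, then apply it to the distributed keys), combined with the sshd-keygen behaviour peterwywong describes, as an added example that is not xCAT's remoteshell postscript. It assumes GNU coreutils (stat -c, install), that the distributed key's .pub file sits beside it, and root privileges when run for real on a compute node.

```bash
#!/bin/bash
# Added example, not xCAT's remoteshell postscript. Assumes GNU coreutils
# (stat -c, install) and root on the compute node when run for real.
set -eu

# Print "mode uid gid" of a file, e.g. "640 0 993" (993 would be ssh_keys).
key_attrs() { stat -c '%a %u %g' "$1"; }

# Copy the mode, owner and group of reference key $1 onto every file in $@
# and echo the attributes that were applied.
match_key_attrs() {
    local ref attrs mode rest uid gid f
    ref=$1; shift
    attrs=$(key_attrs "$ref")
    mode=${attrs%% *}; rest=${attrs#* }; uid=${rest%% *}; gid=${rest#* }
    for f in "$@"; do
        chown "$uid:$gid" "$f"
        chmod "$mode" "$f"
    done
    echo "$attrs"
}

# Replace installed host key $1 with distributed key $2 (type $3), taking the
# expected ownership/mode from a key generated by the local OpenSSH itself.
install_host_key() {
    local installed distributed keytype tmp
    installed=$1; distributed=$2; keytype=$3
    tmp=$(mktemp -d)
    if [ -x /usr/libexec/openssh/sshd-keygen ]; then
        # RHEL/CentOS: regenerates $installed as 640 root:ssh_keys.
        /usr/libexec/openssh/sshd-keygen "$keytype"
        cp -p "$installed" "$tmp/ref"
    else
        # Other distributions: plain ssh-keygen yields 600 root:root.
        ssh-keygen -q -t "$keytype" -f "$tmp/ref" -N '' -C ''
    fi
    # Never leave the distributed private key more open than 600 while copying.
    install -m 600 "$distributed" "$installed"
    install -m 644 "$distributed.pub" "$installed.pub"
    match_key_attrs "$tmp/ref" "$installed"
    rm -rf "$tmp"
    # sshd refuses to start on group/world-accessible keys; catch that now
    # rather than at the next service restart.
    sshd -t
}
```

On a node this would be called as install_host_key /etc/ssh/ssh_host_rsa_key /etc/xcat/hostkeys/ssh_host_rsa_key rsa, once per key type.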

@besawn besawn removed this from the 2.16.2 milestone May 17, 2021
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.