PR#37: Draft: Restore upstream default host key permissions (rhbz#2141272) - rpms/openssh

		`@@ -1,31 +0,0 @@`
		`- diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c`
		`- --- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100`
		`- +++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100`
		`- @@ -31,6 +31,7 @@`
		`-`
		`- #include <errno.h>`
		`- #include <fcntl.h>`
		`- +#include <grp.h>`
		`- #include <stdio.h>`
		`- #include <stdarg.h>`
		`- #include <stdlib.h>`
		`- @@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen`
		`- #ifdef HAVE_CYGWIN`
		`- if (check_ntsec(filename))`
		`- #endif`
		`- +`
		`- if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {`
		`- + if (st.st_mode & 040) {`
		`- + struct group *gr;`
		`- +`
		`- + if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) {`
		`- + /* The only additional bit is read`
		`- + * for ssh_keys group, which is fine */`
		`- + if ((st.st_mode & 077) == 040 ) {`
		`- + return 0;`
		`- + }`
		`- + }`
		`- + }`
		`- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");`
		`- error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");`
		`- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");`

openssh-systemd-sysusers.conf

file removed

-2

		`@@ -1,2 +0,0 @@`
		`- #Type Name ID`
		`- g ssh_keys 101`

openssh.spec

file modified

+10 -11

		`@@ -47,7 +47,7 @@`

		`# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1`
		`%global openssh_ver 9.0p1`
		`- %global openssh_rel 8`
		`+ %global openssh_rel 9`
		`%global pam_ssh_agent_ver 0.10.4`
		`%global pam_ssh_agent_rel 7`

		`@@ -73,7 +73,6 @@`
		`Source15: sshd-keygen.target`
		`Source16: ssh-agent.service`
		`Source17: ssh-agent.socket`
		`- Source18: openssh-systemd-sysusers.conf`
		`Source19: openssh-server-systemd-sysusers.conf`

		`#https://bugzilla.mindrot.org/show_bug.cgi?id=2581`
		`@@ -115,8 +114,6 @@`

		`#https://bugzilla.mindrot.org/show_bug.cgi?id=1644`
		`Patch601: openssh-6.6p1-allow-ip-opts.patch`
		`- #https://bugzilla.mindrot.org/show_bug.cgi?id=1893 (WONTFIX)`
		`- Patch604: openssh-6.6p1-keyperm.patch`
		`#(drop?) https://bugzilla.mindrot.org/show_bug.cgi?id=1925`
		`Patch606: openssh-5.9p1-ipv6man.patch`
		`#?`
		`@@ -380,7 +377,6 @@`
		`%patch502 -p1 -b .keycat`

		`%patch601 -p1 -b .ip-opts`
		`- %patch604 -p1 -b .keyperm`
		`%patch606 -p1 -b .ipv6man`
		`%patch607 -p1 -b .sigpipe`
		`%patch609 -p1 -b .x11`
		`@@ -585,7 +581,6 @@`
		`install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/`
		`install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/`
		`install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd`
		`- install -p -D -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/openssh.conf`
		`install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/openssh-server.conf`

		`%if ! %{no_gnome_askpass}`
		`@@ -611,11 +606,13 @@`
		`popd`
		`%endif`

		`- %pre`
		`- %sysusers_create_compat %{SOURCE18}`
		`-`
		`%pre server`
		`%sysusers_create_compat %{SOURCE19}`
		`+ # Migration scriptlet for Fedora 38/39`
		`+ # We want to remove group ownership for standard host keys if they exist`
		`+ test -f /etc/ssh/ssh_host_rsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_rsa_key \|\| :`
		`+ test -f /etc/ssh/ssh_host_ecdsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ecdsa_key \|\| :`
		`+ test -f /etc/ssh/ssh_host_ed25519_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ed25519_key \|\| :`

		`%post server`
		`%systemd_post sshd.service sshd.socket`
		`@@ -653,9 +650,8 @@`
		`%attr(0755,root,root) %{_bindir}/ssh-keygen`
		`%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*`
		`%attr(0755,root,root) %dir %{_libexecdir}/openssh`
		`- %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign`
		`+ %attr(4555,root,root) %{_libexecdir}/openssh/ssh-keysign`
		`%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*`
		`- %attr(0644,root,root) %{_sysusersdir}/openssh.conf`

		`%files clients`
		`%attr(0755,root,root) %{_bindir}/ssh`
		`@@ -724,6 +720,9 @@`
		`%endif`

		`%changelog`
		`+ * Fri Dec 02 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-9`
		`+ - Restore upstream behaviour and default host key permissions (rhbz#2141272)`
		`+`
		`* Mon Oct 24 2022 Norbert Pocs <npocs@redhat.com> - 9.0p1-8`
		`- Add additional audit logging about ssh key used to login (rhbz#2049947)`

sshd-keygen

file modified

+1 -2

		`@@ -30,8 +30,7 @@`
		`fi`

		`# sanitize permissions`
		`- /usr/bin/chgrp ssh_keys $KEY`
		`- /usr/bin/chmod 640 $KEY`
		`+ /usr/bin/chmod 600 $KEY`
		`/usr/bin/chmod 644 $KEY.pub`
		`if [[ -x /usr/sbin/restorecon ]]; then`
		`/usr/sbin/restorecon $KEY{,.pub}`

dbelyavs commented a year ago

Restore upstream default host key permissions (0600 instead of 0640) and suid bit instead of sgid one for ssh-keysign

1 new commit added

Fix scriplet

a year ago

zuul commented a year ago

Build succeeded.

check-for-arches : SUCCESS in 54s
rpm-scratch-build : SUCCESS in 10m 56s
rpm-scratch-build-s390x : SUCCESS in 15m 51s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 15m 47s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 11m 41s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 12m 38s (non-voting)
rpm-linter : FAILURE in 3m 21s (non-voting)
rpm-rpminspect : FAILURE in 6m 33s (non-voting)
check-for-sti-tests : SUCCESS in 22s
check-for-fmf-tests : SUCCESS in 20s
rpm-install-test : SUCCESS in 2m 09s
rpm-tmt-test : SKIPPED
rpm-sti-test : SUCCESS in 7m 35s

1 new commit added

Fix the scriptlet

a year ago

zuul commented a year ago

Build succeeded.

check-for-arches : SUCCESS in 56s
rpm-scratch-build : SUCCESS in 9m 46s
rpm-scratch-build-s390x : SUCCESS in 10m 54s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 12m 44s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 10m 44s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 12m 43s (non-voting)
rpm-linter : FAILURE in 3m 40s (non-voting)
rpm-rpminspect : FAILURE in 7m 06s (non-voting)
check-for-sti-tests : SUCCESS in 24s
check-for-fmf-tests : SUCCESS in 23s
rpm-install-test : SUCCESS in 3m 01s
rpm-tmt-test : SKIPPED
rpm-sti-test : SUCCESS in 11m 03s

1 new commit added

Get rid of ssh_keys group for new installations

a year ago

2 new commits added

Domt use ssh_keys group
We dont install openssh.conf file

a year ago

zuul commented a year ago

Build succeeded.

check-for-arches : SUCCESS in 1m 00s
rpm-scratch-build : SUCCESS in 14m 15s
rpm-scratch-build-s390x : SUCCESS in 11m 03s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 13m 59s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 12m 01s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 9m 39s (non-voting)
rpm-linter : FAILURE in 3m 11s (non-voting)
rpm-rpminspect : FAILURE in 6m 34s (non-voting)
check-for-sti-tests : SUCCESS in 39s
check-for-fmf-tests : SUCCESS in 49s
rpm-install-test : SUCCESS in 2m 36s
rpm-tmt-test : SKIPPED
rpm-sti-test : SUCCESS in 10m 57s

jjelen commented a year ago

One more thing to do after this will land in Fedora is to update ansible sshd role. We are now enforcing the hostkeys permissions to be like this in here:

https://github.com/willshersystems/ansible-sshd/blob/master/vars/Fedora.yml#L23

It should be enough to open an issue or talk to me to get the changes done, but I wanted to dump the thought somewhere before I will forget.

dbelyavs commented a year ago

Rebased and pushed to rawhide, closing the MR. Thanks!