cloud-init/backport-Fix-permission-of-SSH-host-keys-1971.patch

From 94a00492b11995dd9278605eb29ee4b096ce3a90 Mon Sep 17 00:00:00 2001
From: Ron Gebauer <Mazorius@users.noreply.github.com>
Date: Wed, 25 Jan 2023 22:40:32 +0100
Subject: [PATCH] Fix permission of SSH host keys (#1971)
If the host keys are provided, the private key permissions are 0600,
which is correct, but the public key also gets 0600 where it should
instead be 0644.
With this change the public key is always 0644 and the private key
is 0600 if provided or 640 if generated (to match sshd-keygen
functionality).
---
cloudinit/config/cc_ssh.py | 4 ++--
tests/unittests/config/test_cc_ssh.py | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 33c1fd0..6210627 100644
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -185,8 +185,8 @@ for k in GENERATE_KEY_NAMES:
CONFIG_KEY_TO_FILE.update(
{
f"{k}_private": (KEY_FILE_TPL % k, 0o600),
- f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600),
- f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o600),
+ f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o644),
+ f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o644),
}
)
PRIV_TO_PUB[f"{k}_private"] = f"{k}_public"
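Review bot: The mode change for the `_public` and `_certificate` entries has no comment saying why those two files are meant to be world-readable while `_private` stays `0o600`, and a future reader comparing the three tuples may "fix" them back to a uniform mode. I would add above the `update(` call: `# Public keys and certificates carry no secret material; sshd-keygen installs them 0644. The private key must stay owner-only (0600).` The commit message also says a generated private key ends up 0640, but nothing in this hunk sets that, so presumably the generated-key path lives elsewhere and only the config-provided path is touched here. The enclosing `for k in GENERATE_KEY_NAMES:` loop starts outside the hunk.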
diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py
index 47c0c77..c41a50b 100644
--- a/tests/unittests/config/test_cc_ssh.py
+++ b/tests/unittests/config/test_cc_ssh.py
@@ -311,17 +311,17 @@ class TestHandleSsh:
mock.call(
"/etc/ssh/ssh_host_{}_key".format(key_type),
private_value,
- 384,
+ 0o600,
),
mock.call(
"/etc/ssh/ssh_host_{}_key.pub".format(key_type),
public_value,
- 384,
+ 0o644,
),
mock.call(
"/etc/ssh/ssh_host_{}_key-cert.pub".format(key_type),
cert_value,
- 384,
+ 0o644,
),
mock.call(
"/etc/ssh/sshd_config",
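Review bot: The expected modes are now three bare octal literals repeated per `mock.call`, with nothing saying what each pins; since the point of the assertion is that the private key is owner-only and the public and certificate files are readable, a one-line comment above the first `mock.call(` would make a future failure self-explaining, e.g. `# private key owner-only; public key and cert are world-readable, matching sshd-keygen`. Pinning literals rather than importing the mapping from cc_ssh is the right choice for a regression test, so I would not change that. The 0640 mode for generated keys mentioned in the commit message is not asserted anywhere in this hunk, as far as it shows; if a separate test covers that path it is worth naming it in the comment. The enclosing test method begins before and continues past the hunk.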
--
2.39.1