Fix permission of SSH host keys
parent
b59461e1ef
commit
2aedc75151
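--- /dev/null
+++ b/backport-Fix-permission-of-SSH-host-keys-1971.patch
@@ -0,0 +1,60 @@
+From 94a00492b11995dd9278605eb29ee4b096ce3a90 Mon Sep 17 00:00:00 2001
+From: Ron Gebauer <Mazorius@users.noreply.github.com>
+Date: Wed, 25 Jan 2023 22:40:32 +0100
+Subject: [PATCH] Fix permission of SSH host keys (#1971)
+
+If the host-keys are provided the private key permissions have 0600
+which is indeed correct. But the public key has 0600 which should
+instead be 0644.
+
+With this change the public key is always 0644 and the private key
+is 0600 if provided or 640 if generated (to match sshd-keygen
+functionality).
+---
+cloudinit/config/cc_ssh.py | 4 ++--
+tests/unittests/config/test_cc_ssh.py | 6 +++---
+2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
+index 33c1fd0..6210627 100644
+--- a/cloudinit/config/cc_ssh.py
++++ b/cloudinit/config/cc_ssh.py
+@@ -185,8 +185,8 @@ for k in GENERATE_KEY_NAMES:
+CONFIG_KEY_TO_FILE.update(
+{
+f"{k}_private": (KEY_FILE_TPL % k, 0o600),
+- f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600),
+- f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o600),
++ f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o644),
++ f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o644),
+}
+)
+PRIV_TO_PUB[f"{k}_private"] = f"{k}_public"
+diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py
+index 47c0c77..c41a50b 100644
+--- a/tests/unittests/config/test_cc_ssh.py
++++ b/tests/unittests/config/test_cc_ssh.py
+@@ -311,17 +311,17 @@ class TestHandleSsh:
+mock.call(
+"/etc/ssh/ssh_host_{}_key".format(key_type),
+private_value,
+- 384,
++ 0o600,
+),
+mock.call(
+"/etc/ssh/ssh_host_{}_key.pub".format(key_type),
+public_value,
+- 384,
++ 0o644,
+),
+mock.call(
+"/etc/ssh/ssh_host_{}_key-cert.pub".format(key_type),
+cert_value,
+- 384,
++ 0o644,
+),
+mock.call(
+"/etc/ssh/sshd_config",
+--
+2.39.1
+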
@ -1,6 +1,6 @@
|
|||||||
Name: cloud-init
|
Name: cloud-init
|
||||||
Version: 22.2
|
Version: 22.2
|
||||||
Release: 5
|
Release: 6
|
||||||
Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
|
Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
|
||||||
License: ASL 2.0 or GPLv3
|
License: ASL 2.0 or GPLv3
|
||||||
URL: http://launchpad.net/cloud-init
|
URL: http://launchpad.net/cloud-init
|
||||||
@ -13,6 +13,9 @@ Patch1: bugfix-cloud-init-add-os-support.patch
|
|||||||
Patch2: bugfix-sort-requirements.patch
|
Patch2: bugfix-sort-requirements.patch
|
||||||
Patch3: add-variable-to-forbid-tmp-dir.patch
|
Patch3: add-variable-to-forbid-tmp-dir.patch
|
||||||
Patch4: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch
|
Patch4: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch
|
||||||
|
Patch5: backport-Fix-permission-of-SSH-host-keys-1971.patch
|
||||||
|
|
||||||
|
Patch9000: fix-permission-of-the-private-key.patch
|
||||||
|
|
||||||
BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
|
BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
|
||||||
BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2
|
BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2
|
||||||
@ -127,6 +130,9 @@ fi
|
|||||||
%exclude /usr/share/doc/*
|
%exclude /usr/share/doc/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 14 2023 shixuantong <shixuantong1@huawei.com> - 22.2-6
|
||||||
|
- Fix permission of SSH host keys
|
||||||
|
|
||||||
* Thu Feb 02 2023 shixuantong <shixuantong1@huawei.com> - 22.2-5
|
* Thu Feb 02 2023 shixuantong <shixuantong1@huawei.com> - 22.2-5
|
||||||
- revert make the same authentication behavior for arm and x86 machine
|
- revert make the same authentication behavior for arm and x86 machine
|
||||||
|
|
||||||
|
|||||||
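--- /dev/null
+++ b/fix-permission-of-the-private-key.patch
@@ -0,0 +1,25 @@
+From ef18ff5a437e9abe91c81289157a4e846169736a Mon Sep 17 00:00:00 2001
+From: shixuantong <shixuantong1@huawei.com>
+Date: Tue, 14 Mar 2023 07:38:03 +0000
+Subject: [PATCH] fix permission of the private key
+
+---
+cloudinit/config/cc_ssh.py | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
+index 6210627..bc4a158 100644
+--- a/cloudinit/config/cc_ssh.py
++++ b/cloudinit/config/cc_ssh.py
+@@ -274,7 +274,7 @@ def handle(_name, cfg, cloud: Cloud, log: Logger, _args):
+if gid != -1:
+# perform same "sanitize permissions" as sshd-keygen
+os.chown(keyfile, -1, gid)
+- os.chmod(keyfile, 0o640)
++ os.chmod(keyfile, 0o600)
+os.chmod(keyfile + ".pub", 0o644)
+except subp.ProcessExecutionError as e:
+err = util.decode_binary(e.stderr).lower()
+--
+2.39.1
+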
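Review bot: The new `os.chmod(keyfile, 0o600)` on the generated host key contradicts the comment two lines above it, which says the block performs the same "sanitize permissions" as sshd-keygen; the upstream backport added in this same commit describes that behaviour as 640 for generated keys, so the comment is now misleading, and the preceding `os.chown(keyfile, -1, gid)` no longer gives the selected group any read access. If the intent is that only root may read generated host keys, replace the comment with something like `# stricter than sshd-keygen: group gets no read access to generated host keys` and state the rationale in the patch description, which is currently empty. If this distribution's sshd or ssh-keysign helper relies on group-readable host keys (which is what a group-owned 640 file suggests, though the group's name is not visible here), host-based authentication could break — worth confirming before shipping. The enclosing `handle()` starts and ends outside the hunk.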