From 94a00492b11995dd9278605eb29ee4b096ce3a90 Mon Sep 17 00:00:00 2001
From: Ron Gebauer
Date: Wed, 25 Jan 2023 22:40:32 +0100
Subject: [PATCH] Fix permission of SSH host keys (#1971)

If the host-keys are provided the private key permissions have 0600 which is indeed correct. But the public key has 0600 which should instead be 0644. With this change the public key is always 0644 and the private key is 0600 if provided or 640 if generated (to match sshd-keygen functionality).
---
 cloudinit/config/cc_ssh.py | 4 ++--
 tests/unittests/config/test_cc_ssh.py | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 33c1fd0..6210627 100644
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -185,8 +185,8 @@ for k in GENERATE_KEY_NAMES:
 CONFIG_KEY_TO_FILE.update(
 {
 f"{k}_private": (KEY_FILE_TPL % k, 0o600),
- f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600),
- f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o600),
+ f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o644),
+ f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o644),
 }
 )
 PRIV_TO_PUB[f"{k}_private"] = f"{k}_public"
diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py
index 47c0c77..c41a50b 100644
--- a/tests/unittests/config/test_cc_ssh.py
+++ b/tests/unittests/config/test_cc_ssh.py
@@ -311,17 +311,17 @@ class TestHandleSsh:
 mock.call(
 "/etc/ssh/ssh_host_{}_key".format(key_type),
 private_value,
- 384,
+ 0o600,
 ),
 mock.call(
 "/etc/ssh/ssh_host_{}_key.pub".format(key_type),
 public_value,
- 384,
+ 0o644,
 ),
 mock.call(
 "/etc/ssh/ssh_host_{}_key-cert.pub".format(key_type),
 cert_value,
- 384,
+ 0o644,
 ),
 mock.call(
 "/etc/ssh/sshd_config",
--
2.39.1
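Review bot: The new 0o644 entries in CONFIG_KEY_TO_FILE carry the security-relevant split (owner-only private key, readable .pub and -cert.pub) only in the mode value, with nothing explaining it; a short comment above the dict literal keeps a future edit from flattening the modes again: `# private key material stays 0o600; .pub and -cert.pub are public by design (0o644)`. The hunk sits inside the `for k in GENERATE_KEY_NAMES:` loop, which starts before the hunk and may continue past the PRIV_TO_PUB line. In the tests/unittests/config/test_cc_ssh.py hunk the private-key expectation changes 384 to 0o600, which is the same value, so only the two 0o644 expectations are behavioural; writing all three in octal is still the better style since it matches the source. Whether the mode is enforced on an already-present file (chmod) or only applied at creation (and so subject to the umask) depends on the writer these tuples feed, which is outside the hunk, and is worth confirming so a pre-existing 0600 .pub does not keep its old mode.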