| Message ID | 20241010185107.3312768-1-raj.khem@gmail.com |
|---|---|
| State | New |
| Series | openssh: Be more restrictive on private key file permissions |
Khem Raj via lists.openembedded.org wrote on Thu 10 Oct, 11:51 (GMT):

> mkdir -p "$DIR"
> rm -f ${FILE}.tmp
> ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
> -
> + chmod 0600 "$FILE.tmp"

Or maybe `(umask 700 && ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE)` or do at least `chmod go= "$FILE.tmp"` to not add a user write permission ssh-keygen might not have set.

Kind regards,
Jörg
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys index 606d1894b55..fae2bc5d16c 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -8,7 +8,7 @@ generate_key() { mkdir -p "$DIR" rm -f ${FILE}.tmp ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE - + chmod 0600 "$FILE.tmp" # Atomically rename file public key mv -f "${FILE}.tmp.pub" "${FILE}.pub"
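Review bot: the added `chmod 0600 "$FILE.tmp"` runs unconditionally after an `ssh-keygen` whose exit status is never checked, so if key generation fails the function (unless the script runs under `set -e`, which is not visible in this hunk) prints a spurious chmod error and proceeds to the `mv -f "${FILE}.tmp.pub" "${FILE}.pub"` on files that do not exist; it also tightens the mode only after the private key is already on disk, so the file briefly carries whatever mode it was created with. If the looser mode comes from the process umask, restricting it before creation and bailing out on failure closes both gaps, e.g. `(umask 077 && ssh-keygen -q -f "${FILE}.tmp" -N '' -t "$TYPE") || return 1` (note that a umask of 077, not 700, is what yields 0600; 700 would strip the owner's own bits), with the chmod kept as a backstop for cases a umask does not cover. Minor style point: the new line writes `"$FILE.tmp"` while the surrounding lines use `"${FILE}.tmp"`; one spelling keeps the script easier to grep.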
Sometimes default permissions on filesystems can be more permissive, e.g. 0644; this can make the private key file created here inherit those permissions, and these permissions can then cause the ssh server to not allow ssh connections due to non-secure permissions on the file.

Reported-by: Jean-Michel Papy <jean-michel.papy@exail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)