openssh: limit read access to sshd_config

Message ID 20250703-sshd_perm-v1-1-f92e5fbb18c7@non.se.com
State New
Series openssh: limit read access to sshd_config

Commit Message

Louis Rannou via B4 Relay July 3, 2025, 12:14 p.m. UTC
From: Louis Rannou <louis.rannou@non.se.com>

Enhance security by limiting read access for /etc/sshd_config to user root as it
may reveal insecure configurations.

Read access is limited in the install append as the default value 0644 is
hardcoded in the openssh makefile and is not configurable. Therefore the
permissions are modified in the install append.

Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
---
 meta/recipes-connectivity/openssh/openssh_10.0p1.bb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)


---
base-commit: 77a93e8cf1da4231341c56f64f9d4d474f9f2bb7
change-id: 20250703-sshd_perm-63c8407f962f

Best regards,

Comments

Alexander Kanavin July 3, 2025, 1 p.m. UTC | #1
Wait. This is security by obscurity. If the configuration is insecure,
then that problem should be fixed, not papered over with permissions that
deviate from the upstream default.

Alex

On Thu 3. Jul 2025 at 14.14, Louis Rannou via lists.openembedded.org
<louis.rannou=non.se.com@lists.openembedded.org> wrote:

> From: Louis Rannou <louis.rannou@non.se.com>
>
> Enhance security by limiting read access for /etc/sshd_config to user root
> as it may reveal insecure configurations.
>
> Read access is limited in the install append as the default value 0644
> is hardcoded in the openssh makefile and is not configurable. Therefore the
> permissions are modified in the install append.
>
> Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
> ---
>  meta/recipes-connectivity/openssh/openssh_10.0p1.bb | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
> b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
> index a044aec063..2f446b5540 100644
> --- a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
> @@ -102,7 +102,7 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
>
>  do_configure:prepend () {
>         export LD="${CC}"
> -       install -m 0644 ${UNPACKDIR}/sshd_config ${B}/
> +       install -m 0600 ${UNPACKDIR}/sshd_config ${B}/
>         install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
>  }
>
> @@ -153,9 +153,12 @@ do_install:append () {
>         install -m 644 ${UNPACKDIR}/volatiles.99_sshd
> ${D}/${sysconfdir}/default/volatiles/99_sshd
>         install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
>
> +       # Limit sshd_config access to the owner (default is 0644)
> +       chmod 0600 ${D}${sysconfdir}/ssh/sshd_config
> +
>         # Create config files for read-only rootfs
>         install -d ${D}${sysconfdir}/ssh
> -       install -m 644 ${D}${sysconfdir}/ssh/sshd_config
> ${D}${sysconfdir}/ssh/sshd_config_readonly
> +       install -m 0600 ${D}${sysconfdir}/ssh/sshd_config
> ${D}${sysconfdir}/ssh/sshd_config_readonly
>
>         install -d ${D}${systemd_system_unitdir}
>         if
> ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)};
> then
>
> ---
> base-commit: 77a93e8cf1da4231341c56f64f9d4d474f9f2bb7
> change-id: 20250703-sshd_perm-63c8407f962f
>
> Best regards,
> --
> Louis Rannou <louis.rannou@non.se.com>
Patch

diff --git a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
index a044aec063..2f446b5540 100644
--- a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
@@ -102,7 +102,7 @@  CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 
 do_configure:prepend () {
 	export LD="${CC}"
-	install -m 0644 ${UNPACKDIR}/sshd_config ${B}/
+	install -m 0600 ${UNPACKDIR}/sshd_config ${B}/
 	install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
 }
 
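Review bot: the mode change on the build-tree copy at `install -m 0600 ${UNPACKDIR}/sshd_config ${B}/` has no effect on the file that ends up in the image, because, as the commit message itself states, the openssh makefile hardcodes 0644 when it installs sshd_config into ${D}; the effective mode comes only from the chmod added in do_install:append. Either drop this hunk or note in the commit message that it is for consistency only, so that readers do not mistake it for the actual fix.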
@@ -153,9 +153,12 @@  do_install:append () {
 	install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
 	install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
 
+	# Limit sshd_config access to the owner (default is 0644)
+	chmod 0600 ${D}${sysconfdir}/ssh/sshd_config
+
 	# Create config files for read-only rootfs
 	install -d ${D}${sysconfdir}/ssh
-	install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
+	install -m 0600 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
 
 	install -d ${D}${systemd_system_unitdir}
 	if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
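Review bot: `chmod 0600 ${D}${sysconfdir}/ssh/sshd_config` is placed before `install -d ${D}${sysconfdir}/ssh`, which reads as if the directory might not yet exist, while the chmod already requires the file (and thus the directory) to be in place. Move the chmod below the `install -d`, next to the `install -m 0600 ... sshd_config_readonly` line, so both copies get their mode in one spot and the ordering is obviously correct. The commit message should also state explicitly that this deviates from the upstream 0644 default (the objection raised in the thread) and that with 0600 only root can read the file, so any non-root tooling that inspects or validates sshd_config on the target will stop working; that trade-off is the real content of the change and should be recorded.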