Message ID | 20241011194251.1053651-1-raj.khem@gmail.com |
---|---|
State | New |
Series | [v2] openssh: Be more restrictive on private key file permissions |
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys index 606d1894b55..bbb6a149088 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -8,7 +8,7 @@ generate_key() { mkdir -p "$DIR" rm -f ${FILE}.tmp ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE - + chmod go-rwx "$FILE.tmp" # Atomically rename file public key mv -f "${FILE}.tmp.pub" "${FILE}.pub"
Sometimes default permissions on filesystems can be more permissive, e.g. 0644; this can make the private key file created here inherit those permissions, and these permissions can then cause the ssh server to not allow ssh connections due to non-secure permissions on the file.

Reported-by: Jean-Michel Papy <jean-michel.papy@exail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Jörg Sommer <joerg.sommer@navimatix.de>
---
v2: Remove o and g permissions only

meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
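Review bot: The added `chmod go-rwx "$FILE.tmp"` in `generate_key()` runs only after `ssh-keygen` has already written the private key, so the key sits on disk with the filesystem's default mode for a short window, and the result of `chmod` is not checked before the `mv -f` renames that follow. Consider tightening permissions before generation (for example a restrictive `umask` inside `generate_key()`, where the filesystem honours it) and bailing out with an error if `chmod` fails, since otherwise a key whose group/other bits could not be dropped is still moved into place and the failure described in the commit message would persist without any diagnostic. Style: the neighbouring lines write `"${FILE}.tmp"`, so the same form here would be consistent, and keeping the blank line that this hunk removes would stop the `# Atomically rename file public key` comment from reading as a description of the `chmod`.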