cc_ssh.py: fix private key group owner and permissions (#1070) - vyos-cloud-init.git - (mirror of https://github.com/marekm72/vyos-cloud-init.git)

diff options

author	Emanuele Giuseppe Esposito <eesposit@redhat.com>	2021-10-19 21:32:10 +0200
committer	GitHub <noreply@github.com>	2021-10-19 14:32:10 -0500
commit	ee296ced9c0a61b1484d850b807c601bcd670ec1 (patch)
tree	211f359af3c202f3eb28628dcfa8aa5842e4ae8c /tests
parent	a0a68a24c34ee268962e7a3c3844c59ab4036bf9 (diff)
download	vyos-cloud-init-ee296ced9c0a61b1484d850b807c601bcd670ec1.tar.gz vyos-cloud-init-ee296ced9c0a61b1484d850b807c601bcd670ec1.zip

cc_ssh.py: fix private key group owner and permissions (#1070)

When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key) in RHEL/CentOS/Fedora, openssh it performs the following: # create new keys if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then exit 1 fi # sanitize permissions /usr/bin/chgrp ssh_keys $KEY /usr/bin/chmod 640 $KEY /usr/bin/chmod 644 $KEY.pub Note that the group ssh_keys exists only in RHEL/CentOS/Fedora. Now that we disable sshd-keygen to allow only cloud-init to create them, we miss the "sanitize permissions" part, where we set the group owner as ssh_keys and the private key mode to 640. According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing to set group ownership and permissions like openssh does makes the RHEL openscap tool generate an error. Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com RHBZ: 2013644

Diffstat (limited to 'tests')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: