cc_ssh.py: fix private key group owner and permissions

[esposem]

Proposed Commit Message

When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
in RHEL/CentOS/Fedora, openssh it performs the following:

# create new keys
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
        exit 1
fi

# sanitize permissions
/usr/bin/chgrp ssh_keys $KEY
/usr/bin/chmod 640 $KEY
/usr/bin/chmod 644 $KEY.pub

Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.

Now that we disable sshd-keygen to allow only cloud-init to create
them, we miss the "sanitize permissions" part, where we set the group
owner as ssh_keys and the private key mode to 640.

According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
to set group ownership and permissions like openssh does makes the RHEL openscap
tool generate an error.

Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com

RHBZ: 2013644

Test Steps

Check permissions after cloud-init has generated ssh host keys:

ll /etc/ssh/

-rw-------. 1 root root    545 Oct 14 13:03 ssh_host_ecdsa_key
-rw-r--r--. 1 root root    209 Oct 14 13:03 ssh_host_ecdsa_key.pub
-rw-------. 1 root root    452 Oct 14 13:03 ssh_host_ed25519_key
-rw-r--r--. 1 root root    129 Oct 14 13:03 ssh_host_ed25519_key.pub
-rw-------. 1 root root   2643 Oct 14 13:03 ssh_host_rsa_key
-rw-r--r--. 1 root root    601 Oct 14 13:03 ssh_host_rsa_key.pub

Checklist:

• My code follows the process laid out in the documentation
• I have updated or added any unit tests accordingly
• I have updated or added any documentation accordingly

[TheRealFalcon]

Thanks!