
cc_ssh.py: Change private keyfile mode to 600#1121

Closed
Jianlin-lv wants to merge 1 commit into canonical:main from Jianlin-lv:pr-fix-sshd-issue


Conversation

@Jianlin-lv

sshd requires that private key files are not accessible by others.
Permissions 0640 for the keyfile are too open.

One use case is provisioning one Ubuntu 20.04 VM with sshd version
‘OpenSSH_8.2p1 Ubuntu-4ubuntu0.3’.
The ssh.service process is aborted, because ExecStartPre=‘/usr/sbin/sshd -t’
fails. The VM can’t be connected to with ssh anymore.
So change private key files to 600 mode.

Signed-off-by: Jianlin Lv <lvlin@mail.ustc.edu.cn>

Proposed Commit Message

I provisioned one Ubuntu 20.04 VM and can't log in with ssh.
ssh.service startup failed, because ExecStartPre=‘/usr/sbin/sshd -t’ returns an error.
The root cause is that the permissions of the private key are too open.

Additional Context

Test Steps

Checklist:

  • My code follows the process laid out in the documentation
  • I have updated or added any unit tests accordingly
  • I have updated or added any documentation accordingly

sshd requires that private key files are not accessible by others.
Permissions 0640 for the keyfile are too open.

One use case is provisioning one Ubuntu 20.04 VM with sshd version
‘OpenSSH_8.2p1 Ubuntu-4ubuntu0.3’. The ssh.service process is aborted,
because ExecStartPre=‘/usr/sbin/sshd -t’ fails.
The VM can’t be connected to with ssh anymore. So change private key
files to 600 mode.

Signed-off-by: Jianlin Lv <lvlin@mail.ustc.edu.cn>
@TheRealFalcon
Contributor

Hey @Jianlin-lv , these permissions are set intentionally on RHEL/CentOS/Fedora due to a requirement on those systems. See #1070 where the change was added. These permissions should only get set if there's an "ssh_keys" group, which shouldn't exist on Ubuntu.

How are you deploying your instance? Do you have a manually created "ssh_keys" group?

@Jianlin-lv
Author

> Hey @Jianlin-lv , these permissions are set intentionally on RHEL/CentOS/Fedora due to a requirement on those systems. See #1070 where the change was added. These permissions should only get set if there's an "ssh_keys" group, which shouldn't exist on Ubuntu.
>
> How are you deploying your instance? Do you have a manually created "ssh_keys" group?

We created the "ssh_keys" group, which is inherited from CentOS.
It seems that deleting the "ssh_keys" group can solve the problem I encountered.
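The two rules the thread turns on, modelled as an added example (not cloud-init's own code nor anything from the PR): cloud-init chooses 0640 for host private keys only when an `ssh_keys` group is present (the RHEL/CentOS/Fedora convention), and upstream OpenSSH's private-key check (`sshkey_perm_ok` in `authfile.c`) rejects any key owned by the calling user that has group or other permission bits set, which is what `sshd -t` reports as "Permissions 0640 ... are too open". The `host_key_mode` function is an assumed simplification of the cloud-init behaviour TheRealFalcon describes; `audit_key_file` is a defender-side check you can run over `/etc/ssh/ssh_host_*_key` before a reboot, and `demo` exercises it on constructed placeholder files.

```python
import grp
import os
import stat
import tempfile

# Bits that upstream sshd refuses to see set on a private key it owns (group + other).
SSHD_PRIVATE_KEY_MASK = 0o077


def group_exists(name: str) -> bool:
    """True if a local group with this name is in the group database."""
    try:
        grp.getgrnam(name)
    except KeyError:
        return False
    return True


def host_key_mode(ssh_keys_group_present: bool) -> int:
    # Assumed model of the behaviour described in the thread: group-readable
    # 0640 only when the ssh_keys group exists (RHEL-family convention),
    # otherwise the upstream default of 0600.
    return 0o640 if ssh_keys_group_present else 0o600


def sshd_accepts_mode(mode: int, owned_by_caller: bool = True) -> bool:
    """Upstream OpenSSH's sshkey_perm_ok rule: a key owned by the calling user
    must have no group/other bits; keys owned by someone else are not checked."""
    if not owned_by_caller:
        return True
    return (mode & SSHD_PRIVATE_KEY_MASK) == 0


def audit_key_file(path: str) -> dict:
    """Report whether sshd (run as the current user) would load this key file."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    ok = sshd_accepts_mode(mode, owned_by_caller=(st.st_uid == os.getuid()))
    reason = None if ok else f"Permissions 0{mode:03o} for '{path}' are too open."
    return {"mode": mode, "ok": ok, "reason": reason}


def demo() -> dict:
    """Create constructed placeholder key files with each mode and audit them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, ssh_keys_present in (("rhel_like", True), ("ubuntu_like", False)):
            path = os.path.join(tmp, f"ssh_host_ed25519_key.{label}")
            with open(path, "w") as fh:
                fh.write("-- constructed placeholder, not a real key --\n")
            os.chmod(path, host_key_mode(ssh_keys_present))
            results[label] = audit_key_file(path)
    return results


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, oct(report["mode"]), "ok" if report["ok"] else report["reason"])
    print("ssh_keys group present on this host:", group_exists("ssh_keys"))
```

On an Ubuntu host the `rhel_like` case reproduces the failure in the PR: an unpatched sshd sees 0640 on a root-owned key and `sshd -t` exits non-zero, so `ExecStartPre` aborts the unit. The fix TheRealFalcon points to is to not carry an `ssh_keys` group over from a CentOS image rather than to change the mode cloud-init writes for the RHEL family.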

@TheRealFalcon
Contributor

> We created the "ssh_keys" group, which is inherited from CentOS.
> It seems that deleting the "ssh_keys" group can solve the problem I encountered.

Thanks for the update. I'm going to close this PR then. If you believe there is still something to be addressed, feel free to re-open or create a new PR.


2 participants