From 8e2d022fe944f6c1661611d73ea43ce610345393 Mon Sep 17 00:00:00 2001
From: Jianlin Lv
Date: Fri, 26 Nov 2021 16:02:49 +0000
Subject: [PATCH] cc_ssh.py: Change keyfile mode to 600
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

sshd required that private key files are not accessible by others. Permissions 0640 for keyfile are too open. One use case is provision one ubuntu 20.04 VM with sshd version ‘OpenSSH_8.2p1 Ubuntu-4ubuntu0.3’. ssh.service process is aborted, because ExecStartPre=‘/usr/sbin/sshd -t’ run failed. Can’t connect vm using ssh connection anymore. So change private key files to 600 mode.

Signed-off-by: Jianlin Lv
---
 cloudinit/config/cc_ssh.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 1053ab67c24..2a88bfc66bc 100755
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -252,7 +252,7 @@ def handle(_name, cfg, cloud, log, _args):
 if gid != -1:
 # perform same "sanitize permissions" as sshd-keygen
 os.chown(keyfile, -1, gid)
- os.chmod(keyfile, 0o640)
+ os.chmod(keyfile, 0o600)
 os.chmod(keyfile + ".pub", 0o644)
 except subp.ProcessExecutionError as e:
 err = util.decode_binary(e.stderr).lower()
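Review bot: The comment two lines above the changed line, `# perform same "sanitize permissions" as sshd-keygen`, now misdescribes the branch: the 0640-with-group layout is what sshd-keygen's sanitize step produces, and this hunk deliberately departs from it, so a later reader is likely to "restore" 0640 as a bug fix. With 0600 the preceding `os.chown(keyfile, -1, gid)` also no longer grants the ssh_keys group any access to the private key, which looks intentional but is not stated anywhere in the code. Replace the comment with the real rationale, e.g. `# keep ssh_keys group ownership like sshd-keygen, but 0600: sshd -t rejects a group-readable host key as "too open"`. This only changes the `gid != -1` path; if the intent is that private host keys are never group-readable, the default-mode path outside this hunk should be checked for the same 0600. handle() starts and continues outside the hunk, so the rest of the try block is not visible here.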