From 9aa2e8a408ce61e2d2ccc1dbd5f9c9b97848d2c9 Mon Sep 17 00:00:00 2001
From: Ron Gebauer
Date: Thu, 19 Jan 2023 21:26:45 +0100
Subject: [PATCH 1/5] change: perm for ssh host keys

private keys should have 0600: https://www.tenable.com/audits/items/CIS_Google_Container_Optimized_OS_v1.0.0_L1_Server.audit:6225b8224fbd4f360ebdc72c56f3eae9
public keys should have 0644: https://www.tenable.com/audits/items/CIS_Google_Container_Optimized_OS_v1.0.0_L1_Server.audit:7f016cd406100a1ee2ad94834111f005
---
 cloudinit/config/cc_ssh.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index c9e59d1690b..2a58f66c849 100644
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -187,7 +187,7 @@
 CONFIG_KEY_TO_FILE.update(
 {
 f"{k}_private": (KEY_FILE_TPL % k, 0o600),
- f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600),
+ f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o644),
 f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o600),
 }
 )
@@ -278,7 +278,7 @@ def handle(
 if gid != -1:
 # perform same "sanitize permissions" as sshd-keygen
 os.chown(keyfile, -1, gid)
- os.chmod(keyfile, 0o640)
+ os.chmod(keyfile, 0o600)
 os.chmod(keyfile + ".pub", 0o644)
 except subp.ProcessExecutionError as e:
 err = util.decode_binary(e.stderr).lower()
From 4f873e42abe539611bac6e80120d4d633f8eb57c Mon Sep 17 00:00:00 2001
From: Ron Gebauer
Date: Fri, 20 Jan 2023 11:53:42 +0100
Subject: [PATCH 2/5] fix: use octal and correct pubkey

change to octal and use 420 for public
- 384 => 0o600
- 420 => 0o644
- 384 => 0o600
---
 tests/unittests/config/test_cc_ssh.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py
index 8f2ca8bfeec..38717056a44 100644
--- a/tests/unittests/config/test_cc_ssh.py
+++ b/tests/unittests/config/test_cc_ssh.py
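Review bot: The mode column of CONFIG_KEY_TO_FILE is undocumented, so this hunk does not tell a reader why `_public` becomes 0o644 while `_private` stays 0o600, or what the second tuple element is at all. Suggest a comment above the `CONFIG_KEY_TO_FILE.update(` call: `# (path, mode) per config key: private keys must stay owner-only (0o600); public material is 0o644, which is what ssh-keygen itself writes`. The same comment also covers the `_certificate` entry that PATCH 4/5 changes to 0o644, so it need not be repeated there. The loop that binds `k` starts outside the hunk.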
@@ -330,17 +330,17 @@ def test_handle_ssh_keys_in_cfg(
 mock.call(
 "/etc/ssh/ssh_host_{}_key".format(key_type),
 private_value,
- 384,
+ 0o600,
 ),
 mock.call(
 "/etc/ssh/ssh_host_{}_key.pub".format(key_type),
 public_value,
- 384,
+ 0o644,
 ),
 mock.call(
 "/etc/ssh/ssh_host_{}_key-cert.pub".format(key_type),
 cert_value,
- 384,
+ 0o600,
 ),
 mock.call(
 sshd_conf_fname,
From 9d4c6ecd03a38f05e5fe18cbcb714970c9c76c39 Mon Sep 17 00:00:00 2001
From: Ron Gebauer
Date: Fri, 20 Jan 2023 13:31:16 +0100
Subject: [PATCH 3/5] add: username to cla signers

---
 tools/.github-cla-signers | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/.github-cla-signers b/tools/.github-cla-signers
index 77962d87e55..6833aa9a8b3 100644
--- a/tools/.github-cla-signers
+++ b/tools/.github-cla-signers
@@ -80,6 +80,7 @@ MarkMielke
 marlluslustosa
 matthewruffell
 maxnet
+Mazorius
 megian
 michaelrommel
 mitechie
From e49852d44aba7e32e763244af2cb152b214b2306 Mon Sep 17 00:00:00 2001
From: Ron Gebauer
Date: Fri, 20 Jan 2023 13:38:51 +0100
Subject: [PATCH 4/5] fix: cert is also public and should be 644

---
 cloudinit/config/cc_ssh.py | 2 +-
 tests/unittests/config/test_cc_ssh.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 2a58f66c849..9bfcb4a83d5 100644
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -188,7 +188,7 @@
 {
 f"{k}_private": (KEY_FILE_TPL % k, 0o600),
 f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o644),
- f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o600),
+ f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o644),
 }
 )
 PRIV_TO_PUB[f"{k}_private"] = f"{k}_public"
diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py
index 38717056a44..cc4032de36c 100644
--- a/tests/unittests/config/test_cc_ssh.py
+++ b/tests/unittests/config/test_cc_ssh.py
@@ -340,7 +340,7 @@ def test_handle_ssh_keys_in_cfg(
 mock.call(
 "/etc/ssh/ssh_host_{}_key-cert.pub".format(key_type),
 cert_value,
- 0o600,
+ 0o644,
 ),
 mock.call(
 sshd_conf_fname,
From 8bf97a63b9877f42d6a8cfd31c011f6ea57a83f0 Mon Sep 17 00:00:00 2001
From: Ron Gebauer
Date: Tue, 24 Jan 2023 10:22:37 +0100
Subject: [PATCH 5/5] change back to 0o640 as discussed

---
 cloudinit/config/cc_ssh.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 9bfcb4a83d5..c01dd48c54c 100644
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -278,7 +278,7 @@ def handle(
 if gid != -1:
 # perform same "sanitize permissions" as sshd-keygen
 os.chown(keyfile, -1, gid)
- os.chmod(keyfile, 0o600)
+ os.chmod(keyfile, 0o640)
 os.chmod(keyfile + ".pub", 0o644)
 except subp.ProcessExecutionError as e:
 err = util.decode_binary(e.stderr).lower()
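Review bot: Going back to `os.chmod(keyfile, 0o640)` deliberately grants group read on a host private key, and the only comment, `# perform same "sanitize permissions" as sshd-keygen`, does not say that this is acceptable solely because the preceding `os.chown(keyfile, -1, gid)` has just handed the file to the dedicated key group; a reader comparing it with the 0o600 used for `_private` entries in CONFIG_KEY_TO_FILE (PATCH 1/5) will see a contradiction. Suggest extending the comment to `# 0o640, not 0o600: sshd-keygen gives the dedicated key group read access; the config-supplied key path in CONFIG_KEY_TO_FILE keeps 0o600 because it never chowns`. The gid lookup happens outside the hunk, so I cannot confirm here that it only ever resolves that dedicated group; if it could fall back to any other group, the widening would expose the key to it. The chown-then-chmod order is right, since the group read bit is only set once the file already belongs to the intended group. handle() begins outside the hunk.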