
cc_ssh.py: fix private key group owner and permissions (#1070)

BZ: 2015974
TESTED: by me

commit ee296ced9c0a61b1484d850b807c601bcd670ec1
Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date:   Tue Oct 19 21:32:10 2021 +0200

    cc_ssh.py: fix private key group owner and permissions (#1070)

    When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
    in RHEL/CentOS/Fedora, openssh performs the following:

    # create new keys
    if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
            exit 1
    fi

    # sanitize permissions
    /usr/bin/chgrp ssh_keys $KEY
    /usr/bin/chmod 640 $KEY
    /usr/bin/chmod 644 $KEY.pub

    Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.

    Now that we disable sshd-keygen to allow only cloud-init to create
    them, we miss the "sanitize permissions" part, where we set the group
    owner as ssh_keys and the private key mode to 640.

    According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
    to set group ownership and permissions like openssh does makes the RHEL openscap
    tool generate an error.

    Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com

    RHBZ: 2015974

Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
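As an added example (not cloud-init's cc_ssh.py nor the author's patch), a small Python sanitizer that applies the sshd-keygen "sanitize permissions" scheme quoted in the commit message to a generated host key pair. It assumes, beyond what the page states, a fallback for systems without the ssh_keys group: leave the group alone and tighten the private key to 0600 instead of 0640, since a group-readable key only makes sense when the group is the dedicated ssh_keys one.

```python
import grp
import os
import stat
import tempfile

# Assumed values; they mirror the sshd-keygen snippet quoted in the commit message.
SSH_KEYS_GROUP = "ssh_keys"
PRIVATE_KEY_MODE = 0o640  # group-readable only because the group is ssh_keys
PUBLIC_KEY_MODE = 0o644

def sanitize_host_key(private_key_path, group_name=SSH_KEYS_GROUP):
    """Apply sshd-keygen's "sanitize permissions" step to one host key pair.

    Returns (group_applied, private_mode, public_mode) read back from disk.
    Assumption: where the ssh_keys group is missing (non RHEL-family systems)
    or chown is not permitted, the group is left untouched and the private
    key is tightened to 0600 rather than made group-readable as 0640.
    """
    public_key_path = private_key_path + ".pub"
    try:
        gid = grp.getgrnam(group_name).gr_gid
        os.chown(private_key_path, -1, gid)  # -1 keeps the current owner uid
        private_mode, group_applied = PRIVATE_KEY_MODE, True
    except (KeyError, OSError):
        private_mode, group_applied = 0o600, False
    os.chmod(private_key_path, private_mode)
    os.chmod(public_key_path, PUBLIC_KEY_MODE)
    return (
        group_applied,
        stat.S_IMODE(os.stat(private_key_path).st_mode),
        stat.S_IMODE(os.stat(public_key_path).st_mode),
    )

def current_primary_group():
    """Caller's primary group name, or None if it has no group database entry."""
    try:
        return grp.getgrgid(os.getgid()).gr_name
    except KeyError:
        return None

def demo(group_name=SSH_KEYS_GROUP):
    """Constructed stand-in key pair (placeholder text, not real keys) written
    with deliberately wrong modes, then sanitized; returns the resulting tuple."""
    key = os.path.join(tempfile.mkdtemp(), "ssh_host_ed25519_key")
    for path, wrong_mode in ((key, 0o644), (key + ".pub", 0o600)):
        with open(path, "w") as fh:
            fh.write("placeholder, not a key\n")
        os.chmod(path, wrong_mode)
    return sanitize_host_key(key, group_name)
```

Running `demo()` on a RHEL-family host as root yields `(True, 0o640, 0o644)`, matching what sshd-keygen would have left behind; elsewhere the fallback branch reports `(False, 0o600, 0o644)`.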
