Skip to content

feat: Set RH ssh key permissions when no 'ssh_keys' group (#5296)

Ani Sinha requested to merge anisinha/cloud-init:fix-key-perms-c10s into c10s

Jira: https://issues.redhat.com/browse/RHEL-36456

Fedora core 38 and above, centos 10 stream and all distributions derived from
them do not have the group 'ssh_keys'. Please see the fedora rawhide change
https://src.fedoraproject.org/rpms/openssh/c/7a21555354a2c5e724aa4c287b640c24bf108780?branch=rawhide

In those distributions, openssh versions are 9 and above. The private
key permissions are set as 0o600 and the public key permissions are set as
0o644 from sshd-keygen utility. The 'root' group owns the keys.
Please see
https://src.fedoraproject.org/rpms/openssh/c/b615362fd0b4da657d624571441cb74983de6e3f?branch=rawhide

In older releases where 'ssh_keys' group is present, the private key
permissions are set as 0o640. Public key permissions are 0o644. These
releases have openssh version less than 9.

Since cloud-init generates the keys and not the sshd-genkey utility,
permissions must be set accordingly for cloud-init generated public and
private keys for all cases. This includes cases where 'ssh_keys' group is
absent. This change fixes this. The code has been reworked a little
bit so as to simplify things. Unit tests have been adjusted accordingly.

Signed-off-by: Ani Sinha <anisinha@redhat.com>
(cherry picked from commit 23136e6a94821320a85117a2e4c4bb9b0926541f)

Merge request reports