From 08d842d5e8cb0edc7fe17c1f96b74f3b503733e3 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Mar 03 2023 14:56:51 +0000 Subject: Use a service unit to strip ssh_keys group from host keys (rhbz#2172956) Use a systemd service unit to strip the ssh_keys group and change the mode for host keys. This ensure that this migration is done right before the openssh server startup on all kind of systems, either RPM or rpm-ostree based. Use a marker file to only do this once. We need to keep this service unit for two Fedora releases so we will be able to remove it in Fedora 40. See: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit Fixes: 7a21555 Get rid of ssh_keys group for new installations Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2172956 Co-authored-by: Timothée Ravier --- diff --git a/openssh.spec b/openssh.spec index dd5fa64..2b5a3ec 100644 --- a/openssh.spec +++ b/openssh.spec @@ -47,7 +47,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 9.0p1 -%global openssh_rel 10 +%global openssh_rel 11 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 7 @@ -74,6 +74,8 @@ Source15: sshd-keygen.target Source16: ssh-agent.service Source17: ssh-agent.socket Source19: openssh-server-systemd-sysusers.conf +Source20: ssh-host-keys-migration.sh +Source21: ssh-host-keys-migration.service #https://bugzilla.mindrot.org/show_bug.cgi?id=2581 Patch100: openssh-6.7p1-coverity.patch 
@@ -582,6 +584,10 @@ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/openssh-server.conf +# Migration service/script for Fedora 38 change to remove group ownership for standard host keys +# See https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit +install -m744 %{SOURCE20} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/ssh-host-keys-migration.sh +install -m644 %{SOURCE21} $RPM_BUILD_ROOT/%{_unitdir}/ssh-host-keys-migration.service # enabled in 90-default.preset %if ! %{no_gnome_askpass} install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass @@ -608,13 +614,16 @@ popd %pre server %sysusers_create_compat %{SOURCE19} -# Migration scriptlet for Fedora 38/39 -# We want to remove group ownership for standard host keys if they exist -test -f /etc/ssh/ssh_host_rsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_rsa_key || : -test -f /etc/ssh/ssh_host_ecdsa_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ecdsa_key || : -test -f /etc/ssh/ssh_host_ed25519_key && /usr/bin/chmod g-r /etc/ssh/ssh_host_ed25519_key || : %post server +if [ $1 -gt 1 ]; then + # In the case of an upgrade (never true on OSTree systems) run the migration + # script for Fedora 38 to remove group ownership for host keys. + %{_libexecdir}/openssh/ssh-host-keys-migration.sh + # Prevent the systemd unit that performs the same service (useful for + # OSTree systems) from running. + touch /var/lib/.ssh-host-keys-migration +fi %systemd_post sshd.service sshd.socket # Migration scriptlet for Fedora 31 and 32 installations to sshd_config # drop-in directory (in F32+). 
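Review bot: In the upgrade branch added to `%post server`, nothing checks the exit status of `ssh-host-keys-migration.sh` before `touch /var/lib/.ssh-host-keys-migration` runs. The script uses `set -eu -o pipefail`, so a failing `chmod` or `chown` would abort it partway and the marker would still be written. The unit is gated on `ConditionPathExists=!/var/lib/.ssh-host-keys-migration`, so the migration would then never be retried and any key still at 0640 would presumably keep being ignored by sshd. The same pattern appears in ssh-host-keys-migration.service, where `ExecStart=-…` ignores the script's status before `ExecStart=touch …` runs. Consider writing the marker only on success while keeping the scriptlet non-fatal: `%{_libexecdir}/openssh/ssh-host-keys-migration.sh && touch /var/lib/.ssh-host-keys-migration || :`.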
@@ -699,6 +708,8 @@ test -f %{sysconfig_anaconda} && \ %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service %attr(0644,root,root) %{_unitdir}/sshd-keygen.target %attr(0644,root,root) %{_sysusersdir}/openssh-server.conf +%attr(0644,root,root) %{_unitdir}/ssh-host-keys-migration.service +%attr(0744,root,root) %{_libexecdir}/openssh/ssh-host-keys-migration.sh %files keycat %doc HOWTO.ssh-keycat @@ -720,6 +731,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Wed Mar 01 2023 Dusty Mabe - 9.0p1-11 +- Provide a systemd unit for restoring default host key permissions (rhbz#2172956) +- Co-Authored by Timothée Ravier + * Mon Jan 23 2023 Dmitry Belyavskiy - 9.0p1-10 - Restore upstream behaviour and default host key permissions (rhbz#2141272)
diff --git a/ssh-host-keys-migration.service b/ssh-host-keys-migration.service
new file mode 100644
index 0000000..41e2c6b
--- /dev/null
+++ b/ssh-host-keys-migration.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Update OpenSSH host key permissions
+Documentation=https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
+Before=sshd.service
+After=ssh-keygen.target
+ConditionPathExists=!/var/lib/.ssh-host-keys-migration
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/libexec/openssh/ssh-host-keys-migration.sh
+ExecStart=touch /var/lib/.ssh-host-keys-migration
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sshd.service
diff --git a/ssh-host-keys-migration.sh b/ssh-host-keys-migration.sh
new file mode 100644
index 0000000..f01ab86
--- /dev/null
+++ b/ssh-host-keys-migration.sh
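Review bot: `After=ssh-keygen.target` in the new unit does not match the target this package ships, which the spec lists as `sshd-keygen.target` (`Source15` and the `%files` entry), so the intended ordering after host key generation presumably has no effect. systemd accepts an ordering dependency on a unit name that does not exist without reporting an error, so the mismatch would go unnoticed at runtime. Proposed change: `After=sshd-keygen.target`. It is also worth a comment above `Before=sshd.service` saying whether connections served through `sshd.socket` are covered by this ordering and by `WantedBy=sshd.service`; that cannot be judged from this diff.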
@@ -0,0 +1,38 @@
+#!/usr/bin/bash
+set -eu -o pipefail
+# Detect existing non-conforming host keys and perform the permissions migration
+# https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
+#
+# Example output looks like:
+# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
+# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+# Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
+# It is required that your private key files are NOT accessible by others.
+# This private key will be ignored.
+# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
+# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+# Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
+# It is required that your private key files are NOT accessible by others.
+# This private key will be ignored.
+# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
+# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+# Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
+# It is required that your private key files are NOT accessible by others.
+# This private key will be ignored.
+# sshd: no hostkeys available -- exiting.
+#
+output="$(sshd -T 2>&1 || true)" # expected to fail
+if grep -q "sshd: no hostkeys available" <<< "$output"; then
+ while read line; do
+ if [[ $line =~ ^Permissions\ [0-9]+\ for\ \'(.*)\'\ are\ too\ open. ]]; then
+ keyfile=${BASH_REMATCH[1]}
+ echo $line
+ echo -e "\t-> changing permissions on $keyfile"
+ chmod --verbose g-r $keyfile
+ chown --verbose root:root $keyfile
+ fi
+ done <<< "$output"
+fi
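Review bot: The `chmod` and `chown` calls run as root on a path parsed out of sshd's diagnostic text, and `$keyfile` is expanded unquoted, so a `HostKey` path containing whitespace or glob characters would be word-split or expanded into other arguments. Quote the expansion and end option parsing with `chmod --verbose g-r -- "$keyfile"` and `chown --verbose root:root -- "$keyfile"`, and read the lines with `while IFS= read -r line; do` so backslashes and leading whitespace survive. Separately, the whole loop is gated on `sshd: no hostkeys available`, so on a host where at least one key still loads, the remaining 0640 keys would presumably be left unmigrated and ignored by sshd. Matching the `Permissions … are too open` lines unconditionally would cover that case.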