Re: OpenSSH: hardening hostkeys permissions

Dear Daniel, Thanks for your feedback! On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé <berrange(a)redhat.com&gt; wrote: > On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote: > > The problem we expect is that after reverting the patch we can lose the > > remote access to the hosts because sshd will reject starting because of > > group reading permissions. This should be covered by the upgrade > scriptlet, > > though we still may come across some issues, especially if you use host > > keys in non-standard locations. How do we properly implement this feature > > to avoid customers' negative feedback? Current upgrade scriptlet covers > > standard key locations/names and works well enough at the 1st glance. > > In terms of upgrade impact the upgrade scriptlet may not be sufficient > to mitigate the compat risk. It is possible that there are puppet/ansible > recipes that will be setting file ownership/permissions on the keys, > which might be liable to undo the effect of any RPM upgrade scriptlet. > > > The proposed changes are available > > https://src.fedoraproject.org/rpms/openssh/pull-request/37 > > > > A separate question is whether we want to publish this announcement as a > > Fedora change and at what level. For me it looks like a self-contained > > change. > > Publishing a Fedora change looks like a wise idea, given the upgrade > risk and its possible ripple effect to OS config mgmt tools like puppet > and ansible. > Drafted here, to be published: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit