For folks not subscribed to atomic-devel.

----- Forwarded Message -----
From: "Scott Collier" <emailscottcollier@xxxxxxxxx>
To: atomic-devel@xxxxxxxxxxxxxxxx
Sent: Friday, April 3, 2015 1:34:38 AM
Subject: [atomic-devel] incorrect permissions

I was testing cockpit on the F22 Atomic image and ran into this issue. Cockpit would start, but I could not connect to it because SSH was having a problem. The error cockpit gave after trying to log in to the web interface was:

"Couldn't connect or authenticate: no-host"

This may have been brought up before; I didn't dig into existing issues.

The problem was permissions on these two files:

/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_rsa_key

The message from "systemctl status sshd" was:

# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2015-04-03 05:27:21 UTC; 7s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 5183 (sshd)
   Memory: 844.0K
   CGroup: /system.slice/sshd.service
           └─5183 /usr/sbin/sshd -D

Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: It is required that your private key files are NOT accessible by others.
Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: This private key will be ignored.
Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: key_load_private: bad permissions
Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: Could not load host key: /etc/ssh/ssh_host_rsa_key
Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: Server listening on 0.0.0.0 port 22.
Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: Server listening on :: port 22.

So, I changed the permissions on both files to 600 and restarted sshd, then cockpit was able to connect.

Version:

# atomic host status
  TIMESTAMP (UTC)         VERSION   ID             OSNAME            REFSPEC
* 2015-04-02 10:45:23     22.29     0db0777dfb     fedora-atomic     fedora-atomic:fedora-atomic/f22/x86_64/docker-host
  2015-03-05 11:02:11     22.6      e1e60980f1     fedora-atomic     fedora-atomic:fedora-atomic/f22/x86_64/docker-host

-scott

--
Joe Brockmeier | Principal Cloud & Storage Analyst
jzb@xxxxxxxxxx | http://community.redhat.com/
Twitter: @jzb | http://dissociatedpress.net/

_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
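
An added example, not part of the original message and not Fedora or OpenSSH code: a shell function that audits a directory for SSH host private keys with any group or other permission bit set, the condition sshd reported for mode 0640 in the log above. The function names, the constructed fixture files, and the reliance on GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example: report SSH host private keys that group or others can access.

# too_open FILE
# Succeeds when FILE's mode has any group/other bit set (mode & 077 != 0).
# Assumes GNU coreutils stat, which prints the octal mode with -c '%a'.
too_open() {
    mode=$(stat -c '%a' "$1") || return 2
    # The leading 0 makes the shell read the value as octal.
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# audit_host_keys [DIR]
# Prints "<octal mode> <path>" for each offending ssh_host_*_key in DIR
# (default /etc/ssh). Returns 0 when every key is private, 1 otherwise.
# Public halves (*.pub) are not matched by the glob and are not checked.
audit_host_keys() {
    dir=${1:-/etc/ssh}
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue        # unmatched glob or non-regular file
        if too_open "$key"; then
            printf '%s %s\n' "$(stat -c '%a' "$key")" "$key"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# make_fixture
# Constructed sample input: empty stand-in files (not real keys) in a temp
# directory, one with the rejected mode from the report (0640) and one with
# the mode applied as the fix (0600). Prints the directory path.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/ssh_host_rsa_key"
    chmod 0640 "$d/ssh_host_rsa_key"
    : > "$d/ssh_host_ecdsa_key"
    chmod 0600 "$d/ssh_host_ecdsa_key"
    printf '%s\n' "$d"
}
```

Calling `audit_host_keys` with no argument checks `/etc/ssh`; its exit status makes it usable as a gate in an image build or boot-time check.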