Re: OpenSSH: hardening hostkeys permissions

On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> The problem we expect is that after reverting the patch we can lose the
> remote access to the hosts because sshd will reject starting because of
> group reading permissions. This should be covered by the upgrade scriptlet,
> though we still may come across some issues, especially if you use host
> keys in non-standard locations. How do we properly implement this feature
> to avoid customers' negative feedback? Current upgrade scriptlet covers
> standard key locations/names and works well enough at first glance.

In terms of upgrade impact the upgrade scriptlet may not be sufficient
to mitigate the compat risk. It is possible that there are puppet/ansible
recipes that will be setting file ownership/permissions on the keys,
which might be liable to undo the effect of any RPM upgrade scriptlet.

> The proposed changes are available
> https://src.fedoraproject.org/rpms/openssh/pull-request/37
> 
> A separate question is whether we want to publish this announcement as a
> Fedora change and at what level. For me it looks like a self-contained
> change.

Publishing a Fedora change looks like a wise idea, given the upgrade
risk and its possible ripple effect to OS config mgmt tools like puppet
and ansible.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
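A pre-upgrade audit of the kind this reply is worried about, as an added example that is not part of the thread or of the Fedora openssh package: it reads the HostKey directives from an sshd_config (so non-standard key locations are covered), falls back to the default key paths when none are configured, and flags any private key whose mode grants bits to group or other. The config path and the GNU `stat -c` syntax are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the Fedora openssh package.
# Pre-upgrade audit: list the host keys sshd will load and flag any private
# key whose mode grants read/write/exec bits to group or other, which a
# permissions hardening would make sshd refuse. Config path is an assumption.

# Print the HostKey paths configured in the given sshd_config, one per line;
# fall back to the OpenSSH default key locations when none are configured.
hostkey_paths() {
    cfg="$1"
    paths=$(awk 'tolower($1) == "hostkey" { print $2 }' "$cfg")
    if [ -z "$paths" ]; then
        paths="/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key"
    fi
    # word splitting on $paths is intended: one path per output line
    printf '%s\n' $paths
}

# Succeed when an octal mode (e.g. 600 or 0600) sets no group/other bits.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Audit every configured host key; print one line per problem and fail
# when any key is missing or readable by group/other.
audit_hostkeys() {
    cfg="$1"
    bad=0
    for key in $(hostkey_paths "$cfg"); do
        if [ ! -e "$key" ]; then
            echo "missing: $key"
            bad=$((bad + 1))
            continue
        fi
        # GNU stat first (assumed on Fedora); BSD stat syntax as a fallback.
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        if ! mode_is_private "$mode"; then
            echo "group/other readable: $key (mode $mode)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage (assumed default config path): audit_hostkeys /etc/ssh/sshd_config
```

Run it before the package upgrade and again after any puppet/ansible run, since the reply's point is that config management may reset the modes the scriptlet fixed.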
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx