Re: OpenSSH: hardening hostkeys permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Dec 08, 2022 at 03:41:32PM +0100, Dmitry Belyavskiy wrote:
> Dear Daniel,
> Thanks for your feedback!
> 
> On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé <berrange@xxxxxxxxxx>
> wrote:
> 
> > On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> > > The problem we expect is that after reverting the patch we can lose the
> > > remote access to the hosts because sshd will reject starting because of
> > > group reading permissions. This should be covered by the upgrade
> > scriptlet,
> > > though we still may come across some issues, especially if you use host
> > > keys in non-standard locations. How do we properly implement this feature
> > > to avoid customers' negative feedback? Current upgrade scriptlet covers
> > > standard key locations/names and works well enough at the 1st glance.
> >
> > In terms of upgrade impact the upgrade scriptlet may not be sufficient
> > to mitigate the compat risk. It is possible that there are puppet/ansible
> > recipes that will be setting file ownership/permissions on the keys,
> > which might be liable to undo the effect of any RPM upgrade scriptlet.
> >
> > > The proposed changes are available
> > > https://src.fedoraproject.org/rpms/openssh/pull-request/37
> > >
> > > A separate question is whether we want to publish this announcement as a
> > > Fedora change and at what level. For me it looks like a self-contained
> > > change.
> >
> > Publishing a Fedora change looks like a wise idea, given the upgrade
> > risk and its possible ripple effect to OS config mgmt tools like puppet
> > and ansible.
> >
> 
> Drafted here, to be published:
> https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit

I think the "Upgrade/compatibility impact" section ought to call out the
possible risk with config mgmt tools like puppet/ansible, that might be
managing SSH host keys and their permissions/ownership


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux