Re: OpenSSH: hardening hostkeys permissions

On Thu, Dec 8, 2022, at 9:51 AM, Daniel P. Berrangé wrote:

> I think the "Upgrade/compatibility impact" section ought to call out the
> possible risk with config mgmt tools like puppet/ansible, that might be
> managing SSH host keys and their permissions/ownership


So that was done with:

> The problem we expect is that after implementing the change we can
> lose the remote access to the hosts because sshd will reject starting
> because of group reading permissions. This should be covered by
> upgrade script, though we still may come across some issues,
> especially if you use host keys in non-standard location.

This is an accurate statement.  However, I am sure some system administrators who end up getting surprised and affected by this and lose remote access to their systems and have to take a trip to the data center or whatever may be more emotional ;)

There's some related discussion to this in https://src.fedoraproject.org/rpms/openssh/pull-request/39# including an idea to use the MOTD as a way to warn users.

I think we at a minimum need to implement a warning *now* and push it out to Fedora stable releases before even trying to land this.

Further, I would suggest having a phase between "warn" and "your ssh keys in a nonstandard location no longer work". The in-between phase would be something like "ssh connections in this setup are subject to a 3-second delay, and also fail 1/5 of attempts" or so. That should make the change a lot more likely to be seen. It won't help the admins that only use ssh rarely and somehow miss this change, unfortunately.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
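The failure mode discussed above (sshd refusing host keys that are group-readable, with keys in non-standard locations being the ones an upgrade script is most likely to miss) can be checked for ahead of the upgrade. The script below is an added example written for this page, not code from the thread, from the Fedora change or from the OpenSSH project. It assumes: GNU coreutils `stat -c` syntax; that the private-key test sshd applies is "any group/other bit set", i.e. `(st_mode & 077) != 0` as in OpenSSH's `sshkey_perm_ok()`, on root-owned keys; the upstream default host key paths when no `HostKey` directive is present; and a constructed throwaway `sshd_config` used as the fixture.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of sshd host key
# permissions before moving to an openssh that no longer tolerates
# group-readable private host keys.

# Print the private host key paths sshd will load from a given sshd_config:
# every "HostKey <path>" directive, or the upstream default set when none is
# configured. Assumes the conventional capitalisation of the keyword; sshd
# itself matches config keywords case-insensitively.
hostkey_paths() {
    paths=$(sed -n 's/^[[:space:]]*HostKey[[:space:]]\{1,\}//p' "$1")
    if [ -z "$paths" ]; then
        # Assumed upstream defaults when sshd_config has no HostKey line.
        paths='/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key'
    fi
    printf '%s\n' "$paths"
}

# Succeed only if no group/other permission bit is set, mirroring the
# (st_mode & 077) != 0 test in OpenSSH's sshkey_perm_ok(). The real check
# also requires the file to be owned by the user running sshd (root); this
# example assumes root-owned keys. stat -c is GNU coreutils syntax.
key_perm_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    # Leading 0 makes the shell treat stat's output as octal.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Check every host key named by the config. Prints one line per problem and
# returns 1 if any existing key would be rejected, 0 otherwise. Missing keys
# are reported but not counted: sshd skips keys it cannot open and only fails
# when none load. Relies on word splitting, so paths with whitespace are not
# handled.
check_hostkeys() {
    rc=0
    for k in $(hostkey_paths "$1"); do
        if [ ! -f "$k" ]; then
            echo "missing:  $k"
            continue
        fi
        if ! key_perm_ok "$k"; then
            echo "too open: $k (mode $(stat -c '%a %U:%G' "$k"))"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture: a throwaway sshd_config pointing at two keys in a
# non-standard directory, one 0640 (group-readable) and one 0600.
# Prints the path of the generated config.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/ssh_host_rsa_key";     chmod 0640 "$d/ssh_host_rsa_key"
    : > "$d/ssh_host_ed25519_key"; chmod 0600 "$d/ssh_host_ed25519_key"
    printf 'HostKey %s\nHostKey %s\n' \
        "$d/ssh_host_rsa_key" "$d/ssh_host_ed25519_key" > "$d/sshd_config"
    echo "$d/sshd_config"
}

# Demo: report, remediate, re-check. On a real host run
# check_hostkeys /etc/ssh/sshd_config instead of using the fixture.
conf=$(make_fixture)
if check_hostkeys "$conf"; then
    echo "all host keys acceptable"
else
    echo "tightening to 0600"
    for k in $(hostkey_paths "$conf"); do chmod 0600 "$k"; done
    check_hostkeys "$conf" && echo "all host keys acceptable"
fi
```

Running this as part of the pre-upgrade step (or from the proposed warning phase) gives the admin the exact path and current mode of each key that would stop sshd from starting, which is the information the MOTD warning would otherwise have to convey in general terms.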