potential sshd gotcha
Bill Davidsen
davidsen at tmr.com
Wed Jan 23 17:38:44 UTC 2013
Tom Horsley wrote:
> I spent hours at work today getting sshd to function on
> my desktop which I just switched to booting from the
> fedora 18 partition. I finally discovered this:
>
> [root at zooty ~]# ls -l /etc/ssh
> total 276
> -rw------- 1 root root 245058 Dec 3 11:43 moduli
> -rw-r--r-- 1 root root 2104 Dec 3 11:43 ssh_config
> -r--------. 1 root ssh_keys 668 Dec 5 20:35 ssh_host_dsa_key
> -rw-r--r--. 1 root root 590 Dec 5 20:35 ssh_host_dsa_key.pub
> -r--------. 1 root ssh_keys 963 Dec 5 20:35 ssh_host_key
> -rw-r--r--. 1 root root 627 Dec 5 20:35 ssh_host_key.pub
> -r--------. 1 root ssh_keys 1675 Dec 5 20:35 ssh_host_rsa_key
> -rw-r--r--. 1 root root 382 Dec 5 20:35 ssh_host_rsa_key.pub
> -rw------- 1 root root 4615 Dec 26 14:47 sshd_config
>
> The private key files now want to be group "ssh_keys".
>
> If, like me, you've been copying your /etc/ssh host key files
> from release to release in order to preserve your machine's
> ssh identity, then you may not have the group correct after
> the copy (depending on if you overwrite or replace).
>
> Without the correct group on the hostkey files, every attempt
> at an ssh connection of any kind results in a "connection
> closed" error and much confusion :-).
>
Since no one but root can get at these files anyway, it smacks of "security thru
obscurity" for sure. There's no extra access to be had, just more change for the
sake of change. The upgrade process remains to be badly broken, it seems.
The more I learn about fc18, the more I'm convinced that the whole install or
upgrade area did not get proper attention. and testing.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
More information about the users
mailing list