potential sshd gotcha

Bill Davidsen davidsen at tmr.com
Wed Jan 23 17:38:44 UTC 2013


Tom Horsley wrote:
> I spent hours at work today getting sshd to function on
> my desktop which I just switched to booting from the
> fedora 18 partition. I finally discovered this:
>
> [root at zooty ~]# ls -l /etc/ssh
> total 276
> -rw-------  1 root root     245058 Dec  3 11:43 moduli
> -rw-r--r--  1 root root       2104 Dec  3 11:43 ssh_config
> -r--------. 1 root ssh_keys    668 Dec  5 20:35 ssh_host_dsa_key
> -rw-r--r--. 1 root root        590 Dec  5 20:35 ssh_host_dsa_key.pub
> -r--------. 1 root ssh_keys    963 Dec  5 20:35 ssh_host_key
> -rw-r--r--. 1 root root        627 Dec  5 20:35 ssh_host_key.pub
> -r--------. 1 root ssh_keys   1675 Dec  5 20:35 ssh_host_rsa_key
> -rw-r--r--. 1 root root        382 Dec  5 20:35 ssh_host_rsa_key.pub
> -rw-------  1 root root       4615 Dec 26 14:47 sshd_config
>
> The private key files now want to be group "ssh_keys".
>
> If, like me, you've been copying your /etc/ssh host key files
> from release to release in order to preserve your machine's
> ssh identity, then you may not have the group correct after
> the copy (depending on if you overwrite or replace).
>
> Without the correct group on the hostkey files, every attempt
> at an ssh connection of any kind results in a "connection
> closed" error and much confusion :-).
>
Since no one but root can get at these files anyway, it smacks of "security thru 
obscurity" for sure. There's no extra access to be had, just more change for the 
sake of change. The upgrade process remains badly broken, it seems.

The more I learn about fc18, the more I'm convinced that the whole install or 
upgrade area did not get proper attention and testing.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
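An added example, not from either poster: a shell check for the host key ownership the listing above shows (private keys root:ssh_keys with no "other" permission bits, public keys root:root), for use after copying /etc/ssh between releases. It assumes GNU stat on Linux; the directory, group and owner are parameters so it can be run against a copy or a test directory.

```shell
#!/bin/sh
# check_hostkeys DIR [GROUP] [OWNER]
# Audits sshd host key files in DIR (default /etc/ssh). Expected values
# follow the listing in the thread: private keys owned by OWNER (root)
# with group GROUP (ssh_keys) and no "other" bits; public keys root:root.
# Prints one line per problem and returns 1 if anything is wrong.
# Assumes GNU stat (-c '%U %G %a' gives owner, group, octal mode).

check_hostkeys() {
    dir="${1:-/etc/ssh}"
    want_group="${2:-ssh_keys}"
    want_owner="${3:-root}"
    rc=0
    # ssh_host_key is the old SSH1 key; ssh_host_*_key are rsa/dsa/etc.
    for key in "$dir"/ssh_host_key "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        set -- $(stat -c '%U %G %a' "$key")
        owner=$1; group=$2; mode=$3
        if [ "$owner" != "$want_owner" ]; then
            echo "WRONG OWNER: $key is $owner (want $want_owner)"; rc=1
        fi
        if [ "$group" != "$want_group" ]; then
            echo "WRONG GROUP: $key is $group (want $want_group)"; rc=1
        fi
        # last octal digit is the "other" permission; it must be 0
        case "$mode" in
            *0) ;;
            *) echo "WORLD-ACCESSIBLE: $key has mode $mode"; rc=1 ;;
        esac
        # the matching .pub file, if present, should be owner:owner
        pub="$key.pub"
        if [ -e "$pub" ]; then
            set -- $(stat -c '%U %G' "$pub")
            if [ "$1" != "$want_owner" ] || [ "$2" != "$want_owner" ]; then
                echo "WRONG OWNER/GROUP: $pub is $1:$2"; rc=1
            fi
        fi
    done
    return $rc
}
```

Run it as `check_hostkeys` (or `check_hostkeys /etc/ssh ssh_keys root`) after a copy; a "WRONG GROUP" line is the condition the thread describes, and `chgrp ssh_keys` on the private key files corrects it.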

