I spent hours at work today getting sshd to function on my desktop which I just switched to booting from the fedora 18 partition. I finally discovered this:
[root@zooty ~]# ls -l /etc/ssh
total 276
-rw------- 1 root root 245058 Dec 3 11:43 moduli
-rw-r--r-- 1 root root 2104 Dec 3 11:43 ssh_config
-r--------. 1 root ssh_keys 668 Dec 5 20:35 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Dec 5 20:35 ssh_host_dsa_key.pub
-r--------. 1 root ssh_keys 963 Dec 5 20:35 ssh_host_key
-rw-r--r--. 1 root root 627 Dec 5 20:35 ssh_host_key.pub
-r--------. 1 root ssh_keys 1675 Dec 5 20:35 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Dec 5 20:35 ssh_host_rsa_key.pub
-rw------- 1 root root 4615 Dec 26 14:47 sshd_config
The private key files now want to be group "ssh_keys".
If, like me, you've been copying your /etc/ssh host key files from release to release in order to preserve your machine's ssh identity, then you may not have the group correct after the copy (depending on if you overwrite or replace).
Without the correct group on the hostkey files, every attempt at an ssh connection of any kind results in a "connection closed" error and much confusion :-).
On 01/22/2013 02:11 PM, Tom Horsley wrote:
> I spent hours at work today getting sshd to function on my desktop which I just switched to booting from the fedora 18 partition. I finally discovered this:
> [root@zooty ~]# ls -l /etc/ssh
> total 276
> -rw------- 1 root root 245058 Dec 3 11:43 moduli
> -rw-r--r-- 1 root root 2104 Dec 3 11:43 ssh_config
> -r--------. 1 root ssh_keys 668 Dec 5 20:35 ssh_host_dsa_key
> -rw-r--r--. 1 root root 590 Dec 5 20:35 ssh_host_dsa_key.pub
> -r--------. 1 root ssh_keys 963 Dec 5 20:35 ssh_host_key
> -rw-r--r--. 1 root root 627 Dec 5 20:35 ssh_host_key.pub
> -r--------. 1 root ssh_keys 1675 Dec 5 20:35 ssh_host_rsa_key
> -rw-r--r--. 1 root root 382 Dec 5 20:35 ssh_host_rsa_key.pub
> -rw------- 1 root root 4615 Dec 26 14:47 sshd_config
> The private key files now want to be group "ssh_keys".
> If, like me, you've been copying your /etc/ssh host key files from release to release in order to preserve your machine's ssh identity, then you may not have the group correct after the copy (depending on if you overwrite or replace).
> Without the correct group on the hostkey files, every attempt at an ssh connection of any kind results in a "connection closed" error and much confusion :-).
Thanks, very useful info!
Tom Horsley wrote:
> I spent hours at work today getting sshd to function on my desktop which I just switched to booting from the fedora 18 partition. I finally discovered this:
> [root@zooty ~]# ls -l /etc/ssh
> total 276
> -rw------- 1 root root 245058 Dec 3 11:43 moduli
> -rw-r--r-- 1 root root 2104 Dec 3 11:43 ssh_config
> -r--------. 1 root ssh_keys 668 Dec 5 20:35 ssh_host_dsa_key
> -rw-r--r--. 1 root root 590 Dec 5 20:35 ssh_host_dsa_key.pub
> -r--------. 1 root ssh_keys 963 Dec 5 20:35 ssh_host_key
> -rw-r--r--. 1 root root 627 Dec 5 20:35 ssh_host_key.pub
> -r--------. 1 root ssh_keys 1675 Dec 5 20:35 ssh_host_rsa_key
> -rw-r--r--. 1 root root 382 Dec 5 20:35 ssh_host_rsa_key.pub
> -rw------- 1 root root 4615 Dec 26 14:47 sshd_config
> The private key files now want to be group "ssh_keys".
> If, like me, you've been copying your /etc/ssh host key files from release to release in order to preserve your machine's ssh identity, then you may not have the group correct after the copy (depending on if you overwrite or replace).
> Without the correct group on the hostkey files, every attempt at an ssh connection of any kind results in a "connection closed" error and much confusion :-).
Since no one but root can get at these files anyway, it smacks of "security thru obscurity" for sure. There's no extra access to be had, just more change for the sake of change. The upgrade process remains badly broken, it seems.
The more I learn about fc18, the more I'm convinced that the whole install or upgrade area did not get proper attention and testing.
On 23.01.2013 18:38, Bill Davidsen wrote:
> Tom Horsley wrote:
> > I spent hours at work today getting sshd to function on my desktop which I just switched to booting from the fedora 18 partition. I finally discovered this:
> > [root@zooty ~]# ls -l /etc/ssh
> > total 276
> > -rw------- 1 root root 245058 Dec 3 11:43 moduli
> > -rw-r--r-- 1 root root 2104 Dec 3 11:43 ssh_config
> > -r--------. 1 root ssh_keys 668 Dec 5 20:35 ssh_host_dsa_key
> > -rw-r--r--. 1 root root 590 Dec 5 20:35 ssh_host_dsa_key.pub
> > -r--------. 1 root ssh_keys 963 Dec 5 20:35 ssh_host_key
> > -rw-r--r--. 1 root root 627 Dec 5 20:35 ssh_host_key.pub
> > -r--------. 1 root ssh_keys 1675 Dec 5 20:35 ssh_host_rsa_key
> > -rw-r--r--. 1 root root 382 Dec 5 20:35 ssh_host_rsa_key.pub
> > -rw------- 1 root root 4615 Dec 26 14:47 sshd_config
> > The private key files now want to be group "ssh_keys".
> > If, like me, you've been copying your /etc/ssh host key files from release to release in order to preserve your machine's ssh identity, then you may not have the group correct after the copy (depending on if you overwrite or replace).
> > Without the correct group on the hostkey files, every attempt at an ssh connection of any kind results in a "connection closed" error and much confusion :-).
> Since no one but root can get at these files anyway, it smacks of "security thru obscurity" for sure. There's no extra access to be had, just more change for the sake of change. The upgrade process remains badly broken, it seems.
> The more I learn about fc18, the more I'm convinced that the whole install or upgrade area did not get proper attention and testing.
It is simply not generally true in the case of sshd, because how would my 7 machines, upgraded until now with yum from F17 to F18, work with the permissions below?
Maybe some SELinux thing!
openssh-server-6.1p1-4.fc18.x86_64
[root@rh:~]$ ls /etc/ssh/
insgesamt 304K
-rw------- 1 root root 240K 2012-12-03 17:43 moduli
-rw-r--r-- 1 root root 25K 2013-01-15 11:25 ssh_config
-rw------- 1 root root 2,0K 2012-11-16 01:43 sshd_config
-rw------- 1 root root 668 2008-05-16 00:04 ssh_host_dsa_key
-rw------- 1 root root 963 2008-05-16 00:04 ssh_host_key
-rw------- 1 root root 1,7K 2008-05-16 00:04 ssh_host_rsa_key
-rw-r--r-- 1 root root 590 2008-05-16 00:04 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 627 2008-05-16 00:04 ssh_host_key.pub
-rw-r--r-- 1 root root 382 2008-05-16 00:04 ssh_host_rsa_key.pub
-rw------- 1 root root 4,3K 2012-12-03 17:43 sshd_config.rpmnew
On Tue, 2013-01-22 at 17:11 -0500, Tom Horsley wrote:
> I spent hours at work today getting sshd to function on my desktop which I just switched to booting from the fedora 18 partition. I finally discovered this:
> [root@zooty ~]# ls -l /etc/ssh
> total 276
> -rw------- 1 root root 245058 Dec 3 11:43 moduli
> -rw-r--r-- 1 root root 2104 Dec 3 11:43 ssh_config
> -r--------. 1 root ssh_keys 668 Dec 5 20:35 ssh_host_dsa_key
> -rw-r--r--. 1 root root 590 Dec 5 20:35 ssh_host_dsa_key.pub
> -r--------. 1 root ssh_keys 963 Dec 5 20:35 ssh_host_key
> -rw-r--r--. 1 root root 627 Dec 5 20:35 ssh_host_key.pub
> -r--------. 1 root ssh_keys 1675 Dec 5 20:35 ssh_host_rsa_key
> -rw-r--r--. 1 root root 382 Dec 5 20:35 ssh_host_rsa_key.pub
> -rw------- 1 root root 4615 Dec 26 14:47 sshd_config
> The private key files now want to be group "ssh_keys".
The same was true with Fedora 17.
John.
John Horne wrote:
> The same was true with Fedora 17.
My F17 and F18 boxes do not have my keys set to group "ssh_keys" and I can log in to any of them without a problem.
# Fedora 18 box:
$ ll /etc/ssh/
total 276
-rw-------. 1 root root 245058 Dec 3 10:43 moduli
-rw-r--r--. 1 root root 2104 Dec 3 10:43 ssh_config
-rw-------. 1 root root 4368 Dec 3 10:43 sshd_config
-rw-------. 1 root root 672 Nov 19 2009 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Nov 19 2009 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Nov 19 2009 ssh_host_key
-rw-r--r--. 1 root root 627 Nov 19 2009 ssh_host_key.pub
-rw-------. 1 root root 1675 Nov 19 2009 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Nov 19 2009 ssh_host_rsa_key.pub
On Thu, 24 Jan 2013 23:31:50 +0000 John Horne wrote:
> > The private key files now want to be group "ssh_keys".
> The same was true with Fedora 17.
Maybe, but I see they are all "root root" on my fedora17 partition, and sshd worked fine there, so something wants the new group a lot more on fedora 18 :-).
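
An added example, not written by any poster in this thread: a shell function that reports the owner, group and mode of each private host key in a directory against an expected group, for checking keys copied from one release to the next. The function name `audit_hostkeys`, the default expected owner `root` and the reliance on GNU `stat -c` are assumptions of this example; the expected group is a parameter because the listings in the thread show both `root:root` and `root:ssh_keys` in use.

```shell
#!/bin/sh
# Added example: audit private host keys in an sshd configuration directory.
# Assumes GNU stat (coreutils) for the -c format option.

# audit_hostkeys DIR EXPECTED_GROUP [EXPECTED_OWNER]
# Prints one line per private host key. Returns 0 if every key matches,
# 1 if any key has an unexpected owner, group, or access for "other".
audit_hostkeys() {
    dir=$1
    want_group=$2
    want_owner=${3:-root}
    rc=0
    # Matches ssh_host_key, ssh_host_rsa_key, ... but not the *.pub files.
    for key in "$dir"/ssh_host_*key; do
        [ -f "$key" ] || continue            # glob matched nothing
        # Intentional word splitting: "owner group octal-mode".
        set -- $(stat -c '%U %G %a' "$key")
        owner=$1
        group=$2
        mode=$3
        problems=""
        [ "$owner" = "$want_owner" ] ||
            problems="$problems owner=$owner(want $want_owner)"
        [ "$group" = "$want_group" ] ||
            problems="$problems group=$group(want $want_group)"
        # Last octal digit non-zero means "other" has some access.
        case $mode in
            *[1-7]) problems="$problems mode=$mode(other has access)" ;;
        esac
        if [ -n "$problems" ]; then
            echo "MISMATCH $key:$problems"
            rc=1
        else
            echo "OK $key $owner:$group $mode"
        fi
    done
    return $rc
}

# Run only when arguments are given, e.g.: sh audit.sh /etc/ssh ssh_keys
if [ "$#" -ge 2 ]; then
    audit_hostkeys "$@"
fi
```

Running it before and after copying the keys into a new install shows at a glance whether the copy changed the group or mode.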