potential sshd gotcha

Reindl Harald h.reindl at thelounge.net
Wed Jan 23 17:49:31 UTC 2013


On 23.01.2013 18:38, Bill Davidsen wrote:
> Tom Horsley wrote:
>> I spent hours at work today getting sshd to function on
>> my desktop which I just switched to booting from the
>> fedora 18 partition. I finally discovered this:
>>
>> [root at zooty ~]# ls -l /etc/ssh
>> total 276
>> -rw-------  1 root root     245058 Dec  3 11:43 moduli
>> -rw-r--r--  1 root root       2104 Dec  3 11:43 ssh_config
>> -r--------. 1 root ssh_keys    668 Dec  5 20:35 ssh_host_dsa_key
>> -rw-r--r--. 1 root root        590 Dec  5 20:35 ssh_host_dsa_key.pub
>> -r--------. 1 root ssh_keys    963 Dec  5 20:35 ssh_host_key
>> -rw-r--r--. 1 root root        627 Dec  5 20:35 ssh_host_key.pub
>> -r--------. 1 root ssh_keys   1675 Dec  5 20:35 ssh_host_rsa_key
>> -rw-r--r--. 1 root root        382 Dec  5 20:35 ssh_host_rsa_key.pub
>> -rw-------  1 root root       4615 Dec 26 14:47 sshd_config
>>
>> The private key files now want to be group "ssh_keys".
>>
>> If, like me, you've been copying your /etc/ssh host key files
>> from release to release in order to preserve your machine's
>> ssh identity, then you may not have the group correct after
>> the copy (depending on if you overwrite or replace).
>>
>> Without the correct group on the hostkey files, every attempt
>> at an ssh connection of any kind results in a "connection
>> closed" error and much confusion :-).
>>
> Since no one but root can get at these files anyway, it smacks of "security through obscurity" for sure. There's no
> extra access to be had, just more change for the sake of change. The upgrade process remains badly broken, it
> seems.
> 
> The more I learn about fc18, the more I'm convinced that the whole install or upgrade area did not get proper
> attention and testing.

It is simply not generally true in the case of sshd, because how
would my 7 machines, upgraded until now with yum from F17 to F18,
work with the permissions below?

maybe some SELinux thing!

openssh-server-6.1p1-4.fc18.x86_64

[root at rh:~]$ ls /etc/ssh/
insgesamt 304K
-rw------- 1 root root 240K 2012-12-03 17:43 moduli
-rw-r--r-- 1 root root  25K 2013-01-15 11:25 ssh_config
-rw------- 1 root root 2,0K 2012-11-16 01:43 sshd_config
-rw------- 1 root root  668 2008-05-16 00:04 ssh_host_dsa_key
-rw------- 1 root root  963 2008-05-16 00:04 ssh_host_key
-rw------- 1 root root 1,7K 2008-05-16 00:04 ssh_host_rsa_key
-rw-r--r-- 1 root root  590 2008-05-16 00:04 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root  627 2008-05-16 00:04 ssh_host_key.pub
-rw-r--r-- 1 root root  382 2008-05-16 00:04 ssh_host_rsa_key.pub
-rw------- 1 root root 4,3K 2012-12-03 17:43 sshd_config.rpmnew
