potential sshd gotcha
Reindl Harald
h.reindl at thelounge.net
Wed Jan 23 17:49:31 UTC 2013
On 23.01.2013 18:38, Bill Davidsen wrote:
> Tom Horsley wrote:
>> I spent hours at work today getting sshd to function on
>> my desktop which I just switched to booting from the
>> fedora 18 partition. I finally discovered this:
>>
>> [root at zooty ~]# ls -l /etc/ssh
>> total 276
>> -rw------- 1 root root 245058 Dec 3 11:43 moduli
>> -rw-r--r-- 1 root root 2104 Dec 3 11:43 ssh_config
>> -r--------. 1 root ssh_keys 668 Dec 5 20:35 ssh_host_dsa_key
>> -rw-r--r--. 1 root root 590 Dec 5 20:35 ssh_host_dsa_key.pub
>> -r--------. 1 root ssh_keys 963 Dec 5 20:35 ssh_host_key
>> -rw-r--r--. 1 root root 627 Dec 5 20:35 ssh_host_key.pub
>> -r--------. 1 root ssh_keys 1675 Dec 5 20:35 ssh_host_rsa_key
>> -rw-r--r--. 1 root root 382 Dec 5 20:35 ssh_host_rsa_key.pub
>> -rw------- 1 root root 4615 Dec 26 14:47 sshd_config
>>
>> The private key files now want to be group "ssh_keys".
>>
>> If, like me, you've been copying your /etc/ssh host key files
>> from release to release in order to preserve your machine's
>> ssh identity, then you may not have the group correct after
>> the copy (depending on if you overwrite or replace).
>>
>> Without the correct group on the hostkey files, every attempt
>> at an ssh connection of any kind results in a "connection
>> closed" error and much confusion :-).
>>
> Since no one but root can get at these files anyway, it smacks of "security thru obscurity" for sure. There's no
> extra access to be had, just more change for the sake of change. The upgrade process remains to be badly broken, it
> seems.
>
> The more I learn about fc18, the more I'm convinced that the whole install or upgrade area did not get proper
> attention and testing.
It is simply not generally true in the case of sshd, because how
would my 7 machines, upgraded so far with yum from F17 to F18,
work with the permissions below?
Maybe some SELinux thing!
openssh-server-6.1p1-4.fc18.x86_64
[root at rh:~]$ ls /etc/ssh/
insgesamt 304K
-rw------- 1 root root 240K 2012-12-03 17:43 moduli
-rw-r--r-- 1 root root 25K 2013-01-15 11:25 ssh_config
-rw------- 1 root root 2,0K 2012-11-16 01:43 sshd_config
-rw------- 1 root root 668 2008-05-16 00:04 ssh_host_dsa_key
-rw------- 1 root root 963 2008-05-16 00:04 ssh_host_key
-rw------- 1 root root 1,7K 2008-05-16 00:04 ssh_host_rsa_key
-rw-r--r-- 1 root root 590 2008-05-16 00:04 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 627 2008-05-16 00:04 ssh_host_key.pub
-rw-r--r-- 1 root root 382 2008-05-16 00:04 ssh_host_rsa_key.pub
-rw------- 1 root root 4,3K 2012-12-03 17:43 sshd_config.rpmnew
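
A check to run after copying /etc/ssh host keys between releases, added here as an example and not part of the original thread: it prints mode, owner and group of each private host key so the two layouts shown above can be compared on a given machine. The function name, the AUDIT_FINDINGS variable and the optional expected-group argument are assumptions of this example, and GNU stat is assumed; the thread does not settle which group sshd requires.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils stat (-c).
# audit_host_keys DIR [EXPECTED_GROUP]
#   Prints mode, owner and group of every private host key in DIR and
#   flags keys that (a) grant any permission to group or others, or
#   (b) are not in EXPECTED_GROUP when one is given (e.g. ssh_keys or root).
#   Returns 0 when nothing was flagged, 1 otherwise; the number of flagged
#   keys is left in AUDIT_FINDINGS.
audit_host_keys() {
    dir=$1
    want_group=${2:-}
    AUDIT_FINDINGS=0
    # ssh_host_*key matches ssh_host_key, ssh_host_rsa_key, ... but not *.pub
    for key in "$dir"/ssh_host_*key; do
        [ -f "$key" ] || continue      # unmatched glob or not a regular file
        mode=$(stat -L -c '%a' "$key")
        owner=$(stat -L -c '%U' "$key")
        group=$(stat -L -c '%G' "$key")
        note=""
        # Octal mode & 077 isolates the group and other permission bits.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            note="$note group/other-access"
        fi
        if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
            note="$note group-is-not-$want_group"
        fi
        if [ -n "$note" ]; then
            AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
        fi
        printf '%-4s %s:%s %s%s\n' "$mode" "$owner" "$group" "$key" "${note:+  <-$note}"
    done
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Example call after copying keys from an older release:
#   audit_host_keys /etc/ssh ssh_keys
```

The trailing `.` after the mode in the first listing is how GNU ls marks a file that carries an SELinux context; `ls -Z /etc/ssh` prints the context itself.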