Bug 1167402

Summary: /etc/ssh/ssh_host_ed25519_key is created with incorrect permissions
Product: [Fedora] Fedora Reporter: Raman Gupta <rocketraman>
Component: opensshAssignee: Petr Lautrbach <plautrba>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: mattias.ellert, mgrepl, plautrba, rocketraman, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-24 16:51:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Raman Gupta 2014-11-24 16:13:31 UTC 
Description of problem:

I updated to Fedora 21 using Fedup, and a new private key file was created with the incorrect permissions (too open):

# ls -l /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root 387 Nov 23 18:33 /etc/ssh/ssh_host_ed25519_key

Also, the other keys have group ownership of ssh_keys:

# ls -l /etc/ssh/ssh_host{_dsa,_rsa,}_key
-rw-r-----. 1 root ssh_keys  668 May 25  2012 /etc/ssh/ssh_host_dsa_key
-rw-r-----. 1 root ssh_keys  965 May 25  2012 /etc/ssh/ssh_host_key
-rw-r-----. 1 root ssh_keys 1675 May 25  2012 /etc/ssh/ssh_host_rsa_key

Version-Release number of selected component (if applicable):

Name        : openssh
Version     : 6.6.1p1
Release     : 8.fc21

systemctl status sshd shows:

Nov 24 05:00:03 x sshd[18303]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Nov 24 05:00:03 x sshd[18303]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Nov 24 05:00:03 x sshd[18303]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Nov 24 05:00:03 x sshd[18303]: error: Permissions 0644 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Nov 24 05:00:03 x sshd[18303]: error: It is required that your private key files are NOT accessible by others.
Nov 24 05:00:03 x sshd[18303]: error: This private key will be ignored.
Nov 24 05:00:03 x sshd[18303]: error: bad permissions: ignore key: /etc/ssh/ssh_host_ed25519_key
Nov 24 05:00:03 x sshd[18303]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Comment 1 Petr Lautrbach 2014-11-24 16:25:10 UTC 
Is it possible that you had created ed25519 keys manually before? When you remove /etc/ssh/ssh_host_ed25519_key* files and regenerate files using:

# systemctl start sshd-keygen.service

is everything ok?

Would it be possible to collect logs from update and check how were ed25519 keys created?
Comment 2 Raman Gupta 2014-11-24 16:39:30 UTC 
(In reply to Petr Lautrbach from comment #1)
> Is it possible that you had created ed25519 keys manually before?

I don't think so.

> When you
> remove /etc/ssh/ssh_host_ed25519_key* files and regenerate files using:
> 
> # systemctl start sshd-keygen.service
> 
> is everything ok?

Yes, when doing this everything is ok.

> Would it be possible to collect logs from update and check how were ed25519
> keys created?

I didn't do this update in a virtual machine so unless I can get this information from existing logs, this will be difficult.

In experimenting with this, however, I think maybe etckeeper is responsible for the bad permissions. I was removing/modifying the keys as requested above, and when I did "git checkout -- ." in order to reset the state, the keys went back to the incorrect perms. So its probably an etckeeper operation after install that did this.
Comment 3 Petr Lautrbach 2014-11-24 16:51:03 UTC 
I'm closing this bug as WORKSFORME for now. If you find out something else related to this issue and openssh, feel free to reopen it. Or if you think it's etckeeper issue, please file a new bug to the right component.