| Summary: | RHEL 7.3 beta error: SSH private key file permissions | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Shawn Wells <swells> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | mhaicman, mmarhefk, mpreisle, mthacker, openscap-maint, redhatrises |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | scap-security-guide-0.1.32-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 12:23:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Shawn Wells
2016-08-31 20:15:42 UTC
Remediation script upstream is here: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/static/bash/file_permissions_sshd_private_key.sh Shawn would expect the permissions be 0600 or 0640 to accommodate the ssh_keys group? (In reply to redhatrises from comment #3) > Remediation script upstream is here: > https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/ > static/bash/file_permissions_sshd_private_key.sh > > Shawn would expect the permissions be 0600 or 0640 to accommodate the > ssh_keys group? Haven't had a chance to look yet. Appears the group membership needs to be there. If that holds true, need to tip off DISA so they can update their content too. From https://bugzilla.redhat.com/show_bug.cgi?id=819896: ------------ Description of problem: The /usr/libexec/openssh/ssh-keysign is setgid, not setuid as it used to be. The group is set to ssh_keys. In the /usr/sbin/sshd-keygen script, the keys are created with the group set to ssh_keys, but the group read bit is disabled. Thus, only root can read the keys, and host-based authentication does not work. ...... ...... Steps to Reproduce: 1. Install Fedora. 2. Look at permissions on /etc/ssh/ssh_host_*key 3. Actual results: bash-4.2$ ls -l /etc/ssh/ssh_host_*key -rw------- 1 root ssh_keys 668 May 7 15:22 /etc/ssh/ssh_host_dsa_key -rw------- 1 root ssh_keys 965 May 7 15:22 /etc/ssh/ssh_host_key -rw------- 1 root ssh_keys 1679 May 7 15:22 /etc/ssh/ssh_host_rsa_key Expected results: bash-4.2$ ls -l /etc/ssh/ssh_host_*key -rw-r----- 1 root ssh_keys 668 May 7 15:22 /etc/ssh/ssh_host_dsa_key -rw-r----- 1 root ssh_keys 965 May 7 15:22 /etc/ssh/ssh_host_key -rw-r----- 1 root ssh_keys 1679 May 7 15:22 /etc/ssh/ssh_host_rsa_key ------------ Since the SSH keys get generated on first boot, this won't be able to be remediated through Anaconda.
> Haven't had a chance to look yet. Appears the group membership needs to be there. If that holds true, need to tip off DISA so they can update their content too.
IMO, we should tip off DISA and fix the content. Although, DISA might have done 0600 on purpose, and they may have not wanted to allow read access to the ssh_keys group....
Fix submitted to upstream. See https://github.com/OpenSCAP/scap-security-guide/pull/1556 Verified for version scap-security-guide-0.1.33-5.el7.noarch Verification performed using SSG Test Suite https://github.com/OpenSCAP/scap-security-guide/commits/ba02d65857f02c824e18878e238ff8a9aea657c1 OLD: scap-security-guide-0.1.30-3.el7.noarch INFO - xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7-server ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial ERROR - Rule result should have been "pass", but is "fail"! WARNING - Skipping to the next scenario INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7-server ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation ERROR - Rule result should have been "fixed", but is "fail"! INFO - All snapshots reverted successfully NEW: INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule_file_permissions_sshd_private_key-2017-06-21-21:36-1/test_suite.log INFO - xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7 INFO - All snapshots reverted successfully Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2064 |