Bug 2011309

The problem is that the key files have group root. If I change the group to ssh_keys, which is the default, the SSH service starts fine independently if the system is in FIPS mode or not.

In the OpenSSH function 'sshkey_perm_ok' I see that only the UID of the file is checked, so I'm not sure why this check is no triggered when the file is owned by root:ssh_keys

https://anongit.mindrot.org/openssh.git/tree/authfile.c#n90

~~~
int
sshkey_perm_ok(int fd, const char *filename)
{
	struct stat st;

	if (fstat(fd, &st) == -1)
		return SSH_ERR_SYSTEM_ERROR;
	/*
	 * if a key owned by the user is accessed, then we check the
	 * permissions of the file. if the key owned by a different user,
	 * then we don't care.
	 */
#ifdef HAVE_CYGWIN
	if (check_ntsec(filename))
#endif
	if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {  <------------------------------
		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
		error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
		error("Permissions 0%3.3o for '%s' are too open.",
		    (u_int)st.st_mode & 0777, filename);
		error("It is required that your private key files are NOT accessible by others.");
		error("This private key will be ignored.");
		return SSH_ERR_KEY_BAD_PERMISSIONS;
	}
	return 0;
}
~~~

Ok, I'm going to answer my own question. We are applying the patch openssh-6.6p1-keyperm.patch in the RPM to allow the ssh_keys group. This way the /usr/libexec/openssh/ssh-keysign helper used for host-based authentication can work. 

So the remaining question is, why the keys were created as root:root 0640?

We can reproduce this issue.
I checked the openscap-report and the following rule under Services -> SSH Server, marked as "fixed":
   Verify Permissions on SSH Server Private *_key Key Files
   To properly set the permissions of /etc/ssh/*_key, run the command:
   $ sudo chmod 0640 /etc/ssh/*_key

Once changing the /etc/ssh/*_key permissions back to be 0600, ssh works fine.

Watson,
Do you know if this is ok?

Hello, 

In https://github.com/ComplianceAsCode/content/pull/7742 the rules have been fixed and they do not change the the permission to 0640 any more, they ensure the permissions are 0600.

*** Bug 2023206 has been marked as a duplicate of this bug. ***

Verified with:
rhvm-appliance-4.5-20220412.0.el8ev
scap-security-guide-0.1.60-7.el8.noarch
ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch
ovirt-hosted-engine-setup-2.6.3-1.el8ev.noarch

Steps:
1. In a RHEL 8.6 host fully updated, deploy hosted-engine

# hosted-engine --deploy

2. Answer yes to this question:

Do you want to apply a default OpenSCAP security profile? (Yes, No) [No]: Yes

Results:
1. hosted-engine deployment succeeds when applying OpenSCAP security profile.
2. FIPS mode is enabled in engine.
3. The permissions of ssh keys in engine are 0600, sshd service is up.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Appliance (rhvm-appliance) security update [ovirt-4.5.0]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4931

Due to QE capacity, we are not going to cover this issue in our automation