Bug 2158230

Summary: Restore stricter SSH hostkeys permissions
Product: [Fedora] Fedora Reporter: Ben Cotton <bcotton>
Component: Changes TrackingAssignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 38CC: bcotton, dbelyavs
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-18 14:06:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2075059    

Description Ben Cotton 2023-01-04 18:04:32 UTC 
This is a tracking bug for Change: Restore stricter SSH hostkeys permissions
For more details, see: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit

We want to
- drop a downstream-only patch to ssh permitting group-readable ssh host keys
- drop a ssh_keys group
- restore suid bit instead of sgid on a helper utility ssh-keysign

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.
Comment 1 Ben Cotton 2023-02-07 14:27:33 UTC 
Today we reached the Code Complete (Testable) milestone on the F38 schedule: https://fedorapeople.org/groups/schedule/f-38/f-38-key-tasks.html

At this time, all F38 Changes should be complete enough to be testable. You can indicate this by setting this tracker to the MODIFIED status. If the Change is 100% code complete, you can set the tracker to ON_QA. If you need to defer this Change to F39, please NEEDINFO me.

Changes that have not reached at least the MODIFIED status will be given to FESCo for evaluation of contingency plans.