Bug 720888

Summary: ssh private key files should not be accessible by others
Product: Red Hat Enterprise Linux 6
Component: openssh
Version: 6.2
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Target Milestone: rc
Reporter: Alex Jia <ajia>
Assignee: Jan F. Chadima <jchadima>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: esandeen, rwu
Doc Type: Bug Fix
Last Closed: 2011-07-14 07:32:58 UTC

Description Alex Jia 2011-07-13 06:29:09 UTC
Description of problem:
/etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key have 'r' permissions for others.

I can resolve this issue by manually changing the permissions of these 2 files to 600 instead of 640.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-160.el6.x86_64

Note: installation tree is http://download.englab.nay.redhat.com/pub/rhel/nightly/RHEL6.2-20110623.n.0/6/Server/x86_64/os (RTT test result is pass for x86_64 arch)

# rpm -q openssh-clients
openssh-clients-5.3p1-60.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. install a fresh OS based on the above installation tree
2. use ssh to connect to itself
3. check /var/log/messages
  
Actual results:

$ ssh -X root.xx.xx
Read from socket failed: Connection reset by peer

Expected results:
Fix it.

Additional info:

# ll /etc/ssh/ssh_host_rsa_key
-rw-r-----. 1 root root 1675 Jul 12 16:36 /etc/ssh/ssh_host_rsa_key

# ll /etc/ssh/ssh_host_dsa_key
-rw-r-----. 1 root root 668 Jul 12 16:36 /etc/ssh/ssh_host_dsa_key

$ sudo  tail -31 /var/log/messages
Jul 13 13:50:45 localhost sshd[6579]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Jul 13 13:50:45 localhost sshd[6579]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:50:45 localhost sshd[6579]: error: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Jul 13 13:50:45 localhost sshd[6579]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:50:45 localhost sshd[6579]: error: This private key will be ignored.
Jul 13 13:50:45 localhost sshd[6579]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:50:45 localhost sshd[6579]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:50:45 localhost sshd[6579]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:50:45 localhost sshd[6579]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Jul 13 13:50:45 localhost sshd[6579]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:50:45 localhost sshd[6579]: error: Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
Jul 13 13:50:45 localhost sshd[6579]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:50:45 localhost sshd[6579]: error: This private key will be ignored.
Jul 13 13:50:45 localhost sshd[6579]: error: bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
Jul 13 13:50:45 localhost sshd[6579]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Jul 13 13:52:04 localhost sshd[6590]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:52:04 localhost sshd[6590]: error: This private key will be ignored.
Jul 13 13:52:04 localhost sshd[6590]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
Jul 13 13:52:04 localhost sshd[6590]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:52:04 localhost sshd[6590]: error: This private key will be ignored.
Jul 13 13:52:04 localhost sshd[6590]: error: bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key

Comment 1 Eric Sandeen 2011-07-14 04:18:05 UTC
Shouldn't this bug be filed against openssh(-server) rather than the kernel?

Comment 2 Eric Sandeen 2011-07-14 04:21:25 UTC
And FWIW, the sshd initscript from openssh-server-5.3p1-20.el6.x86_64 does:

do_dsa_keygen() {
        if [ ! -s $DSA_KEY ]; then
                echo -n $"Generating SSH2 DSA host key: "
                rm -f $DSA_KEY
                if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $DSA_KEY
                        chmod 644 $DSA_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $DSA_KEY.pub
                        fi
                        success $"DSA key generation"
                        echo
                else
                        failure $"DSA key generation"
                        echo
                        exit 1
                fi
        fi
}

and similar for RSA; it looks like it explicitly does this chmod, so why is it showing up as og+r for you I wonder?

Comment 3 Alex Jia 2011-07-14 06:44:34 UTC

(In reply to comment #1)
> Shouldn't this bug be filed against openssh(-server) rather than the kernel?

Hi Eric,

Yeah, I have changed component to openssh.

Thanks,
Alex

Comment 4 Alex Jia 2011-07-14 06:57:25 UTC
(In reply to comment #2)
> And FWIW, the sshd initscript from openssh-server-5.3p1-20.el6.x86_64 does:
> 
>         if [ ! -s $DSA_KEY ]; then
>                 echo -n $"Generating SSH2 DSA host key: "
>                 rm -f $DSA_KEY
>                 if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
>                         chmod 600 $DSA_KEY

I guess you haven't installed the RHEL6.2-20110623.n.0/6/Server tree. It's okay on my rhel6.1 OS, where the above line is the same as yours; however, for the RHEL6.2-20110623.n.0 tree, my sshd initscript is as follows:

do_rsa1_keygen() {
        if [ ! -s $RSA1_KEY ]; then
                echo -n $"Generating SSH1 RSA host key: "
                rm -f $RSA1_KEY
                if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                        chgrp ssh_keys $RSA1_KEY
                        chmod 640 $RSA1_KEY
                        chmod 644 $RSA1_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $RSA1_KEY.pub
                        fi
                        success $"RSA1 key generation"
                        echo
                else
                        failure $"RSA1 key generation"
                        echo
                        exit 1
                fi
        fi
}
......

Note, mode is 640 not 600.


> 
> and similar for RSA; it looks like it explicitly does this chmod, so why is it
> showing up as og+r for you I wonder?

Please see the above sshd initscript; I haven't made any modifications.

Thanks for your nice comment,
Alex
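
The permission check discussed in comments 2 and 4, as an added example that is not part of the bug report or of the openssh initscript: shell functions that flag key files with any group or other permission bit set (a generalization of the 0640 case in the log above) and extract the affected paths from sshd log lines. It assumes GNU stat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; assumes GNU stat (coreutils). Function names are illustrative.

# key_mode_too_open FILE: exit 0 when any group/other permission bit is set
# (0640 qualifies, 0600 does not); exit 2 when FILE cannot be stat'ed.
key_mode_too_open() {
    mode=$(stat -c '%a' -- "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# audit_host_keys FILE...: print one status line per key file and return
# non-zero if any file is missing or too open.
audit_host_keys() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING - $f"; rc=1
        elif key_mode_too_open "$f"; then
            echo "TOO_OPEN $mode $f"; rc=1
        else
            echo "OK $mode $f"
        fi
    done
    return $rc
}

# flagged_keys_from_log: read syslog text on stdin, print "<mode> <path>"
# once per key file that sshd reported as too open.
flagged_keys_from_log() {
    sed -n "s/.*sshd\[[0-9]*\]: error: Permissions \([0-7]*\) for '\(.*\)' are too open\.\$/\1 \2/p" | sort -u
}

# Three lines copied from the log excerpt in the report (rsa appears twice).
SAMPLE_LOG="Jul 13 13:50:45 localhost sshd[6579]: error: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Jul 13 13:50:45 localhost sshd[6579]: error: Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
Jul 13 13:52:04 localhost sshd[6590]: error: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open."

printf '%s\n' "$SAMPLE_LOG" | flagged_keys_from_log
```

On a live host the audit would be run as root, for example `audit_host_keys /etc/ssh/ssh_host_*_key`.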

Comment 5 Jan F. Chadima 2011-07-14 07:32:58 UTC

*** This bug has been marked as a duplicate of bug 715326 ***