Description of problem:
I updated to Fedora 21 using Fedup, and a new private key file was created with the incorrect permissions (too open):

# ls -l /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root 387 Nov 23 18:33 /etc/ssh/ssh_host_ed25519_key

Also, the other keys have group ownership of ssh_keys:

# ls -l /etc/ssh/ssh_host{_dsa,_rsa,}_key
-rw-r-----. 1 root ssh_keys  668 May 25  2012 /etc/ssh/ssh_host_dsa_key
-rw-r-----. 1 root ssh_keys  965 May 25  2012 /etc/ssh/ssh_host_key
-rw-r-----. 1 root ssh_keys 1675 May 25  2012 /etc/ssh/ssh_host_rsa_key

Version-Release number of selected component (if applicable):
Name    : openssh
Version : 6.6.1p1
Release : 8.fc21

systemctl status sshd shows:

Nov 24 05:00:03 x sshd[18303]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Nov 24 05:00:03 x sshd[18303]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Nov 24 05:00:03 x sshd[18303]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Nov 24 05:00:03 x sshd[18303]: error: Permissions 0644 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Nov 24 05:00:03 x sshd[18303]: error: It is required that your private key files are NOT accessible by others.
Nov 24 05:00:03 x sshd[18303]: error: This private key will be ignored.
Nov 24 05:00:03 x sshd[18303]: error: bad permissions: ignore key: /etc/ssh/ssh_host_ed25519_key
Nov 24 05:00:03 x sshd[18303]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Is it possible that you had created ed25519 keys manually before?

When you remove the /etc/ssh/ssh_host_ed25519_key* files and regenerate them using:

# systemctl start sshd-keygen.service

is everything ok?

Would it be possible to collect logs from the update and check how the ed25519 keys were created?
(In reply to Petr Lautrbach from comment #1)
> Is it possible that you had created ed25519 keys manually before?

I don't think so.

> When you remove the /etc/ssh/ssh_host_ed25519_key* files and regenerate them using:
>
> # systemctl start sshd-keygen.service
>
> is everything ok?

Yes, when doing this everything is ok.

> Would it be possible to collect logs from the update and check how the ed25519 keys were created?

I didn't do this update in a virtual machine, so unless I can get this information from existing logs, this will be difficult.

In experimenting with this, however, I think maybe etckeeper is responsible for the bad permissions. I was removing/modifying the keys as requested above, and when I did "git checkout -- ." in order to reset the state, the keys went back to the incorrect perms. So it's probably an etckeeper operation after install that did this.
I'm closing this bug as WORKSFORME for now. If you find out something else related to this issue and openssh, feel free to reopen it. Or if you think it's etckeeper issue, please file a new bug to the right component.
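The permission rule behind the "UNPROTECTED PRIVATE KEY FILE" errors above, written out as a pre-flight check so the condition can be caught before sshd silently drops a host key. This is an added example, not code from openssh or from the Fedora package. It assumes GNU coreutils stat (Linux) and models the two layouts seen in the ticket: 0600 root-owned (what upstream sshd requires, no group or other bits at all) and 0640 with group ssh_keys (the layout of the other host keys in the ls output, which sshd on this system loads without complaint). The ssh_keys allowance and the KEY_OWNER / KEY_GROUP overrides are the example's own assumptions, added so the check can also be run as an unprivileged user against test files.

```shell
#!/bin/sh
# Added example (not part of openssh or the Fedora openssh package): check
# private host keys for the "Permissions ... are too open" condition that makes
# sshd ignore a key, and offer the fix.
#
# Assumptions: GNU stat; keys are owned by KEY_OWNER and are either 0600 or
# 0640 with group KEY_GROUP (defaults root / ssh_keys, matching the ticket).
KEY_OWNER=${KEY_OWNER:-root}
KEY_GROUP=${KEY_GROUP:-ssh_keys}

# host_key_perm_ok FILE
# Returns 0 if sshd would load FILE, 1 if it would ignore it as too open (or
# it is not owned by KEY_OWNER), 2 if FILE does not exist.
host_key_perm_ok() {
    key=$1
    [ -f "$key" ] || { echo "$key: missing"; return 2; }
    # stat prints e.g. "644 root root" or "2640 root ssh_keys"; keep the last
    # three digits of the mode (drop setuid/setgid/sticky) and read them as octal.
    set -- $(stat -c '%a %U %G' "$key")
    mode=$1 owner=$2 group=$3
    perm=${mode#"${mode%???}"}
    bits=$((0$perm))

    # sshd only applies its mode test to files owned by the uid it runs as; a
    # host key owned by anyone else is a misconfiguration, so reject it here.
    if [ "$owner" != "$KEY_OWNER" ]; then
        echo "$key: owned by $owner, expected $KEY_OWNER"
        return 1
    fi
    # Upstream rule: no group or other permission bits at all (mask 077).
    if [ $((bits & 077)) -eq 0 ]; then
        echo "$key: ok ($perm $owner:$group)"
        return 0
    fi
    # Group read is tolerated only for the dedicated key group, and only read:
    # no group write/execute and nothing for others (mask 037).
    if [ $((bits & 037)) -eq 0 ] && [ "$group" = "$KEY_GROUP" ]; then
        echo "$key: ok ($perm $owner:$group, group-readable by $KEY_GROUP)"
        return 0
    fi
    echo "$key: too open ($perm $owner:$group); sshd will ignore this key"
    return 1
}

# host_key_perm_fix FILE
# Tightens FILE to 0600 KEY_OWNER, the setting that satisfies the upstream
# check on any system. Restart sshd afterwards so it reloads the key.
host_key_perm_fix() {
    chown "$KEY_OWNER" "$1" && chmod 0600 "$1" && host_key_perm_ok "$1"
}

# check_host_keys [DIR]
# Checks every private host key in DIR (default /etc/ssh); returns 1 if any
# of them would be ignored by sshd.
check_host_keys() {
    dir=${1:-/etc/ssh}
    rc=0
    for k in "$dir"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        host_key_perm_ok "$k" || rc=1
    done
    return $rc
}
```

On the reporter's system `check_host_keys` would report the ed25519 key as too open and the three ssh_keys-owned keys as ok; `host_key_perm_fix /etc/ssh/ssh_host_ed25519_key` followed by `systemctl restart sshd` is the in-place repair, and removing the key pair and running `systemctl start sshd-keygen.service` (comment 1) is the regenerate-from-scratch alternative. The etckeeper observation in comment 2 is consistent with how git works: git records only whether a file is executable, not its full mode or ownership, so a plain `git checkout -- .` writes files back at the umask default (0644 here), which is why etckeeper keeps a separate metadata file for modes and ownership and restores it on checkout.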