RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2002850 - The CIS profile sets /etc/ssh/*key to 640 which prevents sshd from starting
Summary: The CIS profile sets /etc/ssh/*key to 640 which prevents sshd from starting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.4
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Vojtech Polasek
QA Contact: Milan Lysonek
Khushbu Borole
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-09-09 20:23 UTC by jcastran
Modified: 2022-12-12 21:14 UTC (History)
7 users (show)

Fixed In Version: scap-security-guide-0.1.59-1.el8
Doc Type: Bug Fix
Doc Text:
.CIS profile no longer blocks the SSH service Previously, the `xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key` rule by default set the permissions to `640` on SSH private keys. As a consequence, the SSH daemon did not start. This update removes the `file_permissions_sshd_private_key` rule from the CIS profile and as a result, the SSH service works correctly.
Clone Of:
Environment:
Last Closed: 2022-05-10 14:14:34 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-96707 0 None None None 2021-09-09 20:24:16 UTC
Red Hat Product Errata RHBA-2022:1900 0 None None None 2022-05-10 14:14:44 UTC

Description jcastran 2021-09-09 20:23:56 UTC 
Description of problem:
This rule:
<xccdf-1.2:fix id="file_permissions_sshd_private_key" system="urn:xccdf:fix:script:puppet">include ssh_private_key_perms

Sets the permissions to 640 for /etc/ssh/*key

class ssh_private_key_perms {
  exec { 'sshd_priv_key':
    command =&gt; "chmod 0640 /etc/ssh/*_key",
    path    =&gt; '/bin:/usr/bin'
  }

Which then stops sshd from running because sshd does not want any permission on Group or Other.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.54-5.el8.noarch

How reproducible:
Everytime

Steps to Reproduce:
1. Apply the CIS profile
2. systemctl restart sshd

Actual results:
# systemctl restart sshd
  Job for sshd.service failed because the control process exited with error code.
  See "systemctl status sshd.service" and "journalctl -xe" for details.

# journalctl -xe
  -- Unit sshd.service has begun starting up.
  Sep 09 13:56:44 r8 sshd[747733]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  Sep 09 13:56:44 r8 sshd[747733]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
  Sep 09 13:56:44 r8 sshd[747733]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  Sep 09 13:56:44 r8 sshd[747733]: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
  Sep 09 13:56:44 r8 sshd[747733]: It is required that your private key files are NOT accessible by others.
  Sep 09 13:56:44 r8 sshd[747733]: This private key will be ignored.
  Sep 09 13:56:44 r8 sshd[747733]: Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
  Sep 09 13:56:44 r8 sshd[747733]: Unable to load host key: /etc/ssh/ssh_host_rsa_key

Expected results:
The profile should not change the keys to 640. There appears to be caveats for other os's

template:
    name: file_permissions
    vars:
        filepath: /etc/ssh/
        missing_file_pass: 'true'
        file_regex: ^.*_key$
        filemode: '0640'
        filemode@sle12: '0600'
        filemode@sle15: '0600'
        filemode@ubuntu1604: '0600'
        filemode@ubuntu1804: '0600'
        filemode@ubuntu2004: '0600'

The default should be 600 instead of fixing this per os since the default is not a valid permission for sshd.

Additional info:
https://github.com/ComplianceAsCode/content/blob/086d4e74bb750c6e03958670fb2dcab4a8c2b582/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml#L57

https://github.com/openssh/openssh-portable/blob/2dc328023f60212cd29504fc05d849133ae47355/authfile.c#L104
Comment 1 Gabriel Gaspar Becker 2021-09-13 16:12:45 UTC 
This rule is incorrectly being used by the CIS profile provided in scap-security-guide package. The RHEL8 CIS benchmark reference number 5.2.3 states that the permissions should be 0600 and also owner and group owner should be root:root.

This rule only works when the group owner of /etc/ssh/*_key files is set to ssh_keys which is the default for a clean RHEL installation. But there are some cases where regenerated keys are created with root group owner and the rule file_permissions_sshd_private_key is not aware of it. Later versions of this content unselect this rule from the CIS profile because it's not aligned. A new rule is probably going to be created to fully fulfill the CIS requirement.

DISA STIG states that the permissions should be 0640 for these files, hence the conflict and need for a new rule.
Comment 3 Vojtech Polasek 2021-09-14 08:52:52 UTC 
This has been fixed upstream by removing the problematic rule from the profile:
https://github.com/ComplianceAsCode/content/pull/6976
We need a new rule which will work properly.
Comment 4 Watson Yuuma Sato 2021-10-19 11:49:54 UTC 
I believe this patch addresses the bug: https://github.com/ComplianceAsCode/content/pull/7742
Comment 18 errata-xmlrpc 2022-05-10 14:14:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1900
Note You need to log in before you can comment on or make changes to this bug.