
Bug 720888

Summary: ssh private key files should be not accessible by others
Product: Red Hat Enterprise Linux 6
Reporter: Alex Jia <ajia>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: high
Version: 6.2
CC: esandeen, rwu
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-07-14 07:32:58 UTC

Description Alex Jia 2011-07-13 06:29:09 UTC
Description of problem:
/etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key have 'r' permissions for others.

I can resolve this issue by manually changing these 2 files' permissions to 600 instead of 640.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-160.el6.x86_64

Note: installation tree is http://download.englab.nay.redhat.com/pub/rhel/nightly/RHEL6.2-20110623.n.0/6/Server/x86_64/os (RTT test result is pass for x86_64 arch)

# rpm -q openssh-clients
openssh-clients-5.3p1-60.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. install a fresh OS based on above installation tree
2. use ssh to connect itself
3. check /var/log/messages
  
Actual results:

$ ssh -X root.xx.xx
Read from socket failed: Connection reset by peer

Expected results:
Fix it.

Additional info:

# ll /etc/ssh/ssh_host_rsa_key
-rw-r-----. 1 root root 1675 Jul 12 16:36 /etc/ssh/ssh_host_rsa_key

# ll /etc/ssh/ssh_host_dsa_key
-rw-r-----. 1 root root 668 Jul 12 16:36 /etc/ssh/ssh_host_dsa_key

$ sudo  tail -31 /var/log/messages
Jul 13 13:50:45 localhost sshd[6579]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Jul 13 13:50:45 localhost sshd[6579]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:50:45 localhost sshd[6579]: error: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Jul 13 13:50:45 localhost sshd[6579]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:50:45 localhost sshd[6579]: error: This private key will be ignored.
Jul 13 13:50:45 localhost sshd[6579]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:50:45 localhost sshd[6579]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:50:45 localhost sshd[6579]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:50:45 localhost sshd[6579]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Jul 13 13:50:45 localhost sshd[6579]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:50:45 localhost sshd[6579]: error: Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
Jul 13 13:50:45 localhost sshd[6579]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:50:45 localhost sshd[6579]: error: This private key will be ignored.
Jul 13 13:50:45 localhost sshd[6579]: error: bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
Jul 13 13:50:45 localhost sshd[6579]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Jul 13 13:52:04 localhost sshd[6590]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:52:04 localhost sshd[6590]: error: This private key will be ignored.
Jul 13 13:52:04 localhost sshd[6590]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
Jul 13 13:52:04 localhost sshd[6590]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:52:04 localhost sshd[6590]: error: This private key will be ignored.
Jul 13 13:52:04 localhost sshd[6590]: error: bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key

Comment 1 Eric Sandeen 2011-07-14 04:18:05 UTC
Shouldn't this bug be filed against openssh(-server) rather than the kernel?

Comment 2 Eric Sandeen 2011-07-14 04:21:25 UTC
And FWIW, the sshd initscript from openssh-server-5.3p1-20.el6.x86_64 does:

        if [ ! -s $DSA_KEY ]; then
                echo -n $"Generating SSH2 DSA host key: "
                rm -f $DSA_KEY
                if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $DSA_KEY
                        chmod 644 $DSA_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $DSA_KEY.pub
                        fi
                        success $"DSA key generation"
                        echo
                else
                        failure $"DSA key generation"
                        echo
                        exit 1
                fi
        fi
}

and similar for RSA; it looks like it explicitly does this chmod, so why is it showing up as og+r for you I wonder?

Comment 3 Alex Jia 2011-07-14 06:44:34 UTC

(In reply to comment #1)
> Shouldn't this bug be filed against openssh(-server) rather than the kernel?

Hi Eric,

Yeah, I have changed component to openssh.

Thanks,
Alex

Comment 4 Alex Jia 2011-07-14 06:57:25 UTC
(In reply to comment #2)
> And FWIW, the sshs initscript from openssh-server-5.3p1-20.el6.x86_64 does:
> 
>         if [ ! -s $DSA_KEY ]; then
>                 echo -n $"Generating SSH2 DSA host key: "
>                 rm -f $DSA_KEY
>                 if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N
> '' >&/dev/null; then
>                         chmod 600 $DSA_KEY

I guess you haven't installed the RHEL6.2-20110623.n.0/6/Server tree. On my RHEL 6.1 OS the above line is the same as yours; however, for the RHEL6.2-20110623.n.0 tree my sshd initscript is as follows:

do_rsa1_keygen() {
        if [ ! -s $RSA1_KEY ]; then
                echo -n $"Generating SSH1 RSA host key: "
                rm -f $RSA1_KEY
                if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                        chgrp ssh_keys $RSA1_KEY
                        chmod 640 $RSA1_KEY
                        chmod 644 $RSA1_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $RSA1_KEY.pub
                        fi
                        success $"RSA1 key generation"
                        echo
                else
                        failure $"RSA1 key generation"
                        echo
                        exit 1
                fi
        fi
}
......

Note: the mode is 640, not 600.


> 
> and similar for RSA; it looks like it explicitly does this chmod, so why is it
> showing up as og+r for you I wonder?

Please see the above sshd initscript; I haven't made any modifications.

Thanks for your nice comment,
Alex
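
As an added example that is not part of this bug report or of the openssh package: a small POSIX shell audit that re-implements the owner-only permission test behind the "Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open" lines logged in the description (a key is refused when any group or other bit is set, i.e. mode & 077 is non-zero), so the mismatch shown in comment 4 (the newer initscript doing chgrp ssh_keys and chmod 640 while this sshd build still demands 600) is caught before sshd silently drops a host key. The function names, the GNU "stat -c %a" call and the sample files are assumptions of this example; the RHEL ssh_keys group allowance that later builds add is deliberately not modelled.

```shell
#!/bin/sh
# Added example, not code from the bug report or the openssh package.
# Re-implements the permission test behind sshd's
# "Permissions 0640 for '...' are too open" error: a private key is
# ignored when any group or other bit is set, i.e. (mode & 077) != 0.
# The RHEL ssh_keys group exception (chgrp ssh_keys; chmod 640) is not
# modelled.  Assumes GNU coreutils stat (stat -c %a).

# key_mode_ok MODE: MODE is an octal string such as 600 or 640.
# Returns 0 when the key is private to its owner, 1 otherwise.
key_mode_ok() {
    # A leading 0 makes the shell parse the string as octal; then mask
    # the group and other bits exactly as sshd does.
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# file_mode FILE: print the permission bits of FILE in octal.
file_mode() {
    stat -c %a "$1"
}

# check_key FILE: report whether sshd would load or ignore the key.
# Returns 0 for an acceptable key, 1 for one that is too open.
check_key() {
    mode=$(file_mode "$1") || return 1
    if key_mode_ok "$mode"; then
        printf 'ok        %s (mode %s)\n' "$1" "$mode"
        return 0
    fi
    printf 'too open  %s (mode %s): sshd would ignore this key\n' "$1" "$mode"
    return 1
}

# audit_key_dir DIR: check every *_key file in DIR (the *.pub files are
# skipped by the pattern).  Prints one line per key and returns the
# number of keys sshd would refuse, capped at 255 for the exit status.
audit_key_dir() {
    bad=0
    for key in "$1"/*_key; do
        [ -f "$key" ] || continue
        check_key "$key" || bad=$((bad + 1))
    done
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Usage on a live system (as root):  audit_key_dir /etc/ssh
```

Run against /etc/ssh the function exits non-zero when at least one host key would be ignored, which makes it usable as a post-install or kickstart check; the same test applied to ~/.ssh/id_* files reproduces the client-side warning from the same OpenSSH code path.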

Comment 5 Jan F. Chadima 2011-07-14 07:32:58 UTC

*** This bug has been marked as a duplicate of bug 715326 ***