Description of problem:
/etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key have 'r' permissions for others. I can resolve this issue by manually changing these 2 files' permissions to 600 instead of 640.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-160.el6.x86_64

Note: installation tree is http://download.englab.nay.redhat.com/pub/rhel/nightly/RHEL6.2-20110623.n.0/6/Server/x86_64/os (RTT test result is pass for x86_64 arch)

# rpm -q openssh-clients
openssh-clients-5.3p1-60.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. install a fresh OS based on the above installation tree
2. use ssh to connect to itself
3. check /var/log/messages

Actual results:
$ ssh -X root.xx.xx
Read from socket failed: Connection reset by peer

Expected results:
Fix it.

Additional info:
# ll /etc/ssh/ssh_host_rsa_key
-rw-r-----. 1 root root 1675 Jul 12 16:36 /etc/ssh/ssh_host_rsa_key
# ll /etc/ssh/ssh_host_dsa_key
-rw-r-----. 1 root root 668 Jul 12 16:36 /etc/ssh/ssh_host_dsa_key

$ sudo tail -31 /var/log/messages
Jul 13 13:50:45 localhost sshd[6579]: error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Jul 13 13:50:45 localhost sshd[6579]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:50:45 localhost sshd[6579]: error: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Jul 13 13:50:45 localhost sshd[6579]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:50:45 localhost sshd[6579]: error: This private key will be ignored.
Jul 13 13:50:45 localhost sshd[6579]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:50:45 localhost sshd[6579]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:50:45 localhost sshd[6579]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:50:45 localhost sshd[6579]: error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Jul 13 13:50:45 localhost sshd[6579]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:50:45 localhost sshd[6579]: error: Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
Jul 13 13:50:45 localhost sshd[6579]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:50:45 localhost sshd[6579]: error: This private key will be ignored.
Jul 13 13:50:45 localhost sshd[6579]: error: bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
Jul 13 13:50:45 localhost sshd[6579]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Jul 13 13:52:04 localhost sshd[6590]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:52:04 localhost sshd[6590]: error: This private key will be ignored.
Jul 13 13:52:04 localhost sshd[6590]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Jul 13 13:52:04 localhost sshd[6590]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 13 13:52:04 localhost sshd[6590]: error: Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
Jul 13 13:52:04 localhost sshd[6590]: error: It is recommended that your private key files are NOT accessible by others.
Jul 13 13:52:04 localhost sshd[6590]: error: This private key will be ignored.
Jul 13 13:52:04 localhost sshd[6590]: error: bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
Jul 13 13:52:04 localhost sshd[6590]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Shouldn't this bug be filed against openssh(-server) rather than the kernel?
And FWIW, the sshd initscript from openssh-server-5.3p1-20.el6.x86_64 does:

    if [ ! -s $DSA_KEY ]; then
        echo -n $"Generating SSH2 DSA host key: "
        rm -f $DSA_KEY
        if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
            chmod 600 $DSA_KEY
            chmod 644 $DSA_KEY.pub
            if [ -x /sbin/restorecon ]; then
                /sbin/restorecon $DSA_KEY.pub
            fi
            success $"DSA key generation"
            echo
        else
            failure $"DSA key generation"
            echo
            exit 1
        fi
    fi
}

and similar for RSA; it looks like it explicitly does this chmod, so why is it showing up as og+r for you I wonder?
(In reply to comment #1)
> Shouldn't this bug be filed against openssh(-server) rather than the kernel?

Hi Eric,

Yeah, I have changed the component to openssh.

Thanks,
Alex
(In reply to comment #2)
> And FWIW, the sshd initscript from openssh-server-5.3p1-20.el6.x86_64 does:
>
> if [ ! -s $DSA_KEY ]; then
> echo -n $"Generating SSH2 DSA host key: "
> rm -f $DSA_KEY
> if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N
> '' >&/dev/null; then
> chmod 600 $DSA_KEY

I guess you haven't installed the RHEL6.2-20110623.n.0/6/Server tree. It's okay for my rhel6.1 OS, where the above line is the same as yours; however, for the RHEL6.2-20110623.n.0 tree, my sshd initscript is as follows:

do_rsa1_keygen() {
    if [ ! -s $RSA1_KEY ]; then
        echo -n $"Generating SSH1 RSA host key: "
        rm -f $RSA1_KEY
        if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
            chgrp ssh_keys $RSA1_KEY
            chmod 640 $RSA1_KEY
            chmod 644 $RSA1_KEY.pub
            if [ -x /sbin/restorecon ]; then
                /sbin/restorecon $RSA1_KEY.pub
            fi
            success $"RSA1 key generation"
            echo
        else
            failure $"RSA1 key generation"
            echo
            exit 1
        fi
    fi
}
......

Note, the mode is 640, not 600.

>
> and similar for RSA; it looks like it explicitly does this chmod, so why is it
> showing up as og+r for you I wonder?

Please see the above sshd initscript; I haven't made any modification.

Thanks for your nice comment,
Alex
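As an added example, not code from the bug report or from the openssh package, the script below applies the same test sshd logs above (the group and other permission bits of a host private key must be zero) to audit the keys under /etc/ssh, and optionally applies the reporter's manual fix of chmod 600; the function names and the default directory are this example's own choices.

```shell
#!/bin/sh
# Audit sshd host private keys the way sshd's permission check does and
# report keys sshd would refuse to load ("Permissions 0640 ... are too open").
# Added example; the function names are this script's own.

# Octal permission bits of a file (e.g. 640); GNU stat first, BSD as fallback.
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Classify one private key: OK, TOO_OPEN or MISSING. sshd ignores a key whose
# group or other bits are set (mode & 077 != 0), which is exactly what the
# 0640 keys in the report trip over.
check_key() {
    key=$1
    [ -f "$key" ] || { echo MISSING; return 1; }
    mode=$(key_mode "$key")
    go=${mode#${mode%??}}          # last two octal digits: group and other
    if [ "$go" = "00" ]; then
        echo OK
        return 0
    fi
    echo TOO_OPEN
    return 1
}

# Audit every ssh_host_*_key in a directory (default /etc/ssh), printing
# "<status> <mode> <path>" per key; non-zero exit if sshd would ignore any.
audit_host_keys() {
    dir=${1:-/etc/ssh}
    rc=0
    for key in "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue   # glob matched nothing
        status=$(check_key "$key") || rc=1
        printf '%s %s %s\n' "$status" "$(key_mode "$key")" "$key"
    done
    return $rc
}

# Repair: the fix the reporter applied by hand, limited to flagged keys.
fix_host_keys() {
    dir=${1:-/etc/ssh}
    for key in "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        check_key "$key" >/dev/null || chmod 600 "$key"
    done
}
```

Run `audit_host_keys` on its own first; the group-owned 640 layout used by the newer initscript is still reported as TOO_OPEN because that is what the sshd in the report does.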
*** This bug has been marked as a duplicate of bug 715326 ***