From Fedora Project Wiki

Restore stricter SSH hostkeys permissions

Summary

We want to - drop a downstream-only patch to ssh permitting group-readable ssh host keys - drop a ssh_keys group - restore suid bit instead of sgid on a helper utility ssh-keysign

Owner


Current status

Detailed Description

Many years ago we implemented the patch https://src.fedoraproject.org/rpms/openssh/c/1ddd0ee5 Unfortunately, as it was 11 years ago, we can't find the exact explanation where did the requirement come from. We think that we intended to increase security, but it probably caused more confusion than gain of the security over the years.

The patch allows have more relaxed permissions for the private keys than upstream OpenSSH permits - 0640 instead of 0600, and the key file must belong to the ssh_keys group. The ssh_keysign utility was simultaneously changed from suid root to sgid ssh_keys.

The side effect of this solution is that ssh with hostbased auth (HBA) started to fail after changing group ID ( with newgrp, etc.). In case of HBA ssh invokes ssh-keysign that does a lot of sanity checks including groups checks. The workaround is returning setuid bit instead of sgid, and we recommend it to our clients.

Some more information is available in https://bugzilla.redhat.com/show_bug.cgi?id=1498845

As this problem affects several clients, and it is a deviation from upstream (the similar patch was rejected by upstream), we want to drop this downstream patch in Fedora. We also can get rid of a designated ssh_keys group

The proposed changes are available https://src.fedoraproject.org/rpms/openssh/pull-request/37

Feedback

Benefit to Fedora

We reduce deviation from upstream and reduce maintenance cost for customers.


Scope

  • Proposal owners:
  • Other developers: <Developers managing SSH host keys beyond the standard scenarios will be affected.
  • Release engineering: Not affected
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

The problem we expect is that after implementing the change we can lose the remote access to the hosts because sshd will reject starting because of group reading permissions. This should be covered by upgrade script, though we still may come across some issues, especially if you use host keys in non-standard location.

There is possible risk with config mgmt tools like puppet/ansible, that might be managing SSH host keys and their permissions/ownership.


How To Test

sshd successfully starts on the freshly installed systems and systems remain remotely accessable via SSH. sshd successfully restarts on the upgraded systems and systems remain remotely accessable via SSH.


User Experience

This change shouldn't be noticeable by users.


Dependencies

No other changes may affect this change.


Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) Revert the patch
  • Contingency deadline:
  • Blocks release?


Documentation

https://src.fedoraproject.org/rpms/openssh/pull-request/37 is a patch, and there should be a some RN item describing the change in details.

Release Notes

TBD

Retrieved from "https://fedoraproject.org/w/index.php?title=Changes/SSHKeySignSuidBit&oldid=664549"