Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change private key permissions to 600 #6833

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Change private key permissions to 600 #6833

wants to merge 1 commit into from

Conversation

nealep
Copy link

@nealep nealep commented Sep 21, 2020

The PR is to fix issue #6832

Some versions of OpenSSH will not load private keys with permissive permissions. Setting permission to 600 allows OpenSSH to start and load the created private keys and avoid some downstream errors during postbootscript sequences.

The modification include

  • postscripts/remoteshell - changes the permissions of private keys from 640 to 600

@nealep
Change private key permissions to 600
6bcc111 
OpenSSH will not load private keys with permissive permissions. Setting permission to 600 allows OpenSSH to start and load the created private keys.
@besawn
Copy link
Member

besawn commented Sep 29, 2020

@nealep Thank you again for the pull request. The pull requests you have opened recently have been very helpful; I think it would greatly benefit the xCAT project if you could formally join the project as a contributor. Are you interested in joining the project as a contributor by submitting a Contributor License Agreement?

@besawn besawn self-assigned this Sep 29, 2020
@nealep
Copy link
Author

nealep commented Sep 29, 2020

Sure, that'd be great! I'll have to get the CCLA put through legal, though, which will take some time.

@besawn
Copy link
Member

besawn commented Sep 29, 2020

@nealep I understand that obtaining legal approvals can be time consuming, so for these existing pull requests, the xCAT core team may create equivalent pull requests to address these issues so the changes can be included in the next release. In the long term, we do appreciate your support of the project in whatever manner is most efficient for you. If you are able and willing to pursue getting approval to submit a CLA and CCLA, we would be happy to have you become a formal xCAT contributor. If that process becomes too much of a burden, we still welcome your participation, even if we are not able to directly accept pull requests. Thanks again!

@nealep
Copy link
Author

nealep commented Sep 29, 2020

I'm going to go ahead and submit the CCLA to the legal folks. No idea what the turn around time might be so in the meantime it's probably worth the xCAT maintainers making a duplicate PR for this and xcat2/goconserver#64 then pulling in the changes that way. I'm sure you'll hear from me when the form gets signed!

@cxhong
Copy link
Contributor

cxhong commented Sep 29, 2020

I couldn't recreate issue #6832 with centos7.8 images and rhels8.2 images.
But according the man page:

/etc/ssh/ssh_host_ecdsa_key
     /etc/ssh/ssh_host_ed25519_key
     /etc/ssh/ssh_host_rsa_key
             These files contain the private parts of the host keys.  These files should only be
             owned by root, readable only by root, and not accessible to others.  Note that sshd
             does not start if these files are group/world-accessible.

we should change the permission to 600. only allow root to read/write.
I verified this PR on centos7.8/x86_64 and rhels8.2/ppc64le, didn't hit any issues. I think should be ready to merge

@cxhong cxhong mentioned this pull request Sep 30, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@besawn besawn

Labels
status:require-cla
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@nealep @besawn @cxhong