[Cialug] SSH Host Key Permissions

Todd Walton tdwalton at gmail.com
Tue Mar 19 13:10:50 UTC 2019


OpenSSH insists that you have certain files set with the right
permissions. You can find gads out there about your home directory's
".ssh" directory and the permissions it and its contents should have.
But there are also certain permissions that it wants you to have
(insists that you have) on the host keys found in /etc/ssh/.
Apparently 0640 is not acceptable, even though that's what I find on
various servers, and that's what works for this guy:
https://bugzilla.redhat.com/show_bug.cgi?id=1167402 . He's using
Fedora. I'm running CentOS. On my local RHEL workstation, here's what
I find at this very moment:

todd $ ls -l /etc/ssh/ssh_host*key
-rw-r-----. 1 root ssh_keys  227 Jan 29 20:22 /etc/ssh/ssh_host_ecdsa_key
-rw-r-----. 1 root ssh_keys  387 Jan 29 20:22 /etc/ssh/ssh_host_ed25519_key
-rw-r-----. 1 root ssh_keys 1679 Jan 29 20:22 /etc/ssh/ssh_host_rsa_key

I didn't generate those. I haven't touched them. So, that must be
official, right? I can SSH to my workstation, so 0640 on the host keys
must be okay. So I was generating ed25519 host keys yesterday by
running this on a number of servers:

if ! test -f /etc/ssh/ssh_host_ed25519_key; then ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -t ed25519; fi

And then, because I found such a mix of permissions on the host keys, I did:

chmod 0640 /etc/ssh/ssh_host_*_key

You know... without testing one server first... because it's pretty
clear that 0640 is acceptable! It's not acceptable. I'm locked out
now. I try to SSH and the connection immediately is dropped by the
remote side, the side that now has 0640 on its host keys. I restarted
one of those servers and looked at the console output: "WARNING:
UNPROTECTED PRIVATE KEY FILE Permissions 0640 for
'/etc/ssh/ssh_host_rsa_key' are too open.". Too open my backside ya
damn... but I digress.

These are AWS EC2 instances. There is no interactive console possible.
Le sigh.....

Gotta figure out how I'm gonna fix this.

--
Todd
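A pre-restart check for exactly this failure, as an added example that is not part of Todd's post: it flags host keys sshd would refuse (any group/other bit set, the rule upstream OpenSSH applies to a private key owned by the user running the daemon), tightens them to 0600, and shows the validate-before-restart order. It assumes GNU coreutils stat; the ssh_keys group on the RHEL workstation's keys is a vendor-specific exception to that rule, which is why 0640 loads there, while the 0600 rule below is accepted by every build.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors the permission test
# OpenSSH applies when loading a private key: a key file owned by the user
# running sshd (root) is rejected if any group/other bit (mask 077) is set.
# Assumes GNU coreutils stat (Linux), as on the CentOS hosts in the post.

# audit_host_keys DIR
# Lists every ssh_host_*_key under DIR whose mode has any 077 bit set.
# Returns 0 when all keys would load, 1 when at least one would be refused.
audit_host_keys() {
    dir=$1
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")          # e.g. 640
        # Prefix 0 so the shell reads the mode as octal, then mask off
        # the owner bits; anything left is group/other access.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf 'too open: %s (mode %s)\n' "$key" "$mode"
            bad=1
        fi
    done
    return $bad
}

# fix_host_keys DIR
# Tightens every private host key under DIR to 0600. The public .pub files
# do not match the glob and are left alone; they are meant to be readable.
fix_host_keys() {
    dir=$1
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        chmod 0600 "$key"
    done
}

# Intended order on a real host, while you still have a session open:
# audit, fix, then validate the daemon config (sshd -t also loads the host
# keys) and only restart once that succeeds.
#   audit_host_keys /etc/ssh || fix_host_keys /etc/ssh
#   sshd -t && systemctl restart sshd
```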
