[Cialug] SSH Host Key Permissions

Todd Walton tdwalton at gmail.com
Fri Mar 22 13:05:33 UTC 2019


On Tue, Mar 19, 2019 at 1:37 PM Nicolai <nicolai-cialug at chocolatine.org> wrote:
> On Tue, Mar 19, 2019 at 12:38:35PM -0400, Todd Walton wrote:
> > But will that generate new host keys? I definitely don't want that.
>
> No it doesn't, read the manpage.  It does the right thing.

You're right. It doesn't overwrite existing host keys. But I'm not
entirely sure it does the right thing in all respects. I've looked at
a billion different servers and they're all over the place. ssh-keygen
has definitely always generated keys with 0600. That's consistent. But
some servers have them in the group "ssh-keys" and some don't. Some
allow me to SSH in even when permissions are 0640, most don't. And
then this... I set this script to run on startup:

#!/bin/bash
cp /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.userData.bak
cp /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.userData.bak
cp /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.userData.bak
cp /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.userData.bak
# remove only the key pair, not the .userData.bak copies made above
rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -A
chmod 0400 /etc/ssh/ssh_host_dsa_key
chmod 0400 /etc/ssh/ssh_host_rsa_key
chmod 0400 /etc/ssh/ssh_host_ecdsa_key
chmod 0400 /etc/ssh/ssh_host_ed25519_key
chmod 0700 /home/*/.ssh
chmod 0400 /home/*/.ssh/authorized_keys
chown -R ec2-user /home/ec2-user/.ssh
chown -R ttwalto /home/ttwalto/.ssh

But I still can't SSH in. Here's the console output:

Starting sshd: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key

You'd think ssh-keygen -A would have generated a key with the right
permissions, and if not that then "chmod 0400" would have done it!!!!!

Agh!!!!

--
Todd
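The banner in the console output above comes from the permission check in OpenSSH's key loader: a private key file owned by the user running sshd (root, for host keys) is rejected when any group or other permission bit is set, i.e. when `mode & 077` is non-zero, which is why 0640 fails and 0400 or 0600 pass. The script below is an added example, not code from the thread or from OpenSSH; it applies that same rule to every `ssh_host_*_key` in a directory and reports which keys sshd will ignore, so it can be run right before sshd starts to see what state the files are actually in at that moment. The function and variable names (`hostkey_mode_ok`, `audit_hostkeys`, the `fix` argument) are my own.

```shell
#!/bin/sh
# Added example: audit sshd host-key file modes with the same rule OpenSSH's
# loader applies (reject when mode & 077 != 0). Function names are mine.
# Note: sshd only applies this check to files owned by the uid it runs as;
# a key owned by someone else is not mode-checked, so owner matters too.

# hostkey_mode_ok MODE -> 0 if sshd will load a key with this octal mode,
# 1 if it will print the UNPROTECTED PRIVATE KEY banner and ignore it.
# mode & 077 == 0 exactly when the last two octal digits are both 0.
hostkey_mode_ok() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# file_mode PATH -> prints the octal permission bits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# audit_hostkeys DIR [fix] -> one line per private host key in DIR.
# Returns the number of keys sshd would ignore (0 means all load).
# With "fix" as the second argument, offending keys are chmod'ed to 0600.
audit_hostkeys() {
    dir=${1:-/etc/ssh}
    fix=${2:-}
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue          # glob matched nothing
        mode=$(file_mode "$key")
        owner=$(ls -ld "$key" | awk '{print $3 ":" $4}')
        if hostkey_mode_ok "$mode"; then
            printf 'OK  %4s %-15s %s\n' "$mode" "$owner" "$key"
        else
            bad=$((bad + 1))
            printf 'BAD %4s %-15s %s (group/other bits set; sshd will ignore it)\n' \
                "$mode" "$owner" "$key"
            if [ "$fix" = fix ]; then
                chmod 0600 "$key" && printf 'FIXED 600 %s\n' "$key"
            fi
        fi
    done
    return "$bad"
}
```

Source the file and call `audit_hostkeys /etc/ssh` to report, or `audit_hostkeys /etc/ssh fix` to also tighten the modes; a non-zero exit status means at least one key would be ignored. Running it from the same startup hook as sshd (after the keys have been regenerated) shows whether the modes the script set have survived to that point, which is the question the console output above raises.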

