diff options
| author | Ron Gebauer <Mazorius@users.noreply.github.com> | 2023-01-25 22:40:32 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-25 15:40:32 -0600 |
| commit | 94a00492b11995dd9278605eb29ee4b096ce3a90 (patch) | |
| tree | 8558fdd2cb3ea0505f09dd84a5567706c2d33b4c | |
| parent | 7d57fcff6d32fd706dd745315c0f8f72d94385eb (diff) | |
| download | cloud-init-git-94a00492b11995dd9278605eb29ee4b096ce3a90.tar.gz | |
Fix permission of SSH host keys (#1971)
If the host-keys are provided the private key permissions have 0600
which is indeed correct. But the public key has 0600 which should
instead be 0644.
With this change the public key is always 0644 and the private key
is 0600 if provided or 640 if generated (to match sshd-keygen
functionality).
| -rw-r--r-- | cloudinit/config/cc_ssh.py | 4 | ||||
| -rw-r--r-- | tests/unittests/config/test_cc_ssh.py | 6 | ||||
| -rw-r--r-- | tools/.github-cla-signers | 1 |
3 files changed, 6 insertions, 5 deletions
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py index c9e59d16..c01dd48c 100644 --- a/cloudinit/config/cc_ssh.py +++ b/cloudinit/config/cc_ssh.py @@ -187,8 +187,8 @@ for k in GENERATE_KEY_NAMES: CONFIG_KEY_TO_FILE.update( { f"{k}_private": (KEY_FILE_TPL % k, 0o600), - f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600), - f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o600), + f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o644), + f"{k}_certificate": (f"{KEY_FILE_TPL % k}-cert.pub", 0o644), } ) PRIV_TO_PUB[f"{k}_private"] = f"{k}_public" diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py index 8f2ca8bf..cc4032de 100644 --- a/tests/unittests/config/test_cc_ssh.py +++ b/tests/unittests/config/test_cc_ssh.py @@ -330,17 +330,17 @@ class TestHandleSsh: mock.call( "/etc/ssh/ssh_host_{}_key".format(key_type), private_value, - 384, + 0o600, ), mock.call( "/etc/ssh/ssh_host_{}_key.pub".format(key_type), public_value, - 384, + 0o644, ), mock.call( "/etc/ssh/ssh_host_{}_key-cert.pub".format(key_type), cert_value, - 384, + 0o644, ), mock.call( sshd_conf_fname, diff --git a/tools/.github-cla-signers b/tools/.github-cla-signers index 77962d87..6833aa9a 100644 --- a/tools/.github-cla-signers +++ b/tools/.github-cla-signers @@ -80,6 +80,7 @@ MarkMielke marlluslustosa matthewruffell maxnet +Mazorius megian michaelrommel mitechie |