[Bug 3420] New: new hostkey/principal certificates' file group name/ID is blocked by StrictModes=yes

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Apr 12 04:16:30 AEST 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3420

            Bug ID: 3420
           Summary: new hostkey/principal certificates' file group name/ID
                    is blocked by StrictModes=yes
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: egberts at yahoo.com

The issue is whether 'StrictModes' is overly strict or not, and more
specifically with regard to a non-root group ID on the SSH host key
files.

When deploying a new group name ('ssh_key') with the purpose of
centralizing the keys to a specific group ID, this works with v9.0p1
and has worked since v1.2.1 heydays.

But the above only works if 'StrictModes no' option is used.
I think the scenario above is stable enough to be able to enable
'StrictModes yes'.

So I propose that the UID-centric file permission logic associated with
`options.strict_modes` config variable be loosened up a bit to accommodate
the following acceptable file permission settings:

  File: /etc/ssh/ssh_host_XXXX_key
  Owner:  read-only (+r-wx) or read-write (+rw-x)
  Group:  none (----) or -- > read-only (+r-wx) < -- the major change
  Other:  none
  Notation:  0600, 0400, 0640, 0440 allowed

The new permissive settings above would apply, IF and only IF under
the following ONE condition:

  UID:    root(0)
  GID:    non-root    <-- the major change


And that would enable the key management software to maintain the key
files without encroaching on other SSH configuration (or
daemon-related) files.

I do believe this proposal to be equally applicable toward Principal
Certificate files as well.



My Code Review Insights:
Process: sshd
'AuthenticateMethods': hostbased
Channel type: auth (pre-channel)
Method: publickey-hostbound-v00 at openssh.com
CLI option: -o StrictModes=
Process context: main()/server
Variable: options.strict_modes
Source (read):
match_principals_file()/user_cert_trusted_ca()/user_key_allowed()/userauth_pubkey()
Source (read): auth_rhosts2()/hostbased_key_allowed()
Source (read): user_key_allowed2()

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

