[Bug 3420] New: new hostkey/principal certificates' file group name/ID is blocked by StrictModes=yes
bugzilla-daemon at mindrot.org
Tue Apr 12 04:16:30 AEST 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3420
Bug ID: 3420
Summary: new hostkey/principal certificates' file group name/ID
is blocked by StrictModes=yes
Product: Portable OpenSSH
Version: v9.0p1
Hardware: ix86
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: egberts at yahoo.com
The issue is whether 'StrictModes' is overly strict or not, and more
specifically with regard to a non-root group ID on the SSH host key
files.
When deploying a new group name ('ssh_key') with the purpose of
centralizing the keys to a specific group ID, this works with v9.0p1
and has worked since the v1.2.1 heyday.
But the above only works if 'StrictModes no' option is used.
I think the scenario above is stable enough to be able to enable
'StrictModes yes'.
So I propose that the UID-centric file permission logic associated with
the `options.strict_modes` config variable be loosened up a bit to
accommodate the following acceptable file permission settings:
    File: /etc/ssh/ssh_host_XXXX_key
    Owner: read-only (+r-wx) or read-write (+rw-x)
    Group: none (----) or --> read-only (+r-wx) <-- the major change
    Other: none
    Notation: 0600, 0400, 0640, 0440 allowed
The new permissive settings above would apply IF and only IF under the
following ONE condition:
    UID: root(0)
    GID: non-root <-- the major change
And that would enable the key management software to maintain the key
files without encroaching on other SSH configuration (or
daemon-related) files.
I do believe this proposal to be equally applicable toward Principal
Certificate files as well.
My Code Review Insights:
Process: sshd
'AuthenticateMethods': hostbased
Channel type: auth (pre-channel)
Method: publickey-hostbound-v00 at openssh.com
CLI option: -o StrictModes=
Process context: main()/server
Variable: options.strict_modes
Source (read):
match_principals_file()/user_cert_trusted_ca()/user_key_allowed()/userauth_pubkey()
Source (read): auth_rhosts2()/hostbased_key_allowed()
Source (read): user_key_allowed2()
--
You are receiving this mail because:
You are watching the assignee of the bug.
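
Added example (not part of the original report and not OpenSSH code): a small C audit helper that evaluates a key file's owner, group and mode against the rule proposed in this report. The names proposed_check and check_path are hypothetical, and rejecting set-uid/set-gid/sticky bits and symlinks is an assumption the report does not state.

```c
/* Added example: models the rule proposed in this report; not OpenSSH code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

enum verdict { PERM_OK, BAD_OWNER_BITS, OTHER_ACCESS, GROUP_WRITE_EXEC,
               GROUP_READ_DENIED, NOT_REGULAR, STAT_FAILED };

/* Hypothetical helper: check owner, group and mode against the proposal. */
static enum verdict proposed_check(uid_t uid, gid_t gid, mode_t mode)
{
    mode_t p = mode & 07777;
    mode_t owner = p & 0700, group = p & 0070;

    /* Assumption: special bits are rejected; owner must be r-- or rw-. */
    if ((p & 07000) != 0 || (owner != 0400 && owner != 0600))
        return BAD_OWNER_BITS;
    if ((p & 0007) != 0)
        return OTHER_ACCESS;        /* "Other: none" */
    if ((group & 0030) != 0)
        return GROUP_WRITE_EXEC;    /* group is read-only at most */
    if (group == 0040 && !(uid == 0 && gid != 0))
        return GROUP_READ_DENIED;   /* needs UID root(0) and a non-root GID */
    return PERM_OK;                 /* 0600, 0400, 0640 or 0440 */
}

/* Hypothetical helper: apply the check to a file on disk. */
static enum verdict check_path(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return STAT_FAILED;
    if (!S_ISREG(st.st_mode))       /* assumption: symlinks are not followed */
        return NOT_REGULAR;
    return proposed_check(st.st_uid, st.st_gid, st.st_mode);
}

int main(int argc, char **argv)
{
    int bad = 0;

    for (int i = 1; i < argc; i++) {
        enum verdict v = check_path(argv[i]);
        printf("%s: verdict %d\n", argv[i], (int)v);
        bad |= (v != PERM_OK);
    }
    return bad;                     /* non-zero if any file fails the rule */
}
```

Pass the key file paths as arguments; verdict 0 means the file matches one of the four modes under the ownership condition described in the report.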