Replace ssh_keys group with root, where applicable and use less permissive file mode #677
Conversation
There seems to be an issue with idempotency in Fedora. This seems related to this change.
Fedora changes the permissions from the host keys from our What do you think?
Seems like a good idea. Reading our code, this seems also relevant for RHEL: ansible-collection-hardening/roles/ssh_hardening/tasks/crypto_hostkeys.yml (lines 11 to 12 in 9c86dae)
For RHEL it should be easy to cover the different versions, but the issue with tracking Fedora versions still persists.
I did some digging in STIG docs: So I think we should keep it as is for RHEL <9 and Fedora <38 and use the more secure
I'm not really fond of creating a new docker-image and supporting it for every Fedora release (two every year). So if anyone wants to do this for the foreseeable future, then I'm fine with it. But for now I only want to support the latest release.
Seems good. Maybe we can even use `600` for all cases, since the rationale was that this is more secure. Also we only do this when the distribution is `RedHat`, so all values for other OSes are of no consequence.
Yes, I'll change that.
Is there anything speaking against doing this for all OSes?
I think this is a very good idea. And also think we should extend the task to cover all private keys, not only the
In Fedora 38, the `ssh_keys` group was removed. root is used now, in accordance with upstream.
See: https://www.spinics.net/lists/fedora-devel/msg307707.html
See: https://src.fedoraproject.org/rpms/openssh/pull-request/37#
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
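The approach the thread converges on (root instead of `ssh_keys` where that group no longer exists, and mode `0600` on every private host key, on every OS), written out as an added example. This is not the collection's own `crypto_hostkeys.yml`. It assumes the host keys live in `/etc/ssh` under the `ssh_host_<type>_key` naming, the variable names `ssh_host_private_keys` and `ssh_hostkey_group` are illustrative, and only the Fedora 38 cut-over from the commit message is encoded; the RHEL version split raised in the thread is deliberately left out.

```yaml
# Added example, not the project's task file. Assumes /etc/ssh and the
# ssh_host_<type>_key naming; ssh_host_private_keys and ssh_hostkey_group
# are illustrative names.
- name: Find all SSH host private keys (public keys end in .pub and do not match)
  ansible.builtin.find:
    paths: /etc/ssh
    patterns: "ssh_host_*_key"
    file_type: file
  register: ssh_host_private_keys

- name: Restrict host private keys to root and mode 0600
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: root
    group: "{{ ssh_hostkey_group }}"
    # Quoted so YAML does not parse the octal literal as an integer.
    mode: "0600"
  loop: "{{ ssh_host_private_keys.files }}"
  loop_control:
    label: "{{ item.path }}"
  vars:
    # Fedora 38 dropped the ssh_keys group and uses root, matching upstream
    # OpenSSH. Older Fedora and RHEL still ship ssh_keys; every other OS
    # family never had it, so root is correct there. The RHEL 9 cut-over
    # discussed in the thread is an assumption left out of this condition.
    ssh_hostkey_group: >-
      {{ 'root'
         if ansible_facts['os_family'] != 'RedHat'
            or (ansible_facts['distribution'] == 'Fedora'
                and ansible_facts['distribution_major_version'] | int >= 38)
         else 'ssh_keys' }}
```

After a run, `stat -c '%U:%G %a %n' /etc/ssh/ssh_host_*_key` should show `root:root 600` (or `root:ssh_keys 600` on RHEL and pre-38 Fedora), and a second run of the play should report no changed tasks; a task that flips back to `changed` on every run is the idempotency symptom the first comment describes, and it points at the distribution resetting the group or mode behind the role's back.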