Replace ssh_keys group with root, where applicable and use less permissive file mode #677

Merged: 6 commits, Jun 10, 2023

rndmh3ro (Member)

In Fedora 38, the ssh_keys group was removed. root is used now, in accordance with upstream.

See: https://www.spinics.net/lists/fedora-devel/msg307707.html
See: https://src.fedoraproject.org/rpms/openssh/pull-request/37#

@schurzi (Contributor) commented May 26, 2023

There seems to be an issue with idempotency in Fedora. This seems related to this change.
This change makes us compatible with Fedora 38; how will we handle older Fedora releases? Can we reasonably expect users to upgrade, or should we introduce something that at least supports all currently maintained Fedora releases? According to https://endoflife.date/fedora there is still Fedora 37 for 6 months.

@rndmh3ro (Member Author)

Fedora changes the permissions of the host keys from our 640 to 600 after restarting sshd. I think that's good. So we should probably change our hardening default to 600, which makes it more secure.

What do you think?

@schurzi (Contributor) commented May 26, 2023

> What do you think?

Seems like a good idea. Reading our code, this seems also relevant for RHEL:

```
# In RHEL and Fedora, the 'ssh_keys' group is the group owner of the host private SSH keys.
# Since the openssh_keypair module needs to read the key to provide idempotency, we need to set ownership and group based on specific OS vars.
```

For RHEL it should be easy to cover the different versions, but the issue with tracking Fedora versions still persists.

@schurzi (Contributor) commented May 26, 2023

I did some digging in STIG docs:
It seems the root group is also supported with RHEL9:
https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2022-12-06/finding/V-230287
https://static.open-scap.org/ssg-guides/ssg-rhel9-guide-stig_gui.html#xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key

So I think we should keep it as is for RHEL <9 and Fedora <38 and use the more secure root:root and 600 set for all newer releases. Setting this as a default for the OS and overriding it in the more specific vars for older releases should cover this.

@rndmh3ro (Member Author)

> For RHEL it should be easy to cover the different versions, but the issue with tracking Fedora versions still persists.

I'm not really fond of creating a new docker-image and supporting it for every Fedora release (two every year). So if anyone wants to do this for the foreseeable future, then I'm fine with it. But for now I only want to support the latest release.

@schurzi (Contributor) left a comment

Seems good. Maybe we can even use 600 for all cases, since the rationale was that this is more secure.
Also we only do this when the distribution is RedHat so all values for other OSes are of no consequence.

@rndmh3ro (Member Author) commented Jun 2, 2023

> Maybe we can even use 600 for all cases, since the rationale was that this is more secure.

Yes, I'll change that.

> Also we only do this when the distribution is RedHat so all values for other OSes are of no consequence.

Is there anything speaking against doing this for all OSes?

@schurzi (Contributor) commented Jun 4, 2023

> Is there anything speaking against doing this for all OSes?

I think this is a very good idea. And I also think we should extend the task to cover all private keys, not only the ssh_host_rsa_key. Maybe switch the order of tasks, so we have a fact for all available host keys.
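
The target state discussed in this thread (every host private key at mode 600 and owned by root:root) can be checked on a host with a short audit function. This is an added example, not code from the PR or the role; `audit_host_keys` and its arguments are hypothetical names, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not the role's code): audit all SSH host private keys in a
# directory, not only ssh_host_rsa_key, against mode 600 and root:root.
# audit_host_keys is a hypothetical helper; it assumes GNU stat (stat -c).

# usage: audit_host_keys [dir] [owner] [group]
# Prints one line per finding; returns 0 only if every key complies.
audit_host_keys() {
    dir=${1:-/etc/ssh}
    want_owner=${2:-root}
    want_group=${3:-root}
    rc=0
    # The pattern matches ssh_host_rsa_key, ssh_host_ed25519_key, ... but
    # not the *.pub files, which are meant to be world-readable.
    for key in "$dir"/ssh_host_*_key; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        owner=$(stat -c '%U' "$key")
        group=$(stat -c '%G' "$key")
        # 600 is the target; 400 (owner read-only) is stricter and accepted.
        # Anything else, such as the former 640, is reported.
        case $mode in
            600|400) ;;
            *) echo "$key: mode $mode, want 600"; rc=1 ;;
        esac
        # With mode 600 a non-root group such as ssh_keys grants nothing,
        # so the group is expected to be root as well.
        if [ "$owner:$group" != "$want_owner:$want_group" ]; then
            echo "$key: owned by $owner:$group, want $want_owner:$want_group"
            rc=1
        fi
    done
    return $rc
}
```

Called with no arguments it inspects `/etc/ssh` and expects root:root; the owner and group arguments exist so the function can be exercised against a scratch directory.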

Sebastian Gumprich added 5 commits June 9, 2023 12:52
In Fedora 38, the `ssh_keys` group was removed. root is used now, in accordance with upstream.

See: https://www.spinics.net/lists/fedora-devel/msg307707.html
See: https://src.fedoraproject.org/rpms/openssh/pull-request/37#

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
@rndmh3ro merged commit f56d80b into master Jun 10, 2023
@rndmh3ro deleted the ssh_keys_group branch June 10, 2023 06:04
@schurzi changed the title from "Replace ssh_keys group in Fedora with root" to "Replace ssh_keys group with root, where applicable and use less permissive file mode" Jun 10, 2023