[Cialug] SSH Host Key Permissions

Jarrod Igou jarrod.igou at gmail.com
Tue Mar 19 13:35:53 UTC 2019


Ouch. How many servers are you talking?

The painful but straightforward way to get in is to spin up a rescue
instance and one by one shut down a server, attach the root EBS volume to
that rescue instance, mount up, change permissions, and put back.

You could check with AWS support. I've seen them fix similar boo-boos on a
bunch of RDS instances, but with those there's NO way to
detach/reattach/rescue. Don't know that they'd be as willing to help out in
this type of situation.

Jarrod


On Tue, Mar 19, 2019, 9:11 AM Todd Walton <tdwalton at gmail.com> wrote:

> OpenSSH insists that you have certain files set with the right
> permissions. You can find gads out there about your home directory's
> ".ssh" directory and the permissions it and its contents should have.
> But there are also certain permissions that it wants you to have
> (insists that you have) on the host keys found in /etc/ssh/.
> Apparently 0640 is not acceptable, even though that's what I find on
> various servers, and that's what works for this guy:
> https://bugzilla.redhat.com/show_bug.cgi?id=1167402 . He's using
> Fedora. I'm running CentOS. On my local RHEL workstation, here's what
> I find at this very moment:
>
> todd $ ls -l /etc/ssh/ssh_host*key
> -rw-r-----. 1 root ssh_keys  227 Jan 29 20:22 /etc/ssh/ssh_host_ecdsa_key
> -rw-r-----. 1 root ssh_keys  387 Jan 29 20:22 /etc/ssh/ssh_host_ed25519_key
> -rw-r-----. 1 root ssh_keys 1679 Jan 29 20:22 /etc/ssh/ssh_host_rsa_key
>
> I didn't generate those. I haven't touched them. So, that must be
> official, right? I can SSH to my workstation, so 0640 on the host keys
> must be okay. So I was generating ed25519 host keys yesterday by
> running this on a number of servers:
>
> if ! test -f /etc/ssh/ssh_host_ed25519_key; then ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -t ed25519; fi
>
> And then, because I found such a mix of permissions on the host keys, I
> did:
>
> chmod 0640 /etc/ssh/ssh_host_*_key
>
> You know... without testing one server first... because it's pretty
> clear that 0640 is acceptable! It's not acceptable. I'm locked out
> now. I try to SSH and the connection immediately is dropped by the
> remote side, the side that now has 0640 on its host keys. I restarted
> one of those servers and looked at the console output: "WARNING:
> UNPROTECTED PRIVATE KEY FILE Permissions 0640 for
> '/etc/ssh/ssh_host_rsa_key' are too open.". Too open my backside ya
> damn... but I digress.
>
> These are AWS EC2 instances. There is no interactive console possible.
> Le sigh.....
>
> Gotta figure out how I'm gonna fix this.
>
> --
> Todd
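A pre-flight check for this kind of fleet-wide permission change, added here as an example that is not part of the thread. It mirrors the upstream OpenSSH rule that caused the lockout (a private key file must have no group or other bits set; the root:ssh_keys 0640 layout on the RHEL workstation is a distro-specific exception and cannot be assumed elsewhere) and assumes GNU stat and host keys under /etc/ssh/ as in the posts.

```shell
#!/bin/sh
# Example (not from the thread): checks to run BEFORE chmod'ing host keys on a
# fleet, so a bad mode is caught while an SSH session is still open.
# Rule checked: mode & 077 must be 0 (e.g. 600 or 400), which is what upstream
# sshd enforces when it loads a private host key.

# host_key_mode_ok FILE -> returns 0 if no group/other bits are set, 1 otherwise
host_key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU stat assumed
    case $mode in
        *00) return 0 ;;   # 600, 400, ...
        *)   return 1 ;;   # 640, 644, ...
    esac
}

# check_host_keys DIR -> prints each offending key, returns the count of bad
# keys (0 means every key in DIR is acceptable)
check_host_keys() {
    bad=0
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        if ! host_key_mode_ok "$key"; then
            printf 'too open: %s (mode %s)\n' "$key" "$(stat -c '%a' "$key")"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# preflight_sshd: only report "safe to restart" if the modes pass and
# `sshd -t` loads the config and host keys cleanly. `sshd -t` runs the same
# key permission check the daemon does at startup, so the "Permissions ...
# are too open" error shows up here instead of after the service is bounced.
preflight_sshd() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found"; return 1; }
    check_host_keys /etc/ssh || return 1
    sshd -t || return 1        # errors go to stderr, non-zero exit on failure
    echo "ok: safe to restart sshd"
}
```

Run `preflight_sshd` on one host, from a session you keep open, before pushing the change to the rest.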