author | sxt1001 <shixuantong1@huawei.com> | 2023-04-03 01:30:36 +0800 |
committer | GitHub <noreply@github.com> | 2023-04-02 12:30:36 -0500 |
commit | 09a64badfb3f51b1b391fa29be19962381a4bbeb (patch) | |
tree | a9ac46f499fbee1de056e08624239d0238306434 /cloudinit/config | |
parent | 612b4de892d19333c33276d541fed99fd16d3998 (diff) | |
download | cloud-init-git-09a64badfb3f51b1b391fa29be19962381a4bbeb.tar.gz |
Fix private key permissions when openssh not earlier than 9.0 #2072
Cloud-init's host key generation mimics that of sshd-keygen.
It used to generate 640 permissions, but going forward it
should be 600. Check sshd version to set the permissions
appropriately.
LP: #2011291
Diffstat (limited to 'cloudinit/config')
-rw-r--r-- | cloudinit/config/cc_ssh.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 57129776..7c9ae36b 100644
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -279,9 +279,13 @@ def handle(name: str, cfg: Config, cloud: Cloud, args: list) -> None:
 gid = util.get_group_id("ssh_keys")
 if gid != -1:
 # perform same "sanitize permissions" as sshd-keygen
+ permissions_private = 0o600
+ ssh_version = ssh_util.get_opensshd_upstream_version()
+ if ssh_version and ssh_version < util.Version(9, 0):
+ permissions_private = 0o640
 os.chown(keyfile, -1, gid)
- os.chmod(keyfile, 0o640)
- os.chmod(keyfile + ".pub", 0o644)
+ os.chmod(keyfile, permissions_private)
+ os.chmod(f"{keyfile}.pub", 0o644)
 except subp.ProcessExecutionError as e:
 err = util.decode_binary(e.stderr).lower()
 if e.exit_code == 1 and err.lower().startswith(
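Review bot: The version probe `ssh_util.get_opensshd_upstream_version()` is evaluated immediately before the chmod on each pass; if this block sits inside the per-keytype generation loop (its header, if any, is outside the hunk), the probe — presumably a subprocess call — repeats for every generated host key and could be hoisted to a single lookup before the loop. The cutover `util.Version(9, 0)` also deserves a why-comment, since nothing on the line explains it, e.g. `# sshd-keygen in OpenSSH >= 9.0 creates private host keys 0600; older releases used 0640 readable by the ssh_keys group`. Defaulting to `0o600` when the version cannot be determined is the right restrictive fallback and worth a short comment of its own so a later edit does not flip it. The enclosing `handle()` body continues outside the hunk on both sides.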