yahoo-eng-team team mailing list archive
Message #91486
[Bug 2011291] [NEW] After Cloud-Init is completed, an error is reported when the sshd service is restarted.
Public bug reported:
I tested this issue on multiple versions and found that cloud-init 21.4
is OK, while cloud-init 22.2 and 23.1 are not.
The following error information is displayed for the sshd service:
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_rsa_key
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
Mar 11 17:17:53 openEuler sshd[2232]: sshd: no hostkeys available -- exiting.
At the same time, I found that the key file permission generated by the
sshd service is 0o400, but the file permission generated by cloud-init
cc_ssh is 0o644 (public key) and 0o640 (private key). Should cloud-init
be consistent with sshd?
[root@openEuler ~]# cd /etc/ssh/
[root@openEuler ssh]# ll ssh_host_*
-r--------. 1 root ssh_keys 480 Mar 11 15:57 ssh_host_ecdsa_key
-r--------. 1 root root 162 Mar 11 15:57 ssh_host_ecdsa_key.pub
-r--------. 1 root ssh_keys 387 Mar 11 15:57 ssh_host_ed25519_key
-r--------. 1 root root 82 Mar 11 15:57 ssh_host_ed25519_key.pub
-r--------. 1 root ssh_keys 2578 Mar 11 15:57 ssh_host_rsa_key
-r--------. 1 root root 554 Mar 11 15:57 ssh_host_rsa_key.pub
After Cloud-Init is completed:
[root@openEuler ssh]# ll ssh_host_*
-rw-r-----. 1 root ssh_keys 1381 Mar 11 17:17 ssh_host_dsa_key
-rw-r--r--. 1 root root 604 Mar 11 17:17 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys 505 Mar 11 17:17 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 176 Mar 11 17:17 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 411 Mar 11 17:17 ssh_host_ed25519_key
-rw-r--r--. 1 root root 96 Mar 11 17:17 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 2602 Mar 11 17:17 ssh_host_rsa_key
-rw-r--r--. 1 root root 568 Mar 11 17:17 ssh_host_rsa_key.pub
** Affects: cloud-init
Importance: Undecided
Status: New
** Description changed:
I tested this issue on multiple versions, I found that cloud-init 21.4
is ok, cloud-init 22.2 and 23.1 is not ok.
The following error information is displayed for the sshd service:
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_rsa_key
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
Mar 11 17:17:53 openEuler sshd[2232]: sshd: no hostkeys available -- exiting.
-
- At the same time, I found that the key file permission generated by the sshd service is 0o400, But the file permission generated by cloud-init cc_ssh is 0o644 (publibc key) and 0o640 (private key). Should cloud-init be consistent with sshd?
+ At the same time, I found that the key file permission generated by the
+ sshd service is 0o400, But the file permission generated by cloud-init
+ cc_ssh is 0o644 (publibc key) and 0o640 (private key). Should cloud-init
+ be consistent with sshd?
[root@openEuler ~]# cd /etc/ssh/
[root@openEuler ssh]# ll ssh_host_*
- total 564
-r--------. 1 root ssh_keys 480 Mar 11 15:57 ssh_host_ecdsa_key
-r--------. 1 root root 162 Mar 11 15:57 ssh_host_ecdsa_key.pub
-r--------. 1 root ssh_keys 387 Mar 11 15:57 ssh_host_ed25519_key
-r--------. 1 root root 82 Mar 11 15:57 ssh_host_ed25519_key.pub
-r--------. 1 root ssh_keys 2578 Mar 11 15:57 ssh_host_rsa_key
-r--------. 1 root root 554 Mar 11 15:57 ssh_host_rsa_key.pub
After Cloud-Init is completed:
[root@openEuler ssh]# ll ssh_host_*
-rw-r-----. 1 root ssh_keys 1381 Mar 11 17:17 ssh_host_dsa_key
-rw-r--r--. 1 root root 604 Mar 11 17:17 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys 505 Mar 11 17:17 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 176 Mar 11 17:17 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 411 Mar 11 17:17 ssh_host_ed25519_key
-rw-r--r--. 1 root root 96 Mar 11 17:17 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 2602 Mar 11 17:17 ssh_host_rsa_key
-rw-r--r--. 1 root root 568 Mar 11 17:17 ssh_host_rsa_key.pub
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/2011291
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/2011291/+subscriptions
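The permission check behind the log messages in this report, as an added example (not part of the original report, and not cloud-init or OpenSSH code). It assumes the rule implied by the "Permissions 0640 ... are too open" lines: a private key owned by the user running sshd is rejected if any group or other permission bit is set. The function names are hypothetical, and the audit looks at every `ssh_host_*_key` file in a directory rather than reading the `HostKey` entries from `sshd_config`.

```python
import os
import stat
import sys
from pathlib import Path


def key_perm_ok(st_uid, st_mode, running_uid):
    """Return True if a private key with this owner and mode would be loaded.

    Assumed rule (consistent with the log in the report): a key owned by the
    user running sshd must have no group/other permission bits.
    """
    if st_uid == running_uid and (st_mode & 0o077) != 0:
        return False
    return True


def audit_host_keys(ssh_dir, running_uid=None):
    """Report the mode and verdict for each ssh_host_*_key private key."""
    uid = os.getuid() if running_uid is None else running_uid
    findings = []
    # The pattern ends in "_key", so the matching .pub files are not included.
    for path in sorted(Path(ssh_dir).glob("ssh_host_*_key")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks and directories instead of following them
        mode = stat.S_IMODE(st.st_mode)
        findings.append({
            "path": str(path),
            "mode": f"{mode:04o}",
            "usable": key_perm_ok(st.st_uid, mode, uid),
        })
    return findings


def sshd_would_start(findings):
    """sshd exits with 'no hostkeys available' when every key is rejected."""
    return any(f["usable"] for f in findings)


if __name__ == "__main__":
    results = audit_host_keys(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh")
    for f in results:
        state = "ok" if f["usable"] else "too open, would be ignored"
        print(f"{f['mode']} {f['path']}: {state}")
    sys.exit(0 if sshd_would_start(results) else 1)
```

Run as the user sshd runs as (normally root), for example after cloud-init finishes and before sshd is restarted; a non-zero exit status means no host key would be accepted.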