Package: etckeeper
Version: 0.63
Severity: critical
Tags: patch security
Justification: root security hole
Dear Maintainer,

* What led up to the situation?

I am using etckeeper with git to keep track of my changes in /etc. After reverting a commit (used commands: revert, reset, commit, checkout) the system was working properly and I had a clean repository. After closing the SSH connection I got alerted about some log entries like this one:

Jul 15 09:04:52 sendai sshd[564]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 15 09:04:52 sendai sshd[564]: error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Jul 15 09:04:52 sendai sshd[564]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 15 09:04:52 sendai sshd[564]: error: Permissions 0644 for '/etc/ssh/ssh_host_rsa_key' are too open.
Jul 15 09:04:52 sendai sshd[564]: error: It is required that your private key files are NOT accessible by others.
Jul 15 09:04:52 sendai sshd[564]: error: This private key will be ignored.
Jul 15 09:04:52 sendai sshd[564]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Jul 15 09:04:52 sendai sshd[564]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key

Too late. The SSH daemon does not allow incoming connections any longer to fix this.

etckeeper does not keep track of the permissions of /etc/ssh/ssh_host_*_key. Git automatically sets them to 644. On the one hand, SSH keys are world-readable, which is a security hole, and on the other hand, SSH as a consequence does not allow connections, which is rather unpleasant on servers.

* What exactly did you do (or not do) that was effective (or ineffective)?
* What was the outcome of this action?

Contacted hosting provider to fix the file permissions.

* What outcome did you expect instead?

etckeeper/git keeps the permissions of SSH host key files at 600 as it does with other files.
-- System Information:
Debian Release: 7.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages etckeeper depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  git                    1:1.7.10.4-1+wheezy1

Versions of packages etckeeper recommends:
ii  cron  3.0pl1-124

Versions of packages etckeeper suggests:
ii  sudo  1.8.5p2-1+nmu2

-- debconf information:
  etckeeper/commit_failed:
  etckeeper/purge: true
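Git stores only the executable bit per file, so a checkout or revert recreates a non-executable file as 0644 (modulo umask), which is what hit the host keys above. The following audit is an added example, not part of the bug report or of etckeeper itself: it reports any ssh_host_*_key under a directory whose mode is not 0600 and can tighten them, e.g. from a git post-checkout hook or a cron job; the directory argument and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not etckeeper's code): find SSH host private keys whose
# permissions are too open, and optionally restore them to 0600.
# Assumes either GNU stat (-c) or BSD stat (-f) is available.

# Print "<mode> <path>" for each ssh_host_*_key in $1 (default /etc/ssh)
# whose octal mode is not exactly 600. Public keys (*.pub) do not match
# the glob, so they are never touched.
find_open_host_keys() {
    dir="${1:-/etc/ssh}"
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            600) ;;
            *) printf '%s %s\n' "$mode" "$key" ;;
        esac
    done
}

# chmod every reported key back to 0600 and log what changed.
# sshd only re-reads host keys on (re)start or reload, so the service
# must be reloaded after this for the key to be used again.
fix_open_host_keys() {
    find_open_host_keys "$1" | while read -r mode key; do
        chmod 600 "$key" && printf 'fixed %s (was %s)\n' "$key" "$mode"
    done
}
```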