Thanks for the bug report, Evgeny, and for the initial investigation, Lena. The following commit "fixes" the issue:

commit f2d84f1b3fa68d77c99238d4c645d0266fae2a74
Author:     d...@openbsd.org <d...@openbsd.org>
AuthorDate: Wed May 13 09:55:57 2020 +0000
Commit:     Damien Miller <d...@mindrot.org>
CommitDate: Wed May 27 10:09:19 2020 +1000

I say "fixes" because it doesn't do exactly what Evgeny is asking in the bug description; that is, it doesn't make ssh-keygen preserve *all* of the permission bits. Instead, with the commit above applied we see that ssh-keygen in Focal/Bionic starts behaving exactly like what we see in Impish/Jammy: the group/all *read* permissions are preserved, but not the (e.g.) execute permission. We can see that in the output that Lena pasted.

Either way, preserving the "read" permission bits for group/all and dropping everything else is done on purpose, as can be seen in this excerpt (from ssh-keygen.c:do_known_hosts):

    ...
    fchmod(fd, sb.st_mode & 0644);
    ...

I have already backported & tested the patch on Bionic, and it works. I will start filing MPs tomorrow.

** Changed in: openssh (Ubuntu Bionic)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)

** Changed in: openssh (Ubuntu Focal)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)

** Changed in: openssh (Ubuntu Bionic)
       Status: Confirmed => Triaged

** Changed in: openssh (Ubuntu Bionic)
       Status: Triaged => In Progress

** Changed in: openssh (Ubuntu Focal)
       Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/1966591

Title:
  ssh-keygen -R changes known_hosts file permissions (mode)

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Bionic:
  In Progress
Status in openssh source package in Focal:
  In Progress
Status in openssh source package in Impish:
  Fix Released
Status in openssh source package in Jammy:
  Fix Released

Bug description:
  When I use ssh-keygen -R to remove a host from known_hosts it changes
  permissions on the file. This causes problems particularly when used on
  the global known hosts file (/etc/ssh/ssh_known_hosts), because then only
  root can read it. Programs running non-interactively as non-root users
  suddenly fail to SSH and it's not immediately obvious why.

  To reproduce:

    $ ssh-keyscan github.com >test_known_hosts
    $ chmod 741 test_known_hosts
    $ ssh-keygen -R github.com -f test_known_hosts
    $ stat test_known_hosts
    ...
    Access: (0600/-rw-------)
    ...

  Expected behavior: file permissions remain unchanged (mode 0741 in this
  example).

    $ lsb_release -rd
    Description:    Ubuntu 18.04.6 LTS
    Release:        18.04
    $ apt-cache policy openssh-client
    openssh-client:
      Installed: 1:7.6p1-4ubuntu0.6
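As an added illustration, not the OpenSSH commit itself (whose diff is not quoted above): a small C model of the rewrite pattern the excerpt shows, a temp file in the same directory that gets `fchmod(fd, sb.st_mode & 0644)` and is then renamed over the original, run against a constructed sample file so the resulting modes from the report (0741 dropping to 0640 rather than 0600) can be checked. The function names, the `/tmp` path and the sample lines are assumptions.

```c
/* Added example, not OpenSSH's code: models the mode handling in the
 * ssh-keygen.c:do_known_hosts excerpt, fchmod(fd, sb.st_mode & 0644), inside
 * the temp-file-and-rename rewrite that ssh-keygen -R performs. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
/* Mode the rewritten file gets with the fix: owner rw and group/other read
 * survive; execute and every other bit is dropped (0741 becomes 0640). */
mode_t known_hosts_mode(mode_t original) { return original & 0644; }
/* Rewrite `path` through a temp file next to it, applying known_hosts_mode()
 * to the temp descriptor before renaming it over the original. Content is
 * copied unchanged (the host-line filtering is left out). Returns the final
 * permission bits, or (mode_t)-1 on error. */
mode_t rewrite_known_hosts(const char *path)
{
    struct stat sb; char tmp[4096], buf[4096];
    ssize_t n = 0; int in = -1, out;
    if (stat(path, &sb) != 0) return (mode_t)-1;
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    if ((out = mkstemp(tmp)) < 0) return (mode_t)-1; /* 0600 regardless of umask */
    if ((in = open(path, O_RDONLY)) < 0 ||
        fchmod(out, known_hosts_mode(sb.st_mode)) != 0) goto fail;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    if (n < 0) goto fail;
    close(in); close(out);
    if (rename(tmp, path) != 0) { unlink(tmp); return (mode_t)-1; }
    return stat(path, &sb) == 0 ? (sb.st_mode & 07777) : (mode_t)-1;
fail:
    if (in >= 0) close(in);
    close(out); unlink(tmp); return (mode_t)-1;
}
/* Reproduces the report's scenario on a constructed sample file (not real
 * host keys): create it, chmod it to `initial`, rewrite, return the new mode. */
mode_t demo_rewrite(mode_t initial)
{
    char path[] = "/tmp/test_known_hosts.XXXXXX";  /* assumed location */
    const char *lines = "example.invalid ssh-ed25519 CONSTRUCTEDKEYDATA\n"
                        "other.invalid ssh-rsa CONSTRUCTEDKEYDATA\n";
    int fd = mkstemp(path);
    if (fd < 0) return (mode_t)-1;
    if (write(fd, lines, strlen(lines)) != (ssize_t)strlen(lines) ||
        close(fd) != 0 || chmod(path, initial) != 0) { unlink(path); return (mode_t)-1; }
    mode_t result = rewrite_known_hosts(path);  /* 0741 -> 0640, 0600 -> 0600 */
    unlink(path);
    return result;
}
```

With the original 0600 behaviour the group/other read bits would also vanish; this model shows why a file at 0741 ends up at 0640 after the fix, which is exactly the partial preservation the comment above describes.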