Thanks for reporting this issue here.
ssh-keygen typically creates private key files with permissions set to
644 (readable by owner and group), which
could be too permissive for private ssh keys, so changing the
permissions after creation is the right thing to do. Your patch
looks like something we need upstream too; something like the below might work. If
it works, please consider sending it as a patch to the oe-core mailing
list.

diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index 606d1894b55..fae2bc5d16c 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -8,7 +8,7 @@ generate_key() {
     mkdir -p "$DIR"
     rm -f ${FILE}.tmp
     ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
-
+    chmod 0600 "$FILE.tmp"
     # Atomically rename file public key
     mv -f "${FILE}.tmp.pub" "${FILE}.pub"


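Review bot: the added `chmod 0600 "$FILE.tmp"` is unchecked and quotes the variable differently from the surrounding lines (`"${FILE}.tmp"`); if the preceding `ssh-keygen` fails there is no `.tmp` file, chmod prints its own error and the function still falls through to the `mv` lines. Suggest `chmod 0600 "${FILE}.tmp" || return 1`, and the same `|| return 1` on the ssh-keygen line, so a failed generation does not continue into the renames. Placing the chmod on the temporary file, before the rename, is the right spot: mv keeps the source file's mode, so the final `${FILE}` never exists with a wide mode, which the reporter's post-rename `chmod 0600 "$FILE"` cannot guarantee. The hunk replaces the blank separator line before the `# Atomically rename` comment; keep a blank line after the chmod if the file's style separates steps that way.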
On Wed, Oct 9, 2024 at 12:15 AM Jean-Michel Papy via
lists.yoctoproject.org
<jean-michel.papy=exail....@lists.yoctoproject.org> wrote:
>
> Dear Yocto Community,
> I made a small dev image, which is perfectly booting (on an Enclustra card).
> However when I tried to connect to the machine using ssh it failed 
> (connection reset by peer).
> After a quick look at how the socket-based activation works and the systemd 
> service dependencies,
> I connected to the machine via a serial port and performed the individual 
> program calls manually.
> I noticed that the sshd service requires the sshd_check_keys shell script to 
> be executed.
> This script creates host keys if they are not provided, and the private (and 
> public) keys are generated
> with default permissions (644). The problem appears when the ssh program 
> checks the key file permissions and finds them "too open".
> I tweaked the shell script by adding a line chmod 0600 "$FILE" just after
> the line mv "${FILE}.tmp" "$FILE" and this hack works perfectly.
> So finally, I just created a patch which adds this line.
>
> I might be wrong, but I tend to believe this should have worked without this 
> workaround.
> Does somebody have an idea of what could be incorrectly set up (a variable?) 
> or what should be done in the image to prevent this from happening?
> Thank you in advance
> Regards,
> JM
>
> 
>
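The failing check the reporter ran into, and the fix both messages converge on, as an added example that is not the oe-core sshd_check_keys script, the reporter's patch, or the one proposed above. It is a small POSIX sh script: key_perm_ok applies the same test OpenSSH uses before it rejects a private key as "too open" (any permission bit set for group or other, i.e. mode & 077), fix_key_perm is the reporter's chmod 0600 with a verification behind it, and generate_host_key shows the temp-file plus atomic-rename pattern with the chmod applied to the temporary private key before the rename. The function names, the sample path ssh_host_ed25519_key and the GNU/BSD stat fallback are my own assumptions; ssh-keygen is only needed by generate_host_key.

```shell
#!/bin/sh
# Added example (not the oe-core sshd_check_keys script): check, fix and
# generate an OpenSSH host key so that sshd does not reject it as "too open".
# Assumes a POSIX sh with GNU stat (-c) or BSD stat (-f); ssh-keygen on PATH
# is needed only by generate_host_key. All names below are hypothetical.

# Print the permission bits of a file in octal (e.g. 644). GNU stat first,
# BSD stat as the fallback; fails (non-zero) if the file cannot be stat'ed.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when the private key at $1 is acceptable to ssh/sshd, 1 when any
# group or other bit is set, which is the condition behind the "too open"
# rejection (st_mode & 077 != 0). The leading 0 makes the shell read the
# stat output as octal.
key_perm_ok() {
    mode=$(file_mode "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# The reporter's by-hand fix, with a check behind it: chmod the private key
# to 0600 and report whether it is now acceptable.
fix_key_perm() {
    chmod 0600 "$1" && key_perm_ok "$1"
}

# Generate a host key of type $2 at path $1 using the same .tmp / rename
# sequence as sshd_check_keys. The chmod is applied to the temporary private
# key before the rename: mv keeps the source file's mode, so the final path
# never exists with a wide mode, unlike a chmod done after the rename.
generate_host_key() {
    local FILE TYPE
    FILE=$1
    TYPE=$2
    mkdir -p "$(dirname "$FILE")" || return 1
    rm -f "${FILE}.tmp" "${FILE}.tmp.pub"
    ssh-keygen -q -f "${FILE}.tmp" -N '' -t "$TYPE" || return 1
    chmod 0600 "${FILE}.tmp" || return 1
    # Public key first, then sync, then the private key, so a private key
    # never appears on disk without its public key.
    mv -f "${FILE}.tmp.pub" "${FILE}.pub" || return 1
    sync
    mv -f "${FILE}.tmp" "$FILE" || return 1
    key_perm_ok "$FILE"
}

# Reproduce the reported symptom on a constructed file: a file created under
# the common umask 022 comes out 644 and fails the check; after
# fix_key_perm it passes. Uses a throw-away directory, no real host keys.
demo() {
    local d
    d=$(mktemp -d) || return 1
    ( umask 022 && : > "$d/ssh_host_ed25519_key" )
    if key_perm_ok "$d/ssh_host_ed25519_key"; then
        echo "unexpected: a fresh 644 file passed the check"
        rm -rf "$d"
        return 1
    fi
    echo "before: $(file_mode "$d/ssh_host_ed25519_key") (too open)"
    fix_key_perm "$d/ssh_host_ed25519_key" || { rm -rf "$d"; return 1; }
    echo "after chmod 0600: $(file_mode "$d/ssh_host_ed25519_key") (ok)"
    rm -rf "$d"
}

demo
```

Running the script prints the mode before and after the fix for the constructed file; to exercise the generator on a real key, call generate_host_key with a path under a scratch directory, for example generate_host_key /tmp/scratch/etc/ssh/ssh_host_ed25519_key ed25519, and then check it with key_perm_ok. The check in key_perm_ok only looks at group/other permission bits, which is what the "too open" message is about; it does not check ownership, which sshd reads as root anyway.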
View/Reply Online (#63993): https://lists.yoctoproject.org/g/yocto/message/63993