From: Khem Raj Date: Fri, 11 Oct 2024 19:42:51 +0000 (-0700) Subject: openssh: Be more restrictive on private key file permissions X-Git-Tag: yocto-5.2~1599 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c9f456cc39ca25123249ecb32b311736bd4e1f8;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git openssh: Be more restrictive on private key file permissions Sometimes default permissions on filesystems can be more permissive e.g. 0644, this can make the private key file created here to inherit those permissions and these permissions can then cause ssh server to not allow ssh connections due to non-secure permissions on file. Reported-by: Jean-Michel Papy Signed-off-by: Khem Raj Cc: Jörg Sommer Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys index 606d1894b55..bbb6a149088 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -8,7 +8,7 @@ generate_key() { mkdir -p "$DIR" rm -f ${FILE}.tmp ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE - + chmod go-rwx "$FILE.tmp" # Atomically rename file public key mv -f "${FILE}.tmp.pub" "${FILE}.pub"
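Review bot: The added `chmod go-rwx "$FILE.tmp"` in generate_key() runs only after `ssh-keygen` has already written the private key, so where the default permissions are as permissive as the commit message describes (e.g. 0644), the key is group- and world-readable for a short time. Setting `umask 077` before the `ssh-keygen` call (in a subshell, or restored afterwards) would create the file restricted from the start, and the chmod could stay as a second check. Nothing in the visible lines tests the chmod result before the `mv -f` that follows; something like `chmod go-rwx "${FILE}.tmp" || return 1` would keep a key whose mode could not be tightened from being renamed into place. Style: the neighbouring lines write `"${FILE}.tmp"`, so the new line should use the same brace form instead of `"$FILE.tmp"`.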