[Secure-testing-team] Bug#792485: etckeeper/git sets SSH host key perms to 644

Sebastian Wagner sebix at sebix.at
Wed Jul 15 09:47:18 UTC 2015


Package: etckeeper
Version: 0.63
Severity: critical
Tags: patch security
Justification: root security hole

Dear Maintainer,

   * What led up to the situation?
I am using etckeeper with git to keep track of my changes in /etc. After reverting a commit (used commands: revert, reset, commit, checkout) the system was working properly and I had a clean repository.
After closing the SSH connection I got alerted about some log entries like this one:

Jul 15 09:04:52 sendai sshd[564]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 15 09:04:52 sendai sshd[564]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Jul 15 09:04:52 sendai sshd[564]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Jul 15 09:04:52 sendai sshd[564]: error: Permissions 0644 for '/etc/ssh/ssh_host_rsa_key' are too open.
Jul 15 09:04:52 sendai sshd[564]: error: It is required that your private key files are NOT accessible by others.
Jul 15 09:04:52 sendai sshd[564]: error: This private key will be ignored.
Jul 15 09:04:52 sendai sshd[564]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Jul 15 09:04:52 sendai sshd[564]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key

Too late: the SSH daemon no longer allows incoming connections with which to fix this.
etckeeper does not keep track of the permissions of /etc/ssh/ssh_host_*_key
Git automatically sets them to 644
On the one hand, the SSH keys are world-readable, which is a security hole, and
on the other hand, SSH as a consequence does not allow connections, which is rather unpleasant on servers.
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
Contacted hosting provider to fix the file permissions.
   * What outcome did you expect instead?
etckeeper/git keeps the permissions of SSH host key files at 600 as it does with other files.



-- System Information:
Debian Release: 7.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages etckeeper depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  git                    1:1.7.10.4-1+wheezy1

Versions of packages etckeeper recommends:
ii  cron  3.0pl1-124

Versions of packages etckeeper suggests:
ii  sudo  1.8.5p2-1+nmu2

-- debconf information:
  etckeeper/commit_failed:
  etckeeper/purge: true
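Editor's added example, not part of the bug report above or of etckeeper itself. Git tracks only the executable bit of a file, so when a checkout recreates /etc/ssh/ssh_host_*_key the mode comes from the process umask (0644 under the usual 022), which is exactly the state sshd refuses to load. The script below reproduces that behaviour in a scratch repository when git is installed, and shows the check and fix-up pass one would hook in after any checkout in /etc: list every private host key whose mode is not exactly 0600 and restore it. The key files it creates are constructed placeholders, the directory it operates on is a temporary stand-in for /etc/ssh, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or etckeeper): check and repair the
# permissions of SSH private host keys after a git checkout in /etc.

# Print every ssh_host_*_key directly under $1 whose mode is not exactly 0600,
# one path per line. Any group/other bit makes sshd ignore the key entirely.
find_open_host_keys() {
    find "$1" -maxdepth 1 -name 'ssh_host_*_key' ! -perm 600 2>/dev/null | sort
}

# Restore 0600 on every private host key under $1 that needs it and print
# how many files were fixed. Public keys (*.pub) are deliberately untouched.
fix_host_key_perms() {
    dir=$1
    n=0
    for f in $(find_open_host_keys "$dir"); do
        chmod 600 "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Build a scratch stand-in for /etc/ssh (constructed placeholder files, not real
# keys) in the state a checkout with umask 022 leaves behind: everything 0644.
make_demo_dir() {
    d=$(mktemp -d)
    for t in rsa ecdsa ed25519; do
        printf 'PLACEHOLDER, NOT A REAL KEY\n' > "$d/ssh_host_${t}_key"
        printf 'PLACEHOLDER PUBLIC KEY\n' > "$d/ssh_host_${t}_key.pub"
        chmod 644 "$d/ssh_host_${t}_key" "$d/ssh_host_${t}_key.pub"
    done
    echo "$d"
}

# Show git's own behaviour when it is available: a file committed as 0600 and
# restored by 'git checkout' comes back with the umask-derived mode (0644).
demo_git_drops_mode() {
    command -v git >/dev/null 2>&1 || { echo "git not installed, skipping"; return 0; }
    repo=$(mktemp -d)
    (
        cd "$repo"
        git init -q .
        umask 077
        printf 'PLACEHOLDER, NOT A REAL KEY\n' > ssh_host_rsa_key   # created as 0600
        git -c user.name=demo -c user.email=demo@example.invalid add ssh_host_rsa_key
        git -c user.name=demo -c user.email=demo@example.invalid commit -q -m 'add key'
        rm ssh_host_rsa_key
        umask 022
        git checkout -- ssh_host_rsa_key                             # recreated as 0644
        ls -l ssh_host_rsa_key | cut -c1-10
    ) || echo "git demo could not run"
    rm -rf "$repo"
}

# Stand-alone run: demonstrate the mode loss, then the check and the fix.
demo_git_drops_mode
demo=$(make_demo_dir)
echo "too open before fix:"; find_open_host_keys "$demo"
echo "fixed $(fix_host_key_perms "$demo") file(s)"
echo "too open after fix: $(find_open_host_keys "$demo" | wc -l | tr -d ' ')"
rm -rf "$demo"
```

In production the fix-up pass would be pointed at /etc/ssh (and run as root, so it can also reset ownership), for example from an etckeeper post-checkout hook or a cron job, so that a revert never leaves sshd unable to load its host keys.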


