ssh-keygen -R changes known_hosts file permissions (mode)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
portable OpenSSH |
Unknown
|
Unknown
|
|||
openssh (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Sergio Durigan Junior | ||
Focal |
Fix Released
|
Undecided
|
Sergio Durigan Junior | ||
Impish |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
When using "ssh-keygen -R" to remove a host from "known_hosts" the command changes permissions on the file. This can cause problems particularly when used on the global "known_hosts" file (/etc/ssh/
[Test Plan]
The problem happens on Bionic and Focal.
$ lxc launch ubuntu-daily:focal openssh-bug1966591
$ lxc shell openssh-bug1966591
# ssh-keyscan github.com > test_known_hosts
# chmod 644 test_known_hosts
# ssh-keygen -R github.com -f test_known_hosts
# stat test_known_hosts
...
Access: (0600/-rw-------) ...
...
[Where problems could occur]
The upstream patch is very simple and it is unlikely that it will cause any regressions. An indirect problem that could occur is that users might expect to see a more strict set of permissions on a "known_hosts" file after using "ssh-keygen -R", but arguably this is not defined behaviour and should not be relied upon. Of course, there is always a (very) small risk of introducing problems when rebuilding packages using newer versions of its dependencies (especially on Bionic, because it's older).
[Original Description]
When I use ssh-keygen -R to remove a host from known_hosts it changes permissions on the file. This causes problems particularly when used on the global known hosts file (/etc/ssh/
To reproduce:
$ ssh-keyscan github.com >test_known_hosts
$ chmod 741 test_known_hosts
$ ssh-keygen -R github.com -f test_known_hosts
$ stat test_known_hosts
...
Access: (0600/-rw-------) ...
Expected behavior: file permissions remain unchanged (mode 0741 in this example).
$ lsb_release -rd
Description: Ubuntu 18.04.6 LTS
Release: 18.04
$ apt-cache policy openssh-client
openssh-client:
Installed: 1:7.6p1-4ubuntu0.6
Related branches
- Athos Ribeiro (community): Approve
- Canonical Server packageset reviewers: Pending requested
-
Diff: 119 lines (+91/-0)4 files modifieddebian/changelog (+11/-0)
debian/patches/fix-connect-timeout-overflow.patch (+32/-0)
debian/patches/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch (+46/-0)
debian/patches/series (+2/-0)
- Athos Ribeiro (community): Approve
- Canonical Server packageset reviewers: Pending requested
-
Diff: 119 lines (+91/-0)4 files modifieddebian/changelog (+11/-0)
debian/patches/fix-connect-timeout-overflow.patch (+32/-0)
debian/patches/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch (+46/-0)
debian/patches/series (+2/-0)
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
-
Diff: 294 lines (+206/-17) (has conflicts)8 files modifieddebian/changelog (+41/-0)
debian/control (+9/-0)
debian/patches/CVE-2021-28041.patch (+14/-0)
debian/patches/lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch (+59/-0)
debian/patches/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch (+46/-0)
debian/patches/match-host-certs-w-public-keys.patch (+30/-0)
debian/patches/series (+7/-0)
dev/null (+0/-17)
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
-
Diff: 1411 lines (+1309/-0) (has conflicts)13 files modifieddebian/changelog (+75/-0)
debian/control (+8/-0)
debian/patches/0001-upstream-preserve-group-world-read-permission-on-kno.patch (+46/-0)
debian/patches/CVE-2018-15473.patch (+138/-0)
debian/patches/CVE-2018-20685.patch (+29/-0)
debian/patches/CVE-2019-6109-1.patch (+253/-0)
debian/patches/CVE-2019-6109-2.patch (+106/-0)
debian/patches/CVE-2019-6111-2.patch (+348/-0)
debian/patches/CVE-2019-6111.patch (+182/-0)
debian/patches/lp-1863930-Fix-logic-bug-in-sshd_exchange_identification.patch (+31/-0)
debian/patches/lp-1863930-unbreak-clients-that-advertise-protocol.patch (+31/-0)
debian/patches/regress-2020.patch (+44/-0)
debian/patches/series (+18/-0)
description: | updated |
Thank you for taking the time to report this bug while providing a good reproducer.
I was able to reproduce in Focal and Bionic
# ssh-keyscan github.com >test_known_hosts
# ls -la test_known_hosts
-rw-r--r-- 1 root root 656 Mar 28 14:24 test_known_hosts
# ssh-keygen -R github.com -f test_known_hosts
test_known_hosts updated. hosts.old
Original contents retained as test_known_
# ls -la test_known_hosts
-rw------- 1 root root 0 Mar 28 14:25 test_known_hosts
However in Jammy and Impish this is fixed:
# ssh-keyscan github.com >test_known_hosts
# ls -la test_known_hosts
-rw-r--r-- 1 root root 656 Mar 28 14:30 test_known_hosts
# ssh-keygen -R github.com -f test_known_hosts
test_known_hosts updated. hosts.old
Original contents retained as test_known_
# ls -la test_known_hosts
-rw-r--r-- 1 root root 0 Mar 28 14:31 test_known_hosts
With this already being fixed in the newer releases it should just be a matter of finding the relevant commit and adding it to focal and bionic.
Thanks