[Xen-devel] [OSSTEST PATCH 39/62] preseed_base: chmod ssh host private keys to placate sshd

[Ian Jackson <ian.jackson@xxxxxxxxxxxxx>]

Otherwise:
  Could not load host key: /etc/ssh/ssh_host_ecdsa_key
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
  It is recommended that your private key files are NOT accessible by others.
  This private key will be ignored.
  key_load_private: bad permissions
  Could not load host key: /etc/ssh/ssh_host_ed25519_key

This seems to start happening with stretch.  Presumably stretch is
more annoyingly picky than jessie.

Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
 Osstest/Debian.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index aff5acd5..d76dd03d 100644
--- a/Osstest/Debian.pm
+++ b/Osstest/Debian.pm
@@ -871,6 +871,14 @@ END
        preseed_hook_overlay($ho, $sfx, $srcdir, $tfilename);
     });
 
+    # Host private keys in the overlays have to be group-readable
+    # at least, or no-one can use them.  But ssh is very fussy.
+    preseed_hook_command($ho, 'late_command', $sfx, <<END);
+#!/bin/sh
+set -ex
+chmod 600 /target/etc/ssh/ssh_host_*_key ||:
+END
+
     my $preseed = <<"END";
 d-i debian-installer/locale string en_GB
 d-i console-keymaps-at/keymap select gb
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel