git: 617179178727 - stable/14 - nuageinit: Set recommended SSH permissions
Date: Tue, 03 Sep 2024 07:08:18 UTC
The branch stable/14 has been updated by bapt:
URL: https://cgit.FreeBSD.org/src/commit/?id=617179178727b61123b17e5de6e369ff5dbb8117
commit 617179178727b61123b17e5de6e369ff5dbb8117
Author: Jose Luis Duran <jlduran@gmail.com>
AuthorDate: 2024-07-23 08:59:09 +0000
Commit: Baptiste Daroussin <bapt@FreeBSD.org>
CommitDate: 2024-09-03 07:05:24 +0000
nuageinit: Set recommended SSH permissions
As stated in sshd(8), the recommended permissions for ~/.ssh are
read/write/execute for the user, and not accessible by others; and the
recommended permissions for ~/.ssh/authorized_keys are read/write for
the user, and not accessible by others.
(cherry picked from commit 07d17ca189fcf3cc44b7706040b05ca8135c3b85)
---
libexec/nuageinit/nuage.lua | 2 ++
libexec/nuageinit/tests/nuage.sh | 2 ++
2 files changed, 4 insertions(+)
diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua
index 81fb40c0d8eb..10451dc0bdc4 100644
--- a/libexec/nuageinit/nuage.lua
+++ b/libexec/nuageinit/nuage.lua
@@ -205,9 +205,11 @@ local function addsshkey(homedir, key)
f:write(key .. "\n")
f:close()
if chownak then
+ os.execute("chmod 0600 " .. ak_path)
pu.chown(ak_path, dirattrs.uid, dirattrs.gid)
end
if chowndotssh then
+ os.execute("chmod 0700 " .. dotssh_path)
pu.chown(dotssh_path, dirattrs.uid, dirattrs.gid)
end
end
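Review bot: The two added lines build a shell command by concatenating an unquoted path into `os.execute("chmod 0600 " .. ak_path)` and `os.execute("chmod 0700 " .. dotssh_path)`, so a home directory containing whitespace or shell metacharacters (the homedir argument ultimately comes from instance user data) would make chmod act on the wrong operand, and a non-zero exit status is silently discarded. The file already uses the posix bindings for chown on the neighbouring lines; if posix.sys.stat is loaded in this file, its `chmod` function takes the path and a numeric mode directly and avoids the shell entirely, e.g. `sys_stat.chmod(ak_path, 384)` (0600) and `sys_stat.chmod(dotssh_path, 448)` (0700), with the return value checked. Note also that the mode is applied only inside the `chownak` / `chowndotssh` branches, so if those flags are set only when the file or directory was just created, a pre-existing ~/.ssh or authorized_keys with looser permissions is left as is; a comment stating that intent would help. The start of addsshkey (where ak_path, dotssh_path and the two flags are set) lies outside the hunk.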
diff --git a/libexec/nuageinit/tests/nuage.sh b/libexec/nuageinit/tests/nuage.sh
index bbf306eae51f..531c171a3271 100644
--- a/libexec/nuageinit/tests/nuage.sh
+++ b/libexec/nuageinit/tests/nuage.sh
@@ -17,6 +17,8 @@ addsshkey_body() {
if [ ! -f .ssh/authorized_keys ]; then
atf_fail "ssh key not added"
fi
+ atf_check -o inline:".ssh: 040700 [drwx------ ] -> 040700 [drwx------ ]\n" chmod -vv 0700 .ssh
+ atf_check -o inline:".ssh/authorized_keys: 0100600 [-rw------- ] -> 0100600 [-rw------- ]\n" chmod -vv 0600 .ssh/authorized_keys
atf_check -o inline:"mykey\n" cat .ssh/authorized_keys
atf_check /usr/libexec/flua $(atf_get_srcdir)/addsshkey.lua
atf_check -o inline:"mykey\nmykey\n" cat .ssh/authorized_keys
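Review bot: The two added assertions verify the mode bits only after the first key is added, before the second invocation of addsshkey.lua on the following lines; if the chmod in nuage.lua runs only when the file or directory is freshly created, the case of an existing .ssh with wrong permissions is not covered, and repeating the two checks after the second run would make that explicit. Using `chmod -vv` with an expected "unchanged" transcript as the probe is clever but ties the test to chmod's verbose output format; a comment such as `# chmod -vv prints old -> new mode; equal values assert the mode was already set` would explain the idiom to the next reader. addsshkey_body continues past the end of the hunk.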