wrong key ownership and permission when using HostBasedAuthentication

[glennpj]

When using HostBasedAuthentication, the host private key must be owned by root:ssh_keys with permissions of 0640. When using the ssh::server::host_key type the group ownership and permissions are wrong on the private key, breaking HostBasedAuthentication.

[saz]

Can you provide more information?

[glennpj]

Sure; it occurs to me that this is likely disto specific. For HostbasedAuthentication, the ssh-keysign helper app is used. On my CentOS-7 system this is sgid
---x--s--x 1 root ssh_keys 461496 Apr 12 09:05 /usr/libexec/openssh/ssh-keysign

So, if using the host keys in /etc/ssh, they must be owned by group ssh_keys:
-rw-r-----. 1 root ssh_keys 227 Jan 5 14:16 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 Jan 5 14:16 /etc/ssh/ssh_host_ecdsa_key.pub

If the distro sets ssh-keysign to suid then this would not be an issue. In fact, checking this on a CentOS-6 system, ssh-keysign is suid. So this issue is relevant for CentOS-7/RHEL-7, but perhaps others.

[saz]

As my module isn't managing ssh host keys, there is no way of fixing your issue in here.
Either create the required file resources for the broken systems yourself or use a file resource to set ssh-keysign suid

[glennpj]

I am managing the keys outside of the ssh module. Your module can manage ssh host keys, else what is puppet-ssh/manifests/server/host_key.pp for?

file {"${name}_priv":
    ensure  => $ensure,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    path    => "${::ssh::params::sshd_dir}/${name}",
    source  => $manage_priv_key_source,
    content => $manage_priv_key_content,
    notify  => Class['ssh::server::service'],
  }

[glennpj]

Just to sum this up, using the ssh::server::host_key defined type of this module will not work with HostbasedAuthentication on CentOS-7 systems.

[saz]

You're right. I don't know why I've missed that. I'll look into this a bit more

[saz]

This should be fixed in the current master.