MODULES-2635

ssh_authorized_key is usable only for keys in home dirs

Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: ssh
    • Team: Modules

Description

      sshd has an option, AuthorizedKeysFile, which can override the default authorized_keys path from ~/.ssh/authorized_keys to something else, for example "/etc/ssh/authorized_keys/%u".
      This configuration allows user keys to be kept in an immutable manner, where only the system administrator can add and remove authorized keys on the system. Keys placed in /etc/ssh/authorized_keys/%u only need to be readable by the user to allow login.
      Puppet now has hardcoded permissions in ssh_authorized_key:

        # Mode applied to the directory containing the target key file
        def dir_perm
          0700
        end

        # Mode applied to the target authorized_keys file itself
        def file_perm
          0600
        end

      These settings make the "target" attribute (the absolute filename in which to store the SSH key) completely unusable. Moreover, after commit b29b1785d543a3cea961fffa9b3c15f14ab7cce0, which fixed CVE-2011-3870, the directory in the target attribute must be writable by the key owner. So now it does not matter where authorized_keys is stored with Puppet: the user will always have write permission to change it.

      The ability to disallow authorized_keys in user home dirs is mandatory, for example when TrustedUserCAKeys is configured and used with sshd, because a user could just add his own authorized_key and bypass the expiration of his signed certificate.

      According to the commit history
      (https://github.com/puppetlabs/puppet/commits/master/lib/puppet/provider/ssh_authorized_key/parsed.rb), a few years ago there was a check for the key file mode when the "target" attribute was used, but sadly it was removed in recent versions.
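As an added illustration (not Puppet's own provider code and not part of the ticket), the following Ruby sketches the behaviour the report asks for: a policy that keeps 0700/0600 user ownership for keys under the user's home directory, but switches to root ownership with user-readable, non-writable modes for a sysadmin-managed target such as /etc/ssh/authorized_keys/%u, plus a check that flags the situation described above, where the key file at a system-managed path ends up writable by the key owner. The function names, the stat hashes and the sample paths are assumptions constructed for this example.

```ruby
require 'pathname'

# Decide ownership and modes for an authorized_keys target (example policy,
# not Puppet's). Keys under the user's home stay user-owned with 0700/0600,
# which is what sshd's StrictModes expects. Keys outside the home directory
# are treated as administrator-managed: root-owned, readable by the user,
# and never writable by the user, so the user cannot add keys to bypass
# controls such as TrustedUserCAKeys certificate expiry.
def authorized_keys_policy(target, user, home)
  target = Pathname.new(target).cleanpath.to_s
  home   = Pathname.new(home).cleanpath.to_s
  # Prefix check with a trailing slash so /home/alice2 is not "inside" /home/alice
  in_home = target == home || target.start_with?(home + '/')
  if in_home
    { owner: user, group: user, dir_mode: 0700, file_mode: 0600, managed_by: :user }
  else
    { owner: 'root', group: 'root', dir_mode: 0755, file_mode: 0644, managed_by: :root }
  end
end

# stat values are plain hashes ({ owner:, mode: }) so the check runs on
# constructed data; in real use build them from File.stat (uid -> user name,
# mode & 07777). Group-writable bits are deliberately ignored here because the
# group membership of the user is not part of the constructed input.
def user_writable?(stat, user)
  return true if stat[:owner] == user && (stat[:mode] & 0200) != 0
  (stat[:mode] & 0002) != 0
end

# Return a list of problems with an existing layout relative to the policy.
def check_layout(target, user, home, dir_stat, file_stat)
  policy = authorized_keys_policy(target, user, home)
  problems = []
  if policy[:managed_by] == :root
    problems << "directory writable by #{user}" if user_writable?(dir_stat, user)
    problems << "file writable by #{user}" if user_writable?(file_stat, user)
    problems << "file not owned by #{policy[:owner]}" unless file_stat[:owner] == policy[:owner]
  else
    problems << "file not owned by #{user}" unless file_stat[:owner] == user
    problems << 'file group/world accessible' if (file_stat[:mode] & 0077) != 0
  end
  problems
end

if __FILE__ == $0
  # Constructed scenario from the report: the hardcoded 0600/user ownership
  # applied to a system-managed target leaves the key file user-writable.
  puts check_layout('/etc/ssh/authorized_keys/alice', 'alice', '/home/alice',
                    { owner: 'root', mode: 0755 }, { owner: 'alice', mode: 0600 }).inspect
end
```

Running the file prints the problems found for the constructed scenario; an empty list means the layout matches the policy for that target.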

People

    • Assignee: Unassigned
    • Reporter: a_n_t Anton