/etc/ssh/authorized_keys.d contains keys that have been removed

Done

Details

One participant

Ludovic Courtès

Owner: unassigned

Submitted by: Ludovic Courtès

Severity: important

Ludovic Courtès wrote on 26 May 2022 17:02

Recipients:(address . bug-guix@gnu.org)

Message-ID:875ylsfic7.fsf@inria.fr

In the wake of https://issues.guix.gnu.org/55359#3, I realized that

/etc/ssh/authorized_keys.d is stateful: we copy files from the

authorized-key directory there, but files already present remain.

IOW, keys remain authorized.

Why are we copying that directory instead of making a symlink to the

directory computed by ‘authorized-key-directory’ that’s in /gnu/store?

This is explained in ‘openssh-activation’:

;; 'sshd' complains if the authorized-key directory and its parents

;; are group-writable, which rules out /gnu/store. Thus we copy the

;; authorized-key directory to /etc.

Anyway, that code does intend remove the directory before copying it,

but there’s a typo:

(delete-file-recursively "/etc/authorized_keys.d")

Can you spot it?

Ludo’.

Ludovic Courtès wrote on 26 May 2022 17:05

control message for bug #55661

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87zgj4e3lp.fsf@gnu.org

tags 55661 + security

quit

Ludovic Courtès wrote on 26 May 2022 17:05

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87y1yoe3lj.fsf@gnu.org

severity 55661 important

quit

Ludovic Courtès wrote on 26 May 2022 17:20

Re: bug#55661: /etc/ssh/authorized_keys.d contains keys that have been removed

Recipients:(address . 55661-done@debbugs.gnu.org)

Message-ID:87tu9ce2wt.fsf@gnu.org

Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (5 lines)

> Anyway, that code does intend remove the directory before copying it,

> but there’s a typo:

> (delete-file-recursively "/etc/authorized_keys.d")

Fixed in 4577f3c6b60ea100e521c246fb169d6c05214b20.

Ludo'.

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 55661@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 55661

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date