ssh permissions

Status
Not open for further replies.

hugovsky

Guru
Joined
Dec 12, 2011
Messages
567
New bug? This was after an upgrade to the latest beta (FreeNAS-9.3-BETA-1416270131-1):

Code:
Nov 18 17:00:01 nas sshd[7355]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Nov 18 17:00:01 nas sshd[7355]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Nov 18 17:00:01 nas sshd[7355]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Nov 18 17:00:01 nas sshd[7355]: error: Permissions 0644 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Nov 18 17:00:01 nas sshd[7355]: error: It is required that your private key files are NOT accessible by others.
Nov 18 17:00:01 nas sshd[7355]: error: This private key will be ignored.
Nov 18 17:00:01 nas sshd[7355]: error: bad permissions: ignore key: /etc/ssh/ssh_host_ed25519_key
Nov 18 17:00:01 nas sshd[7355]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I'm not sure when this was added (my guess is recently unless you just didn't notice the problem before). But I can't say I'm surprised. With 664 permissions another user could add a key to your keyfile that could, in theory, grant them access to your server when access isn't desired. This is *definitely* a problem and, frankly, I'm glad it's rejecting files for that error. It's clearly a sign of user error and sshd should take that kind of action for security files it cannot even validate are untouched by %randomuser%.
 

gadams999

Cadet
Joined
Nov 19, 2014
Messages
4
I've seen the same thing updating on the FreeNAS 9.3-BETA track to FreeNAS-9.3-BETA-1416270131-1. After reboot the permissions on the same file were changed by the update process.

What's the process to remount the USB flash drive to make the changes? New to FreeNAS, still getting used to searching for details via the site/forum.
 

gadams999

Cadet
Joined
Nov 19, 2014
Messages
4
Once the system boots, aren't the filesystems then on tmpfs? When I did reboot, the permission changes are lost....

[root@freenas] /var/log# df -kh
Filesystem                                       Size    Used   Avail Capacity  Mounted on
freenas-boot/ROOT/FreeNAS-9.3-BETA-1416270131-1  6.3G    905M    5.4G    14%    /
devfs                                            1.0k    1.0k      0B   100%    /dev

tmpfs                                             32M    5.3M     26M    16%    /etc
tmpfs                                            4.0M    8.0k      4M     0%    /mnt
tmpfs                                            2.7G     15M    2.6G     1%    /var

Nov 19 12:48:19 freenas sshd[4391]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Nov 19 12:48:19 freenas sshd[4391]: error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Nov 19 12:48:19 freenas sshd[4391]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Nov 19 12:48:19 freenas sshd[4391]: error: Permissions 0644 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Nov 19 12:48:19 freenas sshd[4391]: error: It is required that your private key files are NOT accessible by others.
Nov 19 12:48:19 freenas sshd[4391]: error: This private key will be ignored.
Nov 19 12:48:19 freenas sshd[4391]: error: bad permissions: ignore key: /etc/ssh/ssh_host_ed25519_key
Nov 19 12:48:19 freenas sshd[4391]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

edit to change quoted text to monospaced.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You have to mount the boot device as writable, make the changes, then make it read-only again. :P
 

gadams999

Cadet
Joined
Nov 19, 2014
Messages
4
You have to mount the boot device as writable, make the changes, then make it read-only again. :p

:) Thanks cyberjock, that's the FAQ/guide I was looking for to do the RW mount. Being new to ZFS I didn't want to whack the partitions on the boot device. If no guide, I'll do me some research. Test system anyway, not a biggie if I mess things up.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I haven't tried this on 9.3, but pre-9.3 you used the commands:

mount -rw /
(do your changes)
mount -r /

They should stick if you reboot, assuming those work in 9.3 ;)

Try it and let me know.
 

gadams999

Cadet
Joined
Nov 19, 2014
Messages
4
I can see the main boot drive as /, but a "mount -w" (-rw not valid) doesn't save the changes to /etc/ssh/... My thought is since /etc is already mounted to a tmpfs filesystem the changes I'm making are lost on reboot.

Any other thoughts?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah.. I forgot.. the changes you'll need to make should be done in /conf/base/etc. ;)
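
Added example (not part of the thread, and not FreeNAS or OpenSSH code): a small shell audit for the condition sshd reports in the logs above, a private host key with any group or other permission bit set. The function names are hypothetical, and the directory /conf/base/etc/ssh is an assumption combining the last reply's /conf/base/etc with the ssh subdirectory seen in the log path.

```shell
#!/bin/sh
# Added example: audit and tighten SSH private host key modes.
# sshd ignores a private host key when any group/other permission bit is
# set, which is what "Permissions 0644 ... are too open" reports.

# Print each private host key in directory $1 whose group/other bits are set.
# The pattern ends in "_key", so public keys (*.pub) are never matched;
# those are meant to be world-readable.
find_open_host_keys() {
    for key in "$1"/ssh_host_*_key; do
        # An unmatched glob stays literal and is skipped here.
        [ -f "$key" ] || continue
        # ls -ld prints a mode string such as "-rw-r--r--";
        # characters 5-10 are the group and other permission bits.
        bits=$(ls -ld -- "$key" | cut -c5-10)
        [ "$bits" = "------" ] || printf '%s\n' "$key"
    done
}

# Set every offending key in directory $1 to 0600 and print what changed.
fix_open_host_keys() {
    find_open_host_keys "$1" | while IFS= read -r key; do
        chmod 600 -- "$key" && printf 'fixed %s\n' "$key"
    done
}

# Usage (directories are assumptions based on the thread):
#   find_open_host_keys /etc/ssh             # running copy on tmpfs
#   fix_open_host_keys /conf/base/etc/ssh    # copy that survives a reboot
```

Running find_open_host_keys after an upgrade shows whether the update process reset the modes again before sshd logs the warning.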
 