Bug 3146

Summary: ssh-keygen -R changes permissions on existing file
Product: Portable OpenSSH
Reporter: ed
Component: ssh-keygen
Assignee: Damien Miller <djm>
Status: CLOSED FIXED
Severity: normal
CC: djm, dtucker
Priority: P5
Version: 7.9p1
Hardware: amd64
OS: Linux
Bug Depends on:
Bug Blocks: 3162
Attachments:
  preserve file mode (flags: dtucker: ok+)

Description ed 2020-04-09 12:21:20 AEST
Using ssh-keygen -R to remove a key from a file with group/other read permission changes the permissions to remove any group and other bits.  This is good for ~/.ssh/known_hosts, which should be 600, but bad for /etc/ssh/ssh_known_hosts, which should be 644.

Inspecting the source, the function that removes a key sets umask 077 before creating the new file for the existing lines (except the one to be removed), but doesn't copy the permissions.
Comment 1 Damien Miller 2020-05-08 13:53:22 AEST
Created attachment 3392 [details]
preserve file mode

This preserves world and group readability when deleting or hashing known_hosts files.
Comment 2 Damien Miller 2020-05-13 19:56:19 AEST
This has been committed and will be in OpenSSH 8.4 - thanks!
Comment 3 ed 2020-05-16 12:05:58 AEST
Thank you for fixing this!
Comment 4 Damien Miller 2021-03-04 09:54:20 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle