Bug 3146 - ssh-keygen -R changes permissions on existing file
Summary: ssh-keygen -R changes permissions on existing file
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 7.9p1
Hardware: amd64 Linux
Importance: P5 normal
Assignee: Damien Miller
URL:
Keywords:
Depends on:
Blocks: V_8_4
Reported: 2020-04-09 12:21 AEST by ed
Modified: 2021-03-04 09:54 AEDT

See Also:


Attachments
preserve file mode (1.01 KB, patch)
2020-05-08 13:53 AEST, Damien Miller
dtucker: ok+

Description ed 2020-04-09 12:21:20 AEST
Using ssh-keygen -R to remove a key from a file with group/other read permission changes the permissions to remove any group and other bits. This is good for ~/.ssh/known_hosts, which should be 600, but bad for /etc/ssh/ssh_known_hosts, which should be 644.

Inspecting the source, the function that removes a key sets umask 077 before creating the new file for the existing lines (except the one to be removed), but doesn't copy the permissions.
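The rewrite strategy described in the report, reproduced as an added example (not ssh-keygen's own code and not the attached patch): the replacement file is created under umask 077, so without copying the original's mode bits a 644 system-wide known_hosts file comes back as 600; copying the mode onto the new file before the rename keeps it 644. The file content, host names and key strings are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed sample content for a system-wide ssh_known_hosts file (not real keys).
SAMPLE = (
    "host-a.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYA\n"
    "host-b.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYB\n"
)


def remove_host(path, host, preserve_mode):
    """Rewrite `path` without the lines whose first field equals `host`.

    Mirrors the approach in the report: the new file is created under
    umask 077 and renamed over the original. With preserve_mode=False this
    reproduces the bug (the file ends up 0600 whatever it was before).
    With preserve_mode=True the original's permission bits are copied onto
    the new file first, which is the behaviour the fix restores.
    Returns the permission bits of the resulting file.
    """
    original_mode = stat.S_IMODE(os.stat(path).st_mode)
    tmp = path + ".tmp"
    old_umask = os.umask(0o077)          # umask 077: 0666 & ~077 -> 0600
    try:
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "w") as out, open(path) as src:
        for line in src:
            fields = line.split()
            if fields and fields[0] == host:
                continue                  # this is the entry being removed
            out.write(line)
        if preserve_mode:
            os.fchmod(out.fileno(), original_mode)
    os.replace(tmp, path)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(preserve_mode):
    """Set up a 0644 ssh_known_hosts in a temp dir, remove host-a, report
    the resulting mode and the hosts that remain."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ssh_known_hosts")
        with open(path, "w") as f:
            f.write(SAMPLE)
        os.chmod(path, 0o644)             # system-wide file: world-readable
        mode = remove_host(path, "host-a.example", preserve_mode)
        with open(path) as f:
            hosts = [l.split()[0] for l in f if l.strip()]
    return mode, hosts
```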
Comment 1 Damien Miller 2020-05-08 13:53:22 AEST
Created attachment 3392 [details]
preserve file mode

This preserves world and group readability when deleting or hashing known_hosts files.
Comment 2 Damien Miller 2020-05-13 19:56:19 AEST
This has been committed and will be in OpenSSH 8.4 - thanks!
Comment 3 ed 2020-05-16 12:05:58 AEST
Thank you for fixing this!
Comment 4 Damien Miller 2021-03-04 09:54:20 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle