question on groups and group ownership on default centos7 image


Joe Breen

Apr 14, 2021, 10:51:24 PM
to cloudla...@googlegroups.com, Joe Breen, Brian Haymore, pierce.j...@utah.edu, isaak...@utah.edu, jason...@utah.edu
Hi,

We noticed some anomalies on the group settings of some of the files related to openssh in the Cloudlab default Centos7 image.  We were wondering if these settings were on purpose, an artifact of the image build process or something else?


Anomaly:
ssh-keysign has a group ID that does not map to a group in /etc/groups

[jbreen@vm0 ~]$ ll /usr/libexec/openssh/ssh-keysign
---x--s--x 1 root 155 465760 Aug  8  2019 /usr/libexec/openssh/ssh-keysign

Anomaly:
ssh private keys in /etc/ssh all belong to root instead of proper group

[jbreen@vm0 ~]$ ls -al /etc/ssh
total 652
drwxr-xr-x.  2 root root   4096 Apr 14 16:08 .
drwxr-xr-x. 97 root root  12288 Apr 14 17:10 ..
-rw-r--r--   1 root root 581843 Aug  8  2019 moduli
-rw-r--r--   1 root root   2276 Aug  8  2019 ssh_config
-rw-------   1 root root    672 Jul  6  2004 ssh_host_dsa_key
-rw-r--r--   1 root root    610 Jul  6  2004 ssh_host_dsa_key.pub
-rw-------   1 root root    227 Jun 28  2017 ssh_host_ecdsa_key
-rw-r--r--   1 root root    186 Jun 28  2017 ssh_host_ecdsa_key.pub
-rw-------   1 root root    419 Jun 28  2017 ssh_host_ed25519_key
-rw-r--r--   1 root root    106 Jun 28  2017 ssh_host_ed25519_key.pub
-rw-------   1 root root   1003 May 13  2014 ssh_host_key
-rw-r--r--   1 root root    668 May 13  2014 ssh_host_key.pub
-rw-------   1 root root   1679 May 13  2014 ssh_host_rsa_key
-rw-r--r--   1 root root    420 May 13  2014 ssh_host_rsa_key.pub
-rw-------   1 root root   4533 Apr 14 16:08 sshd_config
-rw-------   1 root root   4485 Oct  7  2020 sshd_config.bak


Issue:
These settings prevent us from setting up host trust between Cloudlab/Apt machines and other machines.  These settings do not seem to be congruent with a default CentOS7 installation.



Default CentOS7 configuration:
sentry.chpc.utah.edu $ll /etc/ssh
total 604
-rw-r--r--. 1 root root     581843 Apr 10  2018 moduli
-rw-r--r--. 1 root root       2276 Apr 10  2018 ssh_config
-rw-r-----. 1 root ssh_keys    227 Feb 26  2019 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Feb 26  2019 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 Feb 26  2019 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 Feb 26  2019 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys   1679 Feb 26  2019 ssh_host_rsa_key
-rw-r--r--. 1 root root        382 Feb 26  2019 ssh_host_rsa_key.pub
-rw-------. 1 root root       3907 Apr 10  2018 sshd_config

sentry.chpc.utah.edu $ll /usr/libexec/openssh/ssh-keysign
---x--s--x. 1 root ssh_keys 469880 Apr 10  2018 /usr/libexec/openssh/ssh-keysign


Temporary Workaround:

[root@vm0 ~]# yum reinstall --downloadonly openssh
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.radwebhosting.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: repos.forethought.net
 * updates: repos.eggycrew.com
Resolving Dependencies
--> Running transaction check
---> Package openssh.x86_64 0:7.4p1-21.el7 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package                     Arch                       Version                          Repository                Size
========================================================================================================================
Reinstalling:
 openssh                     x86_64                     7.4p1-21.el7                     base                     510 k

Transaction Summary
========================================================================================================================
Reinstall  1 Package

Total download size: 510 k
Installed size: 1.9 M
Background downloading packages, then exiting:
openssh-7.4p1-21.el7.x86_64.rpm                                                                  | 510 kB  00:00:00


[root@vm0 ssh]# chgrp ssh_keys *_key; chmod g+r *_key
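An added check, not part of the thread, that applies the comparison above to saved `ls -l` output: it flags a numeric group column (a GID with no /etc/group entry), host private keys that are not root:ssh_keys mode 0640, and an ssh-keysign that is not setgid ssh_keys, using the sentry listing as the reference layout. The sample rows are copied from the two listings in this message.

```python
import re

# Reference CentOS 7 layout, as in the sentry listing above: host private keys
# are root:ssh_keys 0640, ssh-keysign is setgid ssh_keys so it can read them.
KEY_GROUP = "ssh_keys"
KEY_MODE = "-rw-r-----"
KEYSIGN_MODE = "---x--s--x"

# `ls -l` row: mode (+ optional '.'/'+'), links, owner, group, size, 3 date tokens, name
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>\S+)$"
)
PRIVATE_KEY_RE = re.compile(r"^ssh_host(_[a-z0-9]+)?_key$")  # excludes *.pub


def audit_ls(lines):
    """Return one finding per deviation from the reference layout."""
    findings = []
    for line in lines:
        m = LS_RE.match(line.strip())
        if not m:  # 'total NNN' header or other non-listing text
            continue
        mode, group, name = m["mode"], m["group"], m["name"].rsplit("/", 1)[-1]
        # ls prints a bare number when the GID has no /etc/group entry.
        if group.isdigit():
            findings.append(f"{name}: GID {group} maps to no group")
        if name == "ssh-keysign":
            expected_mode = KEYSIGN_MODE
        elif PRIVATE_KEY_RE.match(name):
            expected_mode = KEY_MODE
        else:
            continue  # public keys, config files, '.' and '..'
        if group != KEY_GROUP:
            findings.append(f"{name}: group {group}, expected {KEY_GROUP}")
        if mode != expected_mode:
            findings.append(f"{name}: mode {mode}, expected {expected_mode}")
    return findings


# Constructed test input: rows copied from the vm0 and sentry listings above.
VM0_LISTING = """\
total 652
-rw-------   1 root root    227 Jun 28  2017 ssh_host_ecdsa_key
-rw-------   1 root root   1679 May 13  2014 ssh_host_rsa_key
---x--s--x 1 root 155 465760 Aug  8  2019 /usr/libexec/openssh/ssh-keysign
""".splitlines()
REFERENCE_LISTING = """\
-rw-r-----. 1 root ssh_keys    227 Feb 26  2019 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Feb 26  2019 ssh_host_ecdsa_key.pub
---x--s--x. 1 root ssh_keys 469880 Apr 10  2018 /usr/libexec/openssh/ssh-keysign
""".splitlines()
```

Feed it the output of `ls -l /etc/ssh /usr/libexec/openssh/ssh-keysign` captured from a candidate image; an empty result means the layout matches the reference.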

David M Johnson

Apr 15, 2021, 10:59:19 AM
to cloudla...@googlegroups.com
On 4/14/21 8:51 PM, Joe Breen wrote:
> Hi,
>
> We noticed some anomalies on the group settings of some of the files
> related to openssh in the Cloudlab default Centos7 image.  We were
> wondering if these settings were on purpose, an artifact of the image
> build process or something else?

Hi Joe. We'll look at fixing this issue in the next round of image
security updates; not sure on exact timing. This one just slipped
through the cracks... we have a post-imaging step that resets the
hostkeys and that didn't conceive of a non-root gid for these files
(redhat, always innovating). And clearly CentOS7 lost the ssh_keys
group somewhere; CentOS8 still has it.

David


Joe Breen

Apr 15, 2021, 12:09:13 PM
to cloudla...@googlegroups.com, Brian Haymore, pierce.j...@utah.edu, isaak...@utah.edu, jason...@utah.edu
Thanks David, I appreciate it.  

We'll script our workaround for now until the new updates are in place for the image.  --Joe

To unsubscribe from this group and stop receiving emails from it, send an email to cloudlab-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cloudlab-users/7b72266f-04db-2095-419b-985d1598596e%40cs.utah.edu.