
[RHEL-10] Group ssh_keys is missing in rhel-10

    • Bug
    • Resolution: Done
    • rhel-10.0
    • openssh
    • rhel-sst-security-crypto
    • ssg_security
    • Crypto24Q2

      What were you trying to do that didn't work?
      Group ssh_keys is used to set the group name for /etc/ssh/ssh_host*key, but the group ssh_keys is missing in rhel-10, so setting the /etc/ssh/ssh_host*key group to ssh_keys failed.

      Here is the failure info in the cloud-init.log:

      2024-04-28 08:41:26,689 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'rsa', '-N', '', '-f', '/etc/ssh/ssh_host_rsa_key'] with allowed return codes [0] (shell=False, capture=True)
      2024-04-28 08:41:26,911 - subp.py[DEBUG]: command ['ssh-keygen', '-t', 'rsa', '-N', '', '-f', '/etc/ssh/ssh_host_rsa_key'] took 0.2s to run
      2024-04-28 08:41:26,912 - util.py[DEBUG]: Group ssh_keys is not a valid group name
      2024-04-28 08:41:26,912 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
      2024-04-28 08:41:26,919 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ecdsa', '-N', '', '-f', '/etc/ssh/ssh_host_ecdsa_key'] with allowed return codes [0] (shell=False, capture=True)
      2024-04-28 08:41:26,926 - util.py[DEBUG]: Group ssh_keys is not a valid group name
      2024-04-28 08:41:26,926 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
      2024-04-28 08:41:26,930 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key'] with allowed return codes [0] (shell=False, capture=True)
      2024-04-28 08:41:26,935 - util.py[DEBUG]: Group ssh_keys is not a valid group name

      The root should be ssh_keys in the output below:

      $ ls -l /etc/ssh/ssh_host*key | awk '{print $1,$4,$9}'
      rw------ root /etc/ssh/ssh_host_ecdsa_key
      rw------ root /etc/ssh/ssh_host_ed25519_key
      rw------ root /etc/ssh/ssh_host_rsa_key



      Please provide the package NVR for which bug is seen:
      cloud-init-24.1.4-2.el10.noarch
      RHEL-10.0-20240411.13

      How reproducible:
      100%

      Steps to reproduce
      1. Deploy VM with cloud-init
      2. Check the /etc/ssh/ssh_host*key group

      Expected results
      The /etc/ssh/ssh_host*key group should be ssh_keys

      Actual results
      The /etc/ssh/ssh_host*key group is root

      $ ls -l /etc/ssh/ssh_host*key | awk '{print $1,$4,$9}'
      rw------ root /etc/ssh/ssh_host_ecdsa_key
      rw------ root /etc/ssh/ssh_host_ed25519_key
      rw------ root /etc/ssh/ssh_host_rsa_key

      Additional Info
      No such issue in rhel-9.5, where the group ssh_keys exists:
      $ getent group | grep ssh_keys
      ssh_keys:x:995:

              dbelyavs@redhat.com Dmitry Belyavskiy
              rhn-support-huzhao Huijuan Zhao
              Dmitry Belyavskiy
              SSG Security QE
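One way to spot this failure across a fleet is to scan cloud-init.log for host keys whose group assignment was skipped. The following is an added example, not part of the original report or of cloud-init; the function name `keys_missing_group` is hypothetical, and it assumes each "not a valid group name" line refers to the key written by the ssh-keygen command logged just before it, as the ordering in the excerpt above suggests.

```python
import ast
import re

# Log lines copied from the cloud-init.log excerpt in this report.
SAMPLE_LOG = """\
2024-04-28 08:41:26,689 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'rsa', '-N', '', '-f', '/etc/ssh/ssh_host_rsa_key'] with allowed return codes [0] (shell=False, capture=True)
2024-04-28 08:41:26,911 - subp.py[DEBUG]: command ['ssh-keygen', '-t', 'rsa', '-N', '', '-f', '/etc/ssh/ssh_host_rsa_key'] took 0.2s to run
2024-04-28 08:41:26,912 - util.py[DEBUG]: Group ssh_keys is not a valid group name
2024-04-28 08:41:26,912 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
2024-04-28 08:41:26,919 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ecdsa', '-N', '', '-f', '/etc/ssh/ssh_host_ecdsa_key'] with allowed return codes [0] (shell=False, capture=True)
2024-04-28 08:41:26,926 - util.py[DEBUG]: Group ssh_keys is not a valid group name
2024-04-28 08:41:26,926 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
2024-04-28 08:41:26,930 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key'] with allowed return codes [0] (shell=False, capture=True)
2024-04-28 08:41:26,935 - util.py[DEBUG]: Group ssh_keys is not a valid group name
"""

RUN_RE = re.compile(r"Running command (\[.*?\]) with allowed return codes")
GROUP_RE = re.compile(r"Group (\S+) is not a valid group name")


def keys_missing_group(log_text):
    """Map each generated host key path to the group that could not be resolved."""
    affected = {}
    pending = None  # key file written by the most recent ssh-keygen command
    for line in log_text.splitlines():
        run = RUN_RE.search(line)
        if run:
            pending = None
            try:
                argv = ast.literal_eval(run.group(1))  # logged as a Python list
            except (ValueError, SyntaxError):
                continue  # truncated or malformed line: skip it
            if argv and argv[0] == "ssh-keygen" and "-f" in argv[:-1]:
                pending = argv[argv.index("-f") + 1]
            continue
        miss = GROUP_RE.search(line)
        if miss and pending is not None:
            affected[pending] = miss.group(1)
            pending = None
    return affected


if __name__ == "__main__":
    for path, group in keys_missing_group(SAMPLE_LOG).items():
        print(f"{path}: group {group} missing, key left with default group")
```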