GNU bug report logs

#55661 /etc/ssh/authorized_keys.d contains keys that have been removed


Report forwarded to bug-guix@gnu.org:
bug#55661; Package guix. (Thu, 26 May 2022 15:03:01 GMT)


Acknowledgement sent to Ludovic Courtès <ludo@gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Thu, 26 May 2022 15:03:02 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: bug-guix@gnu.org
Subject: /etc/ssh/authorized_keys.d contains keys that have been removed
Date: Thu, 26 May 2022 17:02:00 +0200

In the wake of <https://issues.guix.gnu.org/55359#3>, I realized that
/etc/ssh/authorized_keys.d is stateful: we copy files from the
authorized-key directory there, but files already present remain.
IOW, keys remain authorized.

Why are we copying that directory instead of making a symlink to the
directory computed by ‘authorized-key-directory’ that’s in /gnu/store?

This is explained in ‘openssh-activation’:

        ;; 'sshd' complains if the authorized-key directory and its parents
        ;; are group-writable, which rules out /gnu/store.  Thus we copy the
        ;; authorized-key directory to /etc.

Anyway, that code does intend to remove the directory before copying it,
but there’s a typo:

  (delete-file-recursively "/etc/authorized_keys.d")

Can you spot it?

Ludo’.




Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Thu, 26 May 2022 15:06:02 GMT)


Severity set to 'important' from 'normal'. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Thu, 26 May 2022 15:06:02 GMT)


Reply sent to Ludovic Courtès <ludo@gnu.org>:
You have taken responsibility. (Thu, 26 May 2022 15:21:02 GMT)


Notification sent to Ludovic Courtès <ludo@gnu.org>:
bug acknowledged by developer. (Thu, 26 May 2022 15:21:02 GMT)


Message #14 received at 55661-done@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: 55661-done@debbugs.gnu.org
Subject: Re: bug#55661: /etc/ssh/authorized_keys.d contains keys that have been removed
Date: Thu, 26 May 2022 17:20:34 +0200

Ludovic Courtès <ludo@gnu.org> skribis:

> Anyway, that code does intend to remove the directory before copying it,
> but there’s a typo:
>
>   (delete-file-recursively "/etc/authorized_keys.d")

Fixed in 4577f3c6b60ea100e521c246fb169d6c05214b20.

Ludo'.
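
Because the live directory kept files that were no longer declared, a host that ran the affected activation code can be checked by comparing /etc/ssh/authorized_keys.d with the declared authorized-key directory. The following is an added example, not code from Guix or from this thread; the helper name `audit_authorized_keys` and both directory arguments are assumptions (the declared directory is the store directory computed by ‘authorized-key-directory’, whose path is not given here), and the sample keys are constructed.

```sh
#!/bin/sh
# Added example (not from Guix): compare a live authorized-keys directory
# with the declared one and report files that should no longer be there.

# audit_authorized_keys DECLARED_DIR LIVE_DIR   (hypothetical helper name)
# Prints one finding per line:
#   STALE <name>    only in LIVE_DIR: a key file left behind after removal
#   DRIFT <name>    in both, but the contents differ
#   MISSING <name>  declared, but absent from LIVE_DIR
# Returns 0 if the directories agree, 1 on any finding, 2 on bad arguments.
audit_authorized_keys() {
    declared=$1
    live=$2
    if [ ! -d "$declared" ] || [ ! -d "$live" ]; then
        echo "usage: audit_authorized_keys DECLARED_DIR LIVE_DIR" >&2
        return 2
    fi
    findings=0
    for f in "$live"/*; do
        # Skip the literal pattern left when the directory is empty.
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        if [ ! -e "$declared/$name" ]; then
            echo "STALE $name"; findings=1
        elif ! cmp -s "$declared/$name" "$f"; then
            echo "DRIFT $name"; findings=1
        fi
    done
    for f in "$declared"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        [ -e "$live/$name" ] || { echo "MISSING $name"; findings=1; }
    done
    return "$findings"
}

# Constructed sample: "bob" was dropped from the declaration but is still live.
demo=$(mktemp -d)
mkdir "$demo/declared" "$demo/live"
echo "ssh-ed25519 AAAA-constructed-1 alice@example" > "$demo/declared/alice"
cp "$demo/declared/alice" "$demo/live/alice"
echo "ssh-ed25519 AAAA-constructed-2 bob@example" > "$demo/live/bob"
audit_authorized_keys "$demo/declared" "$demo/live" || echo "review the findings above"
rm -rf "$demo"
```

Any STALE line names a file that sshd would still honour although the key is no longer declared.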




bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Fri, 24 Jun 2022 11:24:07 GMT)



debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 06:30:39 2024; Machine Name: wallace-server