GNU bug report logs - #55661
/etc/ssh/authorized_keys.d contains keys that have been removed


Package: guix

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Thu, 26 May 2022 15:03:01 UTC

Severity: important

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#55661; Package guix. (Thu, 26 May 2022 15:03:01 GMT)

Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 26 May 2022 15:03:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: /etc/ssh/authorized_keys.d contains keys that have been removed
Date: Thu, 26 May 2022 17:02:00 +0200

In the wake of <https://issues.guix.gnu.org/55359#3>, I realized that
/etc/ssh/authorized_keys.d is stateful: we copy files from the
authorized-key directory there, but files already present remain.
IOW, keys remain authorized.

Why are we copying that directory instead of making a symlink to the
directory computed by ‘authorized-key-directory’ that’s in /gnu/store?

This is explained in ‘openssh-activation’:

        ;; 'sshd' complains if the authorized-key directory and its parents
        ;; are group-writable, which rules out /gnu/store.  Thus we copy the
        ;; authorized-key directory to /etc.

Anyway, that code does intend to remove the directory before copying it,
but there’s a typo:

  (delete-file-recursively "/etc/authorized_keys.d")

Can you spot it?

Ludo’.




Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 26 May 2022 15:06:02 GMT)

Severity set to 'important' from 'normal' Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 26 May 2022 15:06:02 GMT)

Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Thu, 26 May 2022 15:21:02 GMT)

Notification sent to Ludovic Courtès <ludo <at> gnu.org>:
bug acknowledged by developer. (Thu, 26 May 2022 15:21:02 GMT)

Message #14 received at 55661-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: 55661-done <at> debbugs.gnu.org
Subject: Re: bug#55661: /etc/ssh/authorized_keys.d contains keys that have
 been removed
Date: Thu, 26 May 2022 17:20:34 +0200

Ludovic Courtès <ludo <at> gnu.org> skribis:

> Anyway, that code does intend to remove the directory before copying it,
> but there’s a typo:
>
>   (delete-file-recursively "/etc/authorized_keys.d")

Fixed in 4577f3c6b60ea100e521c246fb169d6c05214b20.

Ludo'.
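
Added example, not part of the report or of Guix: a shell model of the copy step described above, run once with the path quoted in the report and once with the directory named in the bug title, followed by an audit that lists files left in the deployed directory but absent from the declared one. The function names, directory arguments and key lines are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the activation step in the report (not the Guix code).

# activate ROOT DECLARED DELETE_PATH: delete DELETE_PATH under ROOT, then
# copy the declared keys into ROOT/etc/ssh/authorized_keys.d.
activate() {
    root=$1 declared=$2 delete_path=$3
    rm -rf "$root$delete_path"
    mkdir -p "$root/etc/ssh/authorized_keys.d"
    cp "$declared"/* "$root/etc/ssh/authorized_keys.d/"
}

# stale_keys DEPLOYED DECLARED: print each file in DEPLOYED that is missing
# from DECLARED or differs from it; return 1 if any such file exists.
stale_keys() {
    deployed=$1 declared=$2 found=0
    for f in "$deployed"/*; do
        [ -e "$f" ] || continue            # empty directory: glob unmatched
        name=${f##*/}
        if [ ! -f "$declared/$name" ]; then
            printf 'stale: %s\n' "$name"; found=1
        elif ! cmp -s "$f" "$declared/$name"; then
            printf 'differs: %s\n' "$name"; found=1
        fi
    done
    return "$found"
}

# demo DELETE_PATH: constructed tree in which "alice" was deployed earlier
# and only "bob" is still declared; prints the audit result after activation.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/root/etc/ssh/authorized_keys.d" "$t/declared"
    echo 'ssh-ed25519 CONSTRUCTED-KEY-A alice' > "$t/root/etc/ssh/authorized_keys.d/alice"
    echo 'ssh-ed25519 CONSTRUCTED-KEY-B bob' > "$t/declared/bob"
    activate "$t/root" "$t/declared" "$1"
    rc=0
    stale_keys "$t/root/etc/ssh/authorized_keys.d" "$t/declared" || rc=$?
    rm -rf "$t"
    return "$rc"
}

demo /etc/authorized_keys.d || echo 'stale keys remain authorized'
demo /etc/ssh/authorized_keys.d && echo 'deployed keys match the declaration'
```

On a real system the two arguments to stale_keys would be /etc/ssh/authorized_keys.d and the store directory computed by ‘authorized-key-directory’.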




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 24 Jun 2022 11:24:07 GMT)

This bug report was last modified 2 years and 361 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.