From: Ludovic Courtès
To: bug-guix@gnu.org
Subject: bug#55661: /etc/ssh/authorized_keys.d contains keys that have been removed
Date: Thu, 26 May 2022 17:02:00 +0200
Message-ID: <875ylsfic7.fsf@inria.fr>

In the wake of , I realized that /etc/ssh/authorized_keys.d is stateful:
we copy files from the authorized-key directory there, but files already
present remain.  IOW, keys remain authorized.

Why are we copying that directory instead of making a symlink to the
directory computed by ‘authorized-key-directory’ that’s in /gnu/store?
This is explained in ‘openssh-activation’:

  ;; 'sshd' complains if the authorized-key directory and its parents
  ;; are group-writable, which rules out /gnu/store.  Thus we copy the
  ;; authorized-key directory to /etc.

Anyway, that code does intend to remove the directory before copying it,
but there’s a typo:

  (delete-file-recursively "/etc/authorized_keys.d")

Can you spot it?

Ludo’.

From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #55661
Date: Thu, 26 May 2022 17:05:38 +0200
Message-Id: <87zgj4e3lp.fsf@gnu.org>

tags 55661 + security
quit

From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #55661
Date: Thu, 26 May 2022 17:05:44 +0200
Message-Id: <87y1yoe3lj.fsf@gnu.org>

severity 55661 important
quit

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Ludovic Courtès
Subject: bug#55661: closed (Re: bug#55661: /etc/ssh/authorized_keys.d contains keys that have been removed)
Date: Thu, 26 May 2022 15:21:03 +0000

Your bug report

#55661: /etc/ssh/authorized_keys.d contains keys that have been removed

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 55661@debbugs.gnu.org.

-- 
55661: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=55661
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: 55661-done@debbugs.gnu.org
Subject: Re: bug#55661: /etc/ssh/authorized_keys.d contains keys that have been removed
Date: Thu, 26 May 2022 17:20:34 +0200
Message-ID: <87tu9ce2wt.fsf@gnu.org>
In-Reply-To: <875ylsfic7.fsf@inria.fr>

Ludovic Courtès skribis:

> Anyway, that code does intend to remove the directory before copying it,
> but there’s a typo:
>
>   (delete-file-recursively "/etc/authorized_keys.d")

Fixed in 4577f3c6b60ea100e521c246fb169d6c05214b20.

Ludo'.
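
The stale-key effect described in this report, reproduced under a scratch directory as an added example (not code from Guix or from the thread). The `activate`, `stale_keys` and `run_scenario` helpers and the sample key files are constructed, and the corrected delete path is assumed to be the `/etc/ssh/authorized_keys.d` directory named in the bug title.

```shell
#!/bin/sh
# Constructed model of the activation step described in the report.
# Everything happens under a mktemp scratch root, never the real /etc.

# activate ROOT DECLARED DELETE_PATH: remove ROOT/DELETE_PATH, then copy the
# declared key files into ROOT/etc/ssh/authorized_keys.d.
activate() {
    root=$1 declared=$2 delete_path=$3
    rm -rf "$root$delete_path"
    mkdir -p "$root/etc/ssh/authorized_keys.d"
    cp "$declared"/* "$root/etc/ssh/authorized_keys.d/"
}

# stale_keys DECLARED DEPLOYED: print names of files still present in
# DEPLOYED that the current declaration no longer contains.
stale_keys() {
    declared=$1 deployed=$2
    for f in "$deployed"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if [ ! -e "$declared/$name" ]; then
            echo "$name"
        fi
    done
}

# run_scenario DELETE_PATH: authorize alice and bob, reconfigure with alice
# only, then report which key files are still deployed but undeclared.
# File names and key strings are constructed sample data.
run_scenario() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/gen1" "$tmp/gen2"
    echo "ssh-ed25519 CONSTRUCTED-KEY-ALICE" > "$tmp/gen1/alice"
    echo "ssh-ed25519 CONSTRUCTED-KEY-BOB" > "$tmp/gen1/bob"
    cp "$tmp/gen1/alice" "$tmp/gen2/alice"
    activate "$tmp/root" "$tmp/gen1" "$1"
    activate "$tmp/root" "$tmp/gen2" "$1"
    stale_keys "$tmp/gen2" "$tmp/root/etc/ssh/authorized_keys.d"
    rm -rf "$tmp"
}

echo "delete path from the report: stale = $(run_scenario /etc/authorized_keys.d)"
echo "assumed intended path:       stale = $(run_scenario /etc/ssh/authorized_keys.d)"
```

Pointing `stale_keys` at the declared key directory and at the deployed `/etc/ssh/authorized_keys.d` of a system that ran the affected activation code lists key files that are still honoured by sshd although they were removed from the configuration.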