GNU bug report logs - #55661
/etc/ssh/authorized_keys.d contains keys that have been removed

Package: guix

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Thu, 26 May 2022 15:03:01 UTC

Severity: important

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Subject: bug#55661: closed (Re: bug#55661: /etc/ssh/authorized_keys.d
 contains keys that have been removed)
Date: Thu, 26 May 2022 15:21:03 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#55661: /etc/ssh/authorized_keys.d contains keys that have been removed

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 55661 <at> debbugs.gnu.org.

-- 
55661: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=55661
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: 55661-done <at> debbugs.gnu.org
Subject: Re: bug#55661: /etc/ssh/authorized_keys.d contains keys that have
 been removed
Date: Thu, 26 May 2022 17:20:34 +0200
Ludovic Courtès <ludo <at> gnu.org> wrote:

> Anyway, that code does intend to remove the directory before copying it,
> but there’s a typo:
>
>   (delete-file-recursively "/etc/authorized_keys.d")

Fixed in 4577f3c6b60ea100e521c246fb169d6c05214b20.

Ludo'.

[Message part 3 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: /etc/ssh/authorized_keys.d contains keys that have been removed
Date: Thu, 26 May 2022 17:02:00 +0200
In the wake of <https://issues.guix.gnu.org/55359#3>, I realized that
/etc/ssh/authorized_keys.d is stateful: we copy files from the
authorized-key directory there, but files already present remain.
IOW, keys remain authorized.

Why are we copying that directory instead of making a symlink to the
directory computed by ‘authorized-key-directory’ that’s in /gnu/store?

This is explained in ‘openssh-activation’:

        ;; 'sshd' complains if the authorized-key directory and its parents
        ;; are group-writable, which rules out /gnu/store.  Thus we copy the
        ;; authorized-key directory to /etc.

Anyway, that code does intend to remove the directory before copying it,
but there’s a typo:

  (delete-file-recursively "/etc/authorized_keys.d")

Can you spot it?

Ludo’.
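
The failure mode reported above, reproduced in a throwaway directory as an added example (this is not Guix's activation code and not part of the original messages). The function names `stale_keys`, `deploy_keys` and `run_case`, the user names and the key contents are constructed for illustration; it shows that deleting a path other than the one copied into leaves a removed key in place, and how comparing the live directory with the intended source lists such leftovers.

```shell
#!/bin/sh
# Added example: everything runs under a temporary root, never the real /etc.

# stale_keys SRC DST: print the names of files present in DST but absent
# from SRC, i.e. keys still authorized although no longer configured.
# (Dotfiles are not matched by the glob and are ignored.)
stale_keys() {
    src=$1 dst=$2
    [ -d "$dst" ] || return 0
    for f in "$dst"/*; do
        [ -e "$f" ] || continue          # empty directory: glob did not match
        name=${f##*/}
        [ -e "$src/$name" ] || printf '%s\n' "$name"
    done
}

# deploy_keys SRC DST DEL: model of "delete, then copy". DEL is the path
# that gets removed first; when DEL differs from DST, old files survive.
deploy_keys() {
    src=$1 dst=$2 del=$3
    rm -rf -- "$del"
    mkdir -p -- "$dst"
    cp -R -- "$src"/. "$dst"/
}

# run_case REL_DEL: constructed scenario. alice and bob are deployed, the
# new configuration lists only alice, and REL_DEL (relative to the temporary
# root) is the path the deployment deletes. Prints the stale key names.
run_case() {
    root=$(mktemp -d) || return 1
    live=$root/etc/ssh/authorized_keys.d
    mkdir -p "$live" "$root/new"
    echo 'ssh-ed25519 CONSTRUCTED-KEY-A alice' > "$live/alice"
    echo 'ssh-ed25519 CONSTRUCTED-KEY-B bob'   > "$live/bob"
    cp "$live/alice" "$root/new/alice"   # bob was removed from the config
    deploy_keys "$root/new" "$live" "$root/$1"
    stale_keys "$root/new" "$live"
    rm -rf -- "$root"
}

echo "delete path as in the report -> stale: $(run_case etc/authorized_keys.d)"
echo "delete path = copied directory -> stale: $(run_case etc/ssh/authorized_keys.d)"
```

On a deployed system, `stale_keys` can be pointed at the intended key directory and the live `/etc/ssh/authorized_keys.d` to list entries that should no longer grant access.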



This bug report was last modified 2 years and 361 days ago.
