GNU bug report logs -
#55661
/etc/ssh/authorized_keys.d contains keys that have been removed
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Thu, 26 May 2022 15:03:01 UTC
Severity: important
Tags: security
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
In the wake of <https://issues.guix.gnu.org/55359#3>, I realized that
/etc/ssh/authorized_keys.d is stateful: we copy files from the
authorized-key directory there, but files already present remain.
IOW, keys remain authorized.
Why are we copying that directory instead of making a symlink to the
directory computed by ‘authorized-key-directory’ that’s in /gnu/store?
This is explained in ‘openssh-activation’:
;; 'sshd' complains if the authorized-key directory and its parents
;; are group-writable, which rules out /gnu/store. Thus we copy the
;; authorized-key directory to /etc.
Anyway, that code does intend remove the directory before copying it,
but there’s a typo:
(delete-file-recursively "/etc/authorized_keys.d")
Can you spot it?
Ludo’.
This bug report was last modified 2 years and 361 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.