profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts #6309

Merged
merged 1 commit into from
Apr 20, 2024
@tools200ms (Contributor) commented Apr 12, 2024

Fixes #6308.

@kmk3 changed the title from "Added line: "noblacklist /etc/ssh/ssh_revoked_hosts"" to "profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts" on Apr 12, 2024
@kmk3 (Collaborator) left a comment

@tools200ms on Apr 12:

> ssh in firejail fails to establish connection throwing the following message:
>
>     Error checking host key <key removed> in revoked keys file /etc/ssh/ssh_revoked_hosts: Permission denied
>     Host key verification failed.

I don't have this path on my system (openssh 9.7p1-1 on Artix) and I did not
find it on any ssh man pages, only RevokedHostKeys on ssh_config(5) and
RevokedKeys on sshd_config(5).

Where does this specific path come from?

It does not seem to be standardized; I found mentions of other similar paths:

  • /etc/ssh/revoked_host_keys
  • /etc/ssh/revoked_keys
  • /etc/ssh/ssh_revoked_hosts
  • /etc/ssh/sshd_revoked_keys

@tools200ms (Contributor, Author) commented:

@kmk3
It's from Gentoo net-misc/openssh package (9.6_p1-r3)

@tools200ms (Contributor, Author) commented:

I didn't find /etc/ssh/*revoked* elsewhere. Shouldn't there be a comment that /etc/ssh/ssh_revoked_hosts is a Gentoo specific file?

@kmk3 (Collaborator) commented Apr 13, 2024

> It's from Gentoo net-misc/openssh package (9.6_p1-r3)

Can you amend the commit message to add that detail?

If not I can add it later.

> I didn't find /etc/ssh/*revoked* elsewhere. Shouldn't there be a comment
> that /etc/ssh/ssh_revoked_hosts is a Gentoo specific file?

Sure, something like this would work:

noblacklist /etc/ssh/ssh_revoked_hosts # RevokedHostKeys on Gentoo

The path is used in the Gentoo net-misc/openssh package (9.6_p1-r3).

Fixes #6308.
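
An added example, not part of the pull request or of firejail: a shell check that extracts the RevokedHostKeys path from ssh_config-style text and reports it when a profile has no matching noblacklist line, the condition behind the "Permission denied" error in this thread. The function names, the sample ssh_config and both sample profiles are constructed, and only exact paths are compared.

```shell
#!/bin/sh
# Added example (not firejail code). Sample inputs below are constructed.

# revoked_paths CONFIG: print every RevokedHostKeys value in ssh_config-style
# text. Keywords are case-insensitive; "=" and double quotes are accepted.
revoked_paths() {
    awk '{
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line ~ /^#/ || !match(line, /[ \t=]/)) next
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        gsub(/^"|"$/, "", val)
        if (key == "revokedhostkeys" && val != "") print val
    }' "$1"
}

# missing_noblacklist CONFIG PROFILE: print the paths that have no exact
# "noblacklist <path>" line in PROFILE (a trailing "# comment" is ignored).
# Assumption: globs and macros in the profile are not expanded.
missing_noblacklist() {
    revoked_paths "$1" | while IFS= read -r path; do
        if ! sed 's/[[:space:]]*#.*$//' "$2" | grep -qxF "noblacklist $path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed inputs: a client config using the path from this thread, and a
# profile fragment before and after the noblacklist line is added.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssh_config" <<'EOF'
Host *
    RevokedHostKeys /etc/ssh/ssh_revoked_hosts
EOF
printf '%s\n' 'noblacklist /etc/ssh/ssh_config' > "$demo_dir/before.inc"
cat > "$demo_dir/after.inc" <<'EOF'
noblacklist /etc/ssh/ssh_config
noblacklist /etc/ssh/ssh_revoked_hosts # RevokedHostKeys on Gentoo
EOF
echo "before: $(missing_noblacklist "$demo_dir/ssh_config" "$demo_dir/before.inc")"
echo "after:  $(missing_noblacklist "$demo_dir/ssh_config" "$demo_dir/after.inc")"
```

On a real system the first argument can be the saved output of `ssh -G <host>`, which prints the effective client configuration with lowercase keywords.
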
@glitsj16 merged commit 3736925 into netblue30:master on Apr 20, 2024
3 checks passed
@kmk3 added a commit that referenced this pull request on Apr 25, 2024
@kmk3 added the bugfix (This fixes a bug) label on Dec 29, 2024
Successfully merging this pull request may close these issues.

ssh: failure because it cannot access /etc/ssh/ssh_revoked_hosts