Merge pull request #2724 from immarvin/onissue

fix issue Wrong permissions for ssh host private keys on CentOS 7 #2617

xCAT-server/sbin/xcatconfig

@@ -969,6 +969,10 @@ sub genSSHNodeHostKey
     #
     # generate new hostkeys
     #
+
+    my ($rlogin,$rpass,$ruid,$rgid) = getpwnam("root");
+    my ($sname, $spasswd,$sgid,$smembers)=getgrnam("ssh_keys");
+    my @sshkeylist;
     xCAT::MsgUtils->message('I', "Generating new node hostkeys...");
     xCAT::MsgUtils->message('I', "Generating SSH2 RSA Key...");
     my $cmd =
@@ -978,6 +982,10 @@ sub genSSHNodeHostKey
     {
         xCAT::MsgUtils->message('E', "Could not generate SSH2 RSA key.");
     }
+    else{
+        push @sshkeylist,"/etc/xcat/hostkeys/ssh_host_rsa_key";
+    }
+
 
     xCAT::MsgUtils->message('I', "Generating SSH2 DSA Key...");
     $cmd =
@@ -987,6 +995,9 @@ sub genSSHNodeHostKey
     {
         xCAT::MsgUtils->message('E', "Could not generate SSH2 DSA key.");
     }
+    else{
+        push @sshkeylist,"/etc/xcat/hostkeys/ssh_host_dsa_key";
+    }
 
     # see if this system supports the ecdsa
     xCAT::Utils->runcmd('rm -rf /tmp/ecdsa_key >/dev/null 2>&1 ; /usr/bin/ssh-keygen -t ecdsa -f /tmp/ecdsa_key  -P "" &>/dev/null', 0);
@@ -999,8 +1010,17 @@ sub genSSHNodeHostKey
         {
             xCAT::MsgUtils->message('E', "Could not generate SSH2 ECDSA key.");
         }
+	else{
+            push @sshkeylist,"/etc/xcat/hostkeys/ssh_host_ecdsa_key";
+	}
     }
 
+    if(@sshkeylist){
+        if(defined $ruid && defined $sgid){
+            chown $ruid,$sgid,@sshkeylist;
+        }
+        chmod 0640,@sshkeylist;
+    }
 
     # copy the public keys to install directory
     $cmd =

xCAT/postscripts/remoteshell

@@ -149,7 +149,8 @@ if [ $? -ne 0 ]; then
                 getcredentials.awk ssh_dsa_hostkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /etc/ssh/ssh_host_dsa_key
                 MYCONT=`cat /etc/ssh/ssh_host_dsa_key`
    done
-   chmod 600 /etc/ssh/ssh_host_dsa_key
+   chown root:ssh_keys /etc/ssh/ssh_host_dsa_key
+   chmod 640 /etc/ssh/ssh_host_dsa_key
    if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_dsa_key > /dev/null 2>&1 ; then
         rm /etc/ssh/ssh_host_dsa_key
 	else
@@ -215,13 +216,14 @@ if [ $? -ne 0 ]; then
     		getcredentials.awk ssh_rsa_hostkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /etc/ssh/ssh_host_rsa_key
     		MYCONT=`cat /etc/ssh/ssh_host_rsa_key`
 	done
-	chmod 600 /etc/ssh/ssh_host_rsa_key
+        chown root:ssh_keys /etc/ssh/ssh_host_rsa_key
+        chmod 640 /etc/ssh/ssh_host_rsa_key
 	if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_rsa_key > /dev/null 2>&1 ; then
    		rm /etc/ssh/ssh_host_rsa_key
 	else
 		ssh-keygen -y -f /etc/ssh/ssh_host_rsa_key > /etc/ssh/ssh_host_rsa_key.pub
-		chmod 644 /etc/ssh/ssh_host_rsa_key.pub
-		chown root /etc/ssh/ssh_host_rsa_key.pub
+                chmod 644 /etc/ssh/ssh_host_rsa_key.pub
+                chown root /etc/ssh/ssh_host_rsa_key.pub
 	fi
 else
 	#This is an error message
@@ -286,7 +288,8 @@ if ssh-keygen -t ecdsa -f /tmp/ecdsa_key -P "" &>/dev/null ; then
     		getcredentials.awk ssh_ecdsa_hostkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /etc/ssh/ssh_host_ecdsa_key
     		MYCONT=`cat /etc/ssh/ssh_host_ecdsa_key`
 	done
-	chmod 600 /etc/ssh/ssh_host_ecdsa_key
+	chown root:ssh_keys /etc/ssh/ssh_host_ecdsa_key
+	chmod 640 /etc/ssh/ssh_host_ecdsa_key
 	if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_ecdsa_key > /dev/null 2>&1 ; then
    		rm /etc/ssh/ssh_host_ecdsa_key
 	else