From cf4b9cfd42abd17247821fbad9aed0613a1b2c07 Mon Sep 17 00:00:00 2001
From: Khem Raj
Date: Fri, 11 Oct 2024 12:42:51 -0700
Subject: [PATCH] openssh: Be more restrictive on private key file permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sometimes default permissions on filesystems can be more permissive e.g. 0644, this can make the private key file created here to inherit those permissions and these permissions can then cause ssh server to not allow ssh connections due to non-secure permissions on file.
Reported-by: Jean-Michel Papy
(From OE-Core rev: 5c9f456cc39ca25123249ecb32b311736bd4e1f8)
Signed-off-by: Khem Raj
Cc: Jörg Sommer
Signed-off-by: Richard Purdie
---
 meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index 606d1894b5..bbb6a14908 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -8,7 +8,7 @@ generate_key() {
 mkdir -p "$DIR"
 rm -f ${FILE}.tmp
 ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
-
+ chmod go-rwx "$FILE.tmp"
 # Atomically rename file public key
 mv -f "${FILE}.tmp.pub" "${FILE}.pub"
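Review bot: The private key is still created before its mode is tightened: the added `chmod go-rwx "$FILE.tmp"` runs after ssh-keygen has written the file and its exit status is not checked, so in the permissive-default case the commit message describes, the key is readable by group/other for a short window, and a failed chmod would not stop the rename steps that follow. Creating the file under a restrictive mask avoids both: `( umask 077; ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE )`, then `chmod go-rwx "${FILE}.tmp" || return 1` (or whatever failure path the function already uses). With that mask the `.pub` file is also created owner-only, so restore its read bits before the `mv` if other tools are expected to read it. The new line writes `"$FILE.tmp"` where the surrounding lines use `"${FILE}.tmp"`; matching them keeps the function consistent. generate_key starts and ends outside the hunk, so whether a later step already verifies the mode is not visible here.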