This article applies to BoKS Manager 7.0.0 and BoKS Manager 6.7.x.

Description
When managing (adding or removing) SSH public keys for users, the file permissions on the authorized_keys file are unconditionally changed to mode 0644, making it world readable. Although the file content is not sensitive (it holds public keys only), mode 0600 is the recommended setting. More importantly, unconditionally resetting the mode also silently "repairs" a file that had been group or world writable, hiding the fact that any user able to write to it could have inserted a key of their own.

Resolution / Workaround

To resolve this issue, download and apply HFBM-0176 (if running BoKS Manager 6.7.x) or HFBM-0177 (if running BoKS Manager 7.0), available for download from the HelpSystems Community Portal.

With the hotfix applied, the authorized_keys file is created with mode 0600. If the file already exists when a key is added or removed, its owner, group and permissions are left unchanged. In addition, the elements of the path to the authorized_keys file are checked for security problems, similar to the checks sshd(8) performs when StrictModes is enabled. If the file is located under the user's home directory, the elements from the home directory down to the file are checked; otherwise every directory from the root down to the file is checked.

The checks include:

- Each directory, and the file itself, is owned either by the user or by a UID in the range 0 to 3 (root and system accounts).
- Neither the file nor directories are group or world writable.

Any problems found are logged to the BoKS audit log.
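The path checks and the create-versus-update behaviour described above, as an added example that is not HelpSystems' code: a Python walk that applies the same rules (owner is the user or a UID in the range 0 to 3, no group or world write bits, start at the home directory when the file lies under it and at / otherwise) and a helper that creates a missing authorized_keys with mode 0600 but appends to an existing file without touching its owner, group or mode. The function names, the sample key line and the temporary home directory used by demo() are this example's own constructed fixtures; the list of problems returned stands in for the entries the hotfix writes to the BoKS audit log.

```python
import os
import stat
import tempfile

# UIDs accepted as owners of path elements besides the user's own UID
# (the article says "in the range 0 - 3": root and system accounts).
SYSTEM_UIDS = range(0, 4)

# Constructed sample key line; not a real key.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal alice@example"


def path_elements(path: str, home: str) -> list:
    """Directories and file to check, outermost first.

    If the file lies under the user's home directory the walk starts at home
    (so a 1777 /tmp above a test home is not reported); otherwise every
    element from / down to the file is included.
    """
    path = os.path.abspath(path)
    home = os.path.abspath(home)
    start = home if os.path.commonpath([home, path]) == home else "/"
    elements = []
    cur = path
    while True:
        elements.append(cur)
        if cur == start:
            break
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the filesystem root
            break
        cur = parent
    return list(reversed(elements))


def check_path(path: str, home: str, user_uid: int) -> list:
    """Return one message per offending element; an empty list means the path is clean."""
    problems = []
    for element in path_elements(path, home):
        try:
            st = os.stat(element)  # follows symlinks, as sshd's StrictModes check does
        except OSError as exc:
            problems.append(f"{element}: cannot stat ({exc.strerror})")
            continue
        if st.st_uid != user_uid and st.st_uid not in SYSTEM_UIDS:
            problems.append(f"{element}: owned by uid {st.st_uid}, not the user or a system account")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{element}: group or world writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def add_key(path: str, pubkey_line: str) -> int:
    """Append a key line; create the file as 0600 if missing, never chmod an existing file.

    Returns the file's permission bits after the write.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.fchmod(fd, 0o600)  # a permissive umask must not widen a brand-new file
    except FileExistsError:
        fd = os.open(path, os.O_WRONLY | os.O_APPEND)  # existing file: owner, group, mode untouched
    with os.fdopen(fd, "a") as fh:
        fh.write(pubkey_line.rstrip("\n") + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Exercise the checks in a throw-away home directory (constructed fixture)."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as home:  # mkdtemp creates the directory 0700
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        keyfile = os.path.join(ssh_dir, "authorized_keys")
        results["created_mode"] = add_key(keyfile, SAMPLE_KEY)      # new file -> 0600
        results["clean"] = check_path(keyfile, home, uid)           # nothing to report
        os.chmod(ssh_dir, 0o775)   # group-writable .ssh: must be reported
        os.chmod(keyfile, 0o666)   # world-writable file: must be reported
        results["writable"] = check_path(keyfile, home, uid)
        results["mode_after_update"] = add_key(keyfile, SAMPLE_KEY)  # existing file keeps 0666
        with open(keyfile) as fh:
            results["lines"] = sum(1 for _ in fh)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value if not isinstance(value, int) else oct(value)}")
```

Running the module prints the outcome of demo(): the freshly created file is 0600, the clean layout produces no messages, the deliberately loosened .ssh directory and file each produce one, and the second add_key() leaves the existing 0666 mode in place rather than silently narrowing it, which is exactly the evidence an administrator wants preserved in the audit log.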


Last Modified On: May 25, 2018