Closed mrzarquon closed 2 years ago
Before this fix it was possible to deploy a server but not be able to connect to it, due to ssh ignoring the CA file due to invalid permissions.
The file is being created via the tee -a, so it inherits the default permission mask, which has group/world read in most instances.
This adds a chmod 600 /etc/ssh/sdm_ca.pub to both templates to ensure the right permissions are enforced.
tl;dr: this enforces the same examples as per your docs - https://www.strongdm.com/docs/admin-ui-guide/infrastructure-management/servers/ssh-certificate-auth
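The permission behaviour described in this pull request, as an added example that is not part of the pull request or the project's templates: it writes a key with tee -a under a typical 022 mask, then applies the chmod 600 step, and also shows a umask variant. The temporary paths stand in for /etc/ssh/sdm_ca.pub, the key string is a constructed placeholder, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example. Temporary files stand in for /etc/ssh/sdm_ca.pub.
# Constructed placeholder, not a real CA public key.
SAMPLE_CA='ssh-rsa AAAAEXAMPLEPLACEHOLDER constructed-sample-ca'

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Before the fix: tee -a creates the file, so the umask decides its mode.
write_ca_before_fix() {
    ( umask 022; printf '%s\n' "$SAMPLE_CA" | tee -a "$1" >/dev/null )
}

# With the fix: same write, then the explicit chmod 600 from the PR.
write_ca_with_fix() {
    write_ca_before_fix "$1" && chmod 600 "$1"
}

# Variant (assumption, not in the PR): tighten the umask in a subshell so a
# newly created file is never group/world readable, even briefly. This only
# affects creation; an existing file with a wider mode still needs chmod.
write_ca_umask() {
    ( umask 077; printf '%s\n' "$SAMPLE_CA" | tee -a "$1" >/dev/null )
}

# Post-provisioning check: succeeds only when the mode is exactly 600.
ca_mode_ok() {
    [ "$(file_mode "$1")" = "600" ]
}

# Run all three writes and print the resulting modes on one line.
demo() {
    dir=$(mktemp -d) || return 1
    write_ca_before_fix "$dir/before.pub"
    write_ca_with_fix "$dir/fixed.pub"
    write_ca_umask "$dir/umask.pub"
    echo "$(file_mode "$dir/before.pub") $(file_mode "$dir/fixed.pub") $(file_mode "$dir/umask.pub")"
    rm -rf "$dir"
}

demo
```

A check like ca_mode_ok can be run at the end of a provisioning script so a wrong mode fails the deploy instead of surfacing later as a connection problem.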