[Potential Security Issue] Leaking ssh host keys #14

Open
AnixPasBesoin opened this issue Sep 19, 2024 · 2 comments

AnixPasBesoin commented Sep 19, 2024

Issue

By default, ssh host keys provided by the user will be mounted on /tmp/host-keys, as shown in the provided docker-compose template:

...
environment:
# Path where the SSH host keys will be mounted in the container
# in order to replace the default keys
# SSH_HOST_KEYS_PATH: /tmp/host-keys
...

And later on, these files are copied to /etc/ssh/ using:

...
if [ -n "${SSH_HOST_KEYS_PATH-}" ]; then
    if [ -d "${SSH_HOST_KEYS_PATH}" ]; then
        cd /etc/ssh
        rm -rf ssh_host_*
        cp "${SSH_HOST_KEYS_PATH}"/ssh_host_* .
        chmod 600 ssh_host_*
        chmod 644 ssh_host_*.pub
    else
        warn "Directory '${SSH_HOST_KEYS_PATH}' not found."
        warn "Default SSH host keys will be used instead."
    fi
fi
...

The issue with the above is that /tmp can be read by any user, which means that the private host key can be read by non-privileged users...

Fix

  • Use a different default destination, and/or
  • Delete files once copied to /etc/ssh
@rockstorm101
Owner

Hi, good point. I'll have a look at it. Thanks a lot for reporting this!

@rockstorm101
Owner

Hi @AnixPasBesoin, I've been looking at this.

I'm not sure how to handle this really. The user must and will mount their host keys wherever they want. I did a test and the private keys are generated already only readable by their owner (UID 1000 in the case shown below). When copied to /etc/ssh they are purposely made read-only by the root user. And both directories /tmp/host-keys and /etc/ssh are accessible for any user. In this test case, the git user had UID 1005, which means it would not be able to read the private key in either of the two places. Correct me if I'm wrong, but I think only the git user (apart from root) would be able to log onto this image, so there would be no security issue in this case. If the creator of the private keys and the git user happen to have the same UID, then yes, I guess the git user would be able to read it.

# ls -al /tmp/host-keys
[...]
drwxr-xr-x    2 1000     1000          4096 Aug 26  2022 .
-rw-------    1 1000     1000          2602 Apr 18  2022 ssh_host_rsa_key
-rw-r--r--    1 1000     1000           571 Apr 18  2022 ssh_host_rsa_key.pub
# ls -al /etc/ssh/
[...]
drwxr-xr-x    1 root     root          4096 Oct  5 12:32 .
-rw-------    1 root     root          2602 Oct  5 12:32 ssh_host_rsa_key
-rw-r--r--    1 root     root           571 Oct  5 12:32 ssh_host_rsa_key.pub
# cat /etc/passwd | grep git
git:x:1005:1005:Git User:/home/git:/usr/bin/git-shell

  • Use a different default destination, and/or

We could suggest to mount the keys somewhere more obfuscated but the user is free to mount them anywhere really.

  • Delete files once copied to /etc/ssh

Not an option since that would remove the original files from the host too.

I'm really out of ideas here so if you have any suggestions please let me know.
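The two conditions rockstorm101 walks through above (a private key readable beyond its owner, and a key owner whose UID collides with the unprivileged git user) can be turned into a pre-start audit. This is an added example, not the project's entrypoint code; it assumes a GNU or busybox `stat`, and the key files and the service UID 1005 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the project's code): audit a host-key directory for the
# two exposure conditions discussed in this thread. A private key is flagged if
#   1. its mode grants any group/other permission (e.g. 644 instead of 600), or
#   2. it is owned by the same non-root UID as the unprivileged service account
#      (the "git user has the same UID as the key creator" case).
# Usage: check_host_keys DIR SERVICE_UID  -> returns 0 if clean, 1 if flagged.
check_host_keys() {
    dir=$1
    svc_uid=$2
    flagged=0
    for key in "$dir"/ssh_host_*; do
        [ -f "$key" ] || continue              # unmatched glob or missing dir
        case "$key" in *.pub) continue ;; esac # public halves are meant to be 644
        mode=$(stat -c '%a' "$key")            # octal mode, e.g. 600 (GNU/busybox stat)
        owner=$(stat -c '%u' "$key")           # numeric owner UID
        case "$mode" in
            *00) ;;                            # group and other have no bits at all
            *)   echo "WARN $key: mode $mode is readable beyond the owner" >&2
                 flagged=1 ;;
        esac
        if [ "$owner" -ne 0 ] && [ "$owner" -eq "$svc_uid" ]; then
            echo "WARN $key: owned by UID $owner, same as the service account" >&2
            flagged=1
        fi
    done
    return "$flagged"
}

# Constructed demo: a staging directory like /tmp/host-keys with one bad key.
demo_dir=$(mktemp -d)
printf 'constructed private key\n' > "$demo_dir/ssh_host_rsa_key"
printf 'constructed public key\n'  > "$demo_dir/ssh_host_rsa_key.pub"
chmod 600 "$demo_dir/ssh_host_rsa_key"
chmod 644 "$demo_dir/ssh_host_rsa_key.pub"
printf 'constructed private key\n' > "$demo_dir/ssh_host_ed25519_key"
chmod 644 "$demo_dir/ssh_host_ed25519_key"   # the mistake the audit should catch
check_host_keys "$demo_dir" 1005 || echo "host-key audit found problems" >&2
```

Running this against the mounted directory before the `cp` into /etc/ssh makes the UID-collision case visible instead of silent.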
