hi!

> However, using stock initramfs-tools, the keys then get placed into a
> world-readable initramfs, allowing any account on the server to
> extract the host keys directly:

you're right.
but this is actually not an issue of the dropbear package. building the 
initramfs is done with update-initramfs which uses mkinitramfs, both are part 
of initramfs-tools.
so i guess this bug report should be moved to the package initramfs-tools.
i know this can be done, but i haven't done that yet (and i'm not sure whether 
this can only be done by package maintainers) and i guess having somebody who 
knows what he's doing actually doing this is to be preferred... :)

if i got that right, possible straightforward solutions would be preferably to change 
'umask 0022' in line 3 of /usr/sbin/mkinitramfs to 'umask 0077', or to add 'chmod 600 
"${outfile}"' before the last if-block in /usr/sbin/mkinitramfs if the umask 
shouldn't be changed for other reasons.

regards,

        Chris
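
The effect of the two umask values discussed in this message, and a check for images that are still group- or world-readable, as an added example that is not part of the original message or of initramfs-tools. `make_image` is a hypothetical stand-in for mkinitramfs writing its output file, the sample files are constructed in a temporary directory, and GNU or busybox `stat -c` is assumed.

```shell
#!/bin/sh
# mode_of FILE: print the octal permission bits of FILE (assumes `stat -c`).
mode_of() {
    stat -c '%a' "$1"
}

# make_image UMASK OUTFILE: hypothetical stand-in for mkinitramfs creating
# its output under the given umask. Runs in a subshell so the umask does
# not leak into the caller.
make_image() (
    umask "$1"
    rm -f "$2"
    printf 'constructed sample image\n' > "$2"
)

# exposed_images DIR: print each initrd.img-* in DIR that group or others
# can read (read bit set in either of the last two octal digits).
exposed_images() {
    for img in "$1"/initrd.img-*; do
        [ -f "$img" ] || continue
        case "$(mode_of "$img")" in
            *[4-7]?|*[4-7]) echo "$img" ;;
        esac
    done
}

# harden_images DIR: apply the chmod 600 fallback to every exposed image.
harden_images() {
    exposed_images "$1" | while IFS= read -r img; do
        chmod 600 "$img"
    done
}

demo() {
    d=$(mktemp -d) || return 1
    make_image 0022 "$d/initrd.img-old"   # stock umask
    make_image 0077 "$d/initrd.img-new"   # proposed umask
    echo "umask 0022 -> mode $(mode_of "$d/initrd.img-old")"
    echo "umask 0077 -> mode $(mode_of "$d/initrd.img-new")"
    echo "exposed before chmod: $(exposed_images "$d")"
    harden_images "$d"
    echo "exposed after chmod: $(exposed_images "$d")"
    rm -rf "$d"
}
demo
```

Pointing `exposed_images` at `/boot` lists existing images that were built before either change and still need their mode tightened.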


