preseed_base: chmod ssh host private keys to placate sshd

Otherwise:
  Could not load host key: /etc/ssh/ssh_host_ecdsa_key
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
  It is recommended that your private key files are NOT accessible by others.
  This private key will be ignored.
  key_load_private: bad permissions
  Could not load host key: /etc/ssh/ssh_host_ed25519_key

This seems to start happening with stretch.  Presumably stretch is
more annoyingly picky than jessie.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff --git a/Osstest/Debian.pm b/Osstest/Debian.pm
index aff5acd515cd552febff25519126e3661a59cf9b..d76dd03d352550285cb11aa5b6ab2063cbb13bb3 100644 (file)
--- a/Osstest/Debian.pm
+++ b/Osstest/Debian.pm
@@ -871,6 +871,14 @@ END
        preseed_hook_overlay($ho, $sfx, $srcdir, $tfilename);
     });
 
+    # Host private keys in the overlays have to be group-readable
+    # at least, or no-one can use them.  But ssh is very fussy.
+    preseed_hook_command($ho, 'late_command', $sfx, <<END);
+#!/bin/sh
+set -ex
+chmod 600 /target/etc/ssh/ssh_host_*_key ||:
+END
+
     my $preseed = <<"END";
 d-i debian-installer/locale string en_GB
 d-i console-keymaps-at/keymap select gb