Thanks for the bug report Evgeny and for the initial investigation, Lena. The following commit "fixes" the issue:

commit f2d84f1b3fa68d77c99238d4c645d0266fae2a74
Author:     d...@openbsd.org <d...@openbsd.org>
AuthorDate: Wed May 13 09:55:57 2020 +0000
Commit:     Damien Miller <d...@mindrot.org>
CommitDate: Wed May 27 10:09:19 2020 +1000

I say "fixes" because it doesn't do exactly what Evgeny is asking in the bug description; that is, it doesn't make ssh-keygen preserve *all* of the permission bits. Instead, with the commit above applied we see that ssh-keygen in Focal/Bionic starts behaving exactly like what we see in Impish/Jammy, and the group/all *read* permissions are preserved, but not the (e.g.) execute permission. We can see that in the output that Lena pasted.

Either way, preserving the "read" permission bits for group/all and dropping everything else is done on purpose, as can be seen in this excerpt (from ssh-keygen.c:do_known_hosts):

    ...
    fchmod(fd, sb.st_mode & 0644);
    ...

I have already backported & tested the patch on Bionic, and it works. I will start filing MPs tomorrow.

** Changed in: openssh (Ubuntu Bionic)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)

** Changed in: openssh (Ubuntu Focal)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)

** Changed in: openssh (Ubuntu Bionic)
       Status: Confirmed => Triaged

** Changed in: openssh (Ubuntu Bionic)
       Status: Triaged => In Progress

** Changed in: openssh (Ubuntu Focal)
       Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/1966591

Title:
  ssh-keygen -R changes known_hosts file permissions (mode)
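
The effect of the `sb.st_mode & 0644` mask quoted above can be checked with a small stand-alone program. This is an added example, not code from OpenSSH or from the bug thread; it assumes a temp-file-then-rename rewrite, and the helper names and the `/tmp/kh_demo.XXXXXX` scratch path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L         /* for mkstemp() and fchmod() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not OpenSSH code: replace `path` via temp file + rename.
 * Copying the contents is left out; only the mode handling is shown. */
int rewrite_keep_read_bits(const char *path)
{
    struct stat sb;
    char tmp[4096];
    int fd, ok;

    if (stat(path, &sb) == -1 ||
        snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path) >= (int)sizeof(tmp))
        return -1;
    if ((fd = mkstemp(tmp)) == -1)      /* mkstemp creates the file 0600 */
        return -1;
    /* Mask from the excerpt: keep owner rw and group/other r, drop the rest. */
    ok = fchmod(fd, sb.st_mode & 0644) == 0;
    close(fd);
    if (!ok || rename(tmp, path) == -1 || stat(path, &sb) == -1) {
        unlink(tmp);
        return -1;
    }
    return (int)(sb.st_mode & 07777);   /* permission bits now on `path` */
}

/* Hypothetical driver: create a scratch file with `mode`, rewrite, report. */
int mode_after_rewrite(mode_t mode)
{
    char path[] = "/tmp/kh_demo.XXXXXX";    /* constructed scratch path */
    int fd, ok, result;
    if ((fd = mkstemp(path)) == -1)
        return -1;
    ok = fchmod(fd, mode) == 0;
    close(fd);
    result = ok ? rewrite_keep_read_bits(path) : -1;
    unlink(path);
    return result;
}

int main(void)
{
    mode_t m[] = { 0600, 0644, 0664, 0755 };    /* constructed sample modes */
    for (size_t i = 0; i < sizeof(m) / sizeof(m[0]); i++)
        printf("%04o -> %04o\n", (unsigned)m[i], (unsigned)mode_after_rewrite(m[i]));
    return 0;
}
```

A file that was 0664 or 0755 comes out as 0644, while 0600 and 0640 are unchanged, so group write and all execute bits are never carried over.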