Harden knot sshd host key perms in init container

ssh-keygen sets 0600 on create, but migrated-in keys from another
volume carry 0660 and trip sshd StrictModes with 'no hostkeys
available'. Explicitly chmod each key on every pod start so this
self-heals instead of silently breaking SSH pushes after a restart.

+6
+6
k8s/knot-personal/deployment.yaml
··· 31 31 mkdir -p /home/git/repositories /home/git/data /home/git/sshd-keys 32 32 chown 1000:1000 /home/git/repositories /home/git/data 33 33 chown 0:0 /home/git/sshd-keys 34 + chmod 0700 /home/git/sshd-keys 34 35 for t in rsa ecdsa ed25519; do 35 36 f=/home/git/sshd-keys/ssh_host_${t}_key 36 37 [ -f "$f" ] || ssh-keygen -t "$t" -f "$f" -q -N "" 38 + # sshd StrictModes rejects >0600 on host keys; enforce 39 + # defensively — ssh-keygen sets 0600 on create, but pre- 40 + # existing keys (e.g. migrated from another volume) may 41 + # carry group perms that cause "bad permissions" bailouts. 42 + chmod 0600 "$f" "${f}.pub" 2>/dev/null || true 37 43 done 38 44 volumeMounts: 39 45 - name: data
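
Review bot: In the added `chmod 0600 "$f" "${f}.pub" 2>/dev/null || true` inside the `for t in rsa ecdsa ed25519` loop, the `2>/dev/null || true` hides a failed chmod on the private key as well as a missing `.pub` file, so the init container can exit cleanly while the key still has the group bits this change is meant to remove. Consider splitting the line: `chmod 0600 "$f"` with no suppression, so a failure shows up in the init container log (and fails the container if the script runs under `set -e`, which is not visible in this hunk), and a separate tolerant `chmod 0644 "${f}.pub" 2>/dev/null || true` for the public half, which does not need to be private and may be absent for a migrated key. Also note that `chown 0:0 /home/git/sshd-keys` is not recursive, so migrated key files keep whatever owner they arrived with; a `chown 0:0 "$f"` next to the chmod would make ownership self-heal the same way the mode does.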