From 2b86acd332aac789c02f62e97ada65e8307e34c3 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 17 Feb 2020 11:57:35 +0100
Subject: [PATCH] Correctly report invalid key permissions (#1801459)

---
 openssh-6.6p1-keyperm.patch | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/openssh-6.6p1-keyperm.patch b/openssh-6.6p1-keyperm.patch
index fbe33b0..5e06940 100644
--- a/openssh-6.6p1-keyperm.patch
+++ b/openssh-6.6p1-keyperm.patch
@@ -1,8 +1,7 @@
-diff --git a/authfile.c b/authfile.c
-index e93d867..4fc5b3d 100644
---- a/authfile.c
-+++ b/authfile.c
-@@ -32,6 +32,7 @@
+diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
+--- openssh-8.2p1/authfile.c.keyperm	2020-02-14 01:40:54.000000000 +0100
++++ openssh-8.2p1/authfile.c	2020-02-17 11:55:12.841729758 +0100
+@@ -31,6 +31,7 @@
  
  #include <errno.h>
  #include <fcntl.h>
@@ -10,17 +9,23 @@ index e93d867..4fc5b3d 100644
  #include <stdio.h>
  #include <stdarg.h>
  #include <stdlib.h>
-@@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename)
+@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen
  #ifdef HAVE_CYGWIN
  	if (check_ntsec(filename))
  #endif
-+	if (st.st_mode & 040) {
-+		struct group *gr;
-+
-+		if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
-+			st.st_mode &= ~040;
-+	}
 +
  	if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
++		if (st.st_mode & 040) {
++			struct group *gr;
++
++			if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) {
++				/* The only additional bit is read
++				 * for ssh_keys group, which is fine */
++				if ((st.st_mode & 077) == 040 ) {
++					return 0;
++				}
++			}
++		}
  		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
  		error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
+ 		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");