/etc/pve/priv/authorized_keys date stamp

Apr 26, 2018
I notice on a reboot, such as a kernel update, the date stamps on /etc/pve/priv/authorized_keys and known_hosts change to the time of the file restoration from the database, which occurs when booting.

I understand why this happens, but is there a way to preserve the date stamps? To me this is a security concern, albeit minor. The changed date stamp gives the appearance that somebody has modified the file.

Thanks again. :)
 
I understand why this happens, but is there a way to preserve the date stamps? To me this is a security concern, albeit minor. The changed date stamp gives the appearance that somebody has modified the file.

Not really, also just controlling the access times would not really guarantee you anything, as one can just fake those with something like:
Code:
# ls -l /etc/pve/priv/known_hosts
-rw------- 1 root www-data 1768 Jun 12 06:32 /etc/pve/priv/known_hosts

# touch -d "09 Jun 2019 16:21:42" /etc/pve/priv/known_hosts

# ls -l /etc/pve/priv/known_hosts
-rw------- 1 root www-data 1768 Jun  9 16:21 /etc/pve/priv/known_hosts

If one can modify this root-only modifiable file, one can also "touch" it to the old date it had prior to modification.

There are various other mechanisms for file integrity checking; the simplest is to just save a hash sum of the file somewhere safe and compare it:
Code:
# sha512sum /etc/pve/priv/known_hosts
3bf725c0eed349aec2568768c1ae54f3264c6b95ec32488f94be46d2417453d46059963d60e8d54935698fdbbebc68ccb2c24026b4ace052f0aae72fb1b2824f  /etc/pve/priv/known_hosts
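
The two points in the reply above, combined into one added example that is not part of the original posts: a file whose mtime has been reset still fails a comparison against a saved SHA-512 baseline. `save_baseline`, `check_baseline` and `demo` are hypothetical helper names, and the file is a constructed stand-in in a temporary directory, not the real /etc/pve/priv/known_hosts.

```shell
#!/bin/sh
# Added example: why a hash baseline catches what an mtime check misses.
# Helper names are hypothetical; the sample file content is constructed.

# Record the SHA-512 of FILE ($1) in BASELINE ($2). Keep BASELINE where
# whoever can write FILE cannot reach it (another host, read-only media).
save_baseline() {
    sha512sum "$1" > "$2"
}

# Return 0 if the file named inside BASELINE ($1) still matches, else non-zero.
check_baseline() {
    sha512sum -c "$1" >/dev/null 2>&1
}

# Walk through the scenario on a throwaway copy and report both checks.
demo() {
    dir=$(mktemp -d) || return 2
    f="$dir/known_hosts"                       # constructed stand-in file
    printf 'node1 ssh-rsa AAAAconstructed1\n' > "$f"
    touch -d "2019-06-09 16:21:42" "$f"
    save_baseline "$f" "$dir/baseline.sha512"
    old_mtime=$(stat -c %Y "$f")

    # Content changes, then the date stamp is put back as in the thread.
    printf 'node2 ssh-rsa AAAAconstructed2\n' >> "$f"
    touch -d "2019-06-09 16:21:42" "$f"
    new_mtime=$(stat -c %Y "$f")

    if [ "$old_mtime" = "$new_mtime" ]; then mtime_same=yes; else mtime_same=no; fi
    if check_baseline "$dir/baseline.sha512"; then hash_same=yes; else hash_same=no; fi

    rm -rf "$dir"
    echo "mtime_unchanged=$mtime_same hash_unchanged=$hash_same"
}

demo
```

On a real node the baseline has to be refreshed after every legitimate change, such as adding a cluster member, otherwise the check will flag it.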