Fix

yosuke-wolfssl · yosuke-wolfssl · commit d97cbe8a6609 · 2026-06-11T08:19:19.000+09:00
diff --git a/.github/workflows/paramiko-sftp-test.yml b/.github/workflows/paramiko-sftp-test.yml
@@ -94,8 +94,12 @@ jobs:
           Subsystem sftp internal-sftp
           EOF
           
-          # Set proper permissions for keys
+          # wolfSSHd refuses to load a host key unless it is owned by root or
+          # the daemon's user and is not group or world writable. The daemon is
+          # launched with sudo (euid 0) while the checkout key is owned by the
+          # runner user, so make the key root-owned and 0600.
           chmod 600 ./keys/server-key.pem
+          sudo chown 0:0 ./keys/server-key.pem
           
           # Print debug info
           echo "Contents of sshd_config.txt:"
diff --git a/.github/workflows/sshd-test.yml b/.github/workflows/sshd-test.yml
@@ -107,6 +107,10 @@ jobs:
           sudo apt-get -y install valgrind
           touch sshd_config.txt
           ./configure --enable-all LDFLAGS="-L${{ github.workspace }}/build-dir/lib" CPPFLAGS="-I${{ github.workspace }}/build-dir/include -DWOLFSSH_NO_FPKI -DWOLFSSH_NO_SFTP_TIMEOUT -DWOLFSSH_MAX_SFTP_RW=4000000 -DMAX_PATH_SZ=120" --enable-static --disable-shared && make
+          # wolfSSHd refuses a host key not owned by root or the daemon's user.
+          # The daemon runs under sudo (euid 0), so make the key root-owned. Mode
+          # stays 644 (not group/world writable) so other steps can still read it.
+          sudo chown 0:0 ./keys/server-key.pem
           sudo timeout --preserve-status -s 2 5 valgrind --error-exitcode=1 --leak-check=full ./apps/wolfsshd/wolfsshd -D -f sshd_config -h ./keys/server-key.pem -d -p 22222
 
       # regression test, check that cat command does not hang
@@ -119,6 +123,8 @@ jobs:
           cat ./keys/hansel-*.pub > authorized_keys_test
           sed -i.bak "s/hansel/$USER/" ./authorized_keys_test
           ./configure --enable-all LDFLAGS="-L${{ github.workspace }}/build-dir/lib" CPPFLAGS="-I${{ github.workspace }}/build-dir/include -DWOLFSSH_NO_FPKI -DWOLFSSH_NO_SFTP_TIMEOUT -DWOLFSSH_MAX_SFTP_RW=4000000 -DMAX_PATH_SZ=120" --enable-static --disable-shared && make
+          # Host key must be root-owned for the sudo-launched daemon to load it.
+          sudo chown 0:0 ./keys/server-key.pem
           sudo ./apps/wolfsshd/wolfsshd -f sshd_config.txt -h ./keys/server-key.pem -p 22225
           chmod 600 ./keys/hansel-key-rsa.pem
           tail -c 50000 /dev/urandom > test
diff --git a/.github/workflows/x509-interop.yml b/.github/workflows/x509-interop.yml
@@ -158,6 +158,12 @@ jobs:
       - name: Start wolfSSHd
         working-directory: ./wolfssh/
         run: |
+          # wolfSSHd refuses a trust anchor not owned by root or the daemon's
+          # user. The daemon runs under sudo (euid 0), so make the host key,
+          # host cert, and user CA root-owned. Modes stay non-group/world
+          # writable so other steps can still read them.
+          sudo chown 0:0 ./keys/server-key.pem ./keys/server-cert.pem \
+            ./keys/ca-cert-ecc.pem
           sudo ./apps/wolfsshd/wolfsshd -f sshd_config -d \
             -E $PWD/wolfsshd-log.txt &
           for i in $(seq 1 20); do
