From 654809f126959865398467dcb6562d6227a9d5e0 Mon Sep 17 00:00:00 2001
From: David Myers
Date: Tue, 5 Jan 2021 14:22:45 -0500
Subject: [PATCH] Explicitly set SSH permissions in base.sh (#1927)

---
 files/cloud-init/base.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/files/cloud-init/base.sh b/files/cloud-init/base.sh
index 414a222..9c84e95 100644
--- a/files/cloud-init/base.sh
+++ b/files/cloud-init/base.sh
@@ -1,6 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 set -eux
 
+# shellcheck disable=SC2230
 which sudo || until \
 apt-get update -y && \
 apt-get install sudo -yf --install-suggests; do
@@ -15,9 +16,10 @@ cat </etc/ssh/sshd_config
 {{ lookup('template', 'files/cloud-init/sshd_config') }}
 EOF
 
-test -d /home/algo/.ssh || (umask 077 && sudo -u algo mkdir -p /home/algo/.ssh/)
-echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" | (umask 177 && sudo -u algo tee /home/algo/.ssh/authorized_keys)
+test -d /home/algo/.ssh || sudo -u algo mkdir -m 0700 /home/algo/.ssh
+echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" | (sudo -u algo tee /home/algo/.ssh/authorized_keys && chmod 0600 /home/algo/.ssh/authorized_keys)
 
+# shellcheck disable=SC2015
 dpkg -l sshguard && until apt-get remove -y --purge sshguard; do
 sleep 3
 done || true
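Review bot: With the interpreter switched to `/bin/sh`, the `which sudo` probe still depends on an external, non-POSIX tool and only passes lint because of the added SC2230 suppression. `command -v sudo || until \` is the POSIX builtin form and would make the `# shellcheck disable=SC2230` line unnecessary. The `until` loop body and the rest of base.sh lie outside this hunk, so it is worth confirming that no other bash-only constructs remain now that the script may run under dash.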
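Review bot: The 0700 mode on `/home/algo/.ssh` is applied only when `mkdir -m 0700` actually creates the directory; when `test -d` succeeds, an existing directory keeps whatever mode it already had, so a rerun or a pre-provisioned image is not brought into line with the commit's stated intent. An unconditional `sudo -u algo chmod 0700 /home/algo/.ssh` after that line would enforce the mode in both cases. On the following line, `tee` now creates `authorized_keys` under the ambient umask, and the `chmod 0600` runs as the calling user (presumably root under cloud-init) rather than as `algo`, so a privileged process changes the mode of a path inside a user-owned directory. Writing it as `sudo -u algo chmod 0600 /home/algo/.ssh/authorized_keys` keeps the whole operation within that user's privileges. A short comment saying why the subshell `umask` approach was dropped would help, since the commit message gives no rationale.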