Fix host keys permissions on existing installations

openssh.spec

@@ -20,7 +20,7 @@
 Summary:	OpenSSH free Secure Shell (SSH) implementation
 Name:		openssh
 Version:	7.9p1
-Release:	4
+Release:	5
 License:	BSD
 Group:		Networking/Remote access
 Url:		http://www.openssh.com/
@@ -208,6 +208,18 @@ your host.
 
 %post server
 #!/bin/sh
+# ssh-keygen in ROSA's openssh < 7.9p1 made 640 permissions and OpenSSH server did not start, fix it on exisiting installations
+# we check for '= 640', but '!= 600' to keep custom user modifications
+for i in rsa dsa ecdsa ed25519
+do
+	key_file="/etc/ssh/ssh_host_${i}_key"
+	[ -f "$key_file" ] && [ "$(stat -c "%a" "$key_file")" = '640' ] && \
+	chmod 600 "$key_file" && \
+	FIXED_PERM='1' && \
+	echo "Permissions of SSH host key ${key_file} we incorrect, changed to 600"
+done
+# restarting sshd may break ssh connection, but it did not work with incorrect host keys permissions, so restart it
+[ "$FIXED_PERM" = '1' ] && ( set -x; systemctl restart sshd.service && set +x && echo "OpenSSH server restarted!" )
 %systemd_post sshd.service sshd.socket
 # Don't run sshd-keygen.service here, because otherwise all ISO images will have the same host keys
 # sshd-keygen.service is ran as a part of sshd.service