The ebuild sets the file permission for sshd_config and all files inside sshd_config.d to 0600. This makes it impossible to run backup scripts as a non-root user. IMHO, file permissions 0640 or even 0644 were adequate for pure configuration files. These configuration files should never contain any sensitive information which might infringe the security of the system. The only sensitive information are private key files.

Reproducible: Always

Steps to Reproduce:
1. Emerge (or re-emerge during upgrade) net-misc/openssh

Actual Results:
File permissions for /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/* are set to 0600.

Expected Results:
File permissions for /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/* are set to 0640 or 0644.
I will note that the upstream Makefile installs sshd_config with mode 644. https://github.com/openssh/openssh-portable/blob/V_9_8_P1/Makefile.in#L443
Gentoo has been setting the mode on sshd_config to 0600 since 2002. No explanation was given in the relevant commit. https://gitweb.gentoo.org/archive/repo/gentoo-2.git/commit/?id=a2a04fc358934f38698118da30e326443b79acda
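
The distinction the report draws (configuration files may be readable, private key files may not) can be checked mechanically. The following is an added example, not part of the bug thread or of the Gentoo ebuild: it assumes private host keys follow the ssh_host_*_key naming, and the policy thresholds and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

def classify(path: Path) -> str:
    """Classify by file name (assumed naming: ssh_host_*_key is a private host key)."""
    if path.name.startswith("ssh_host_") and path.name.endswith("_key"):
        return "private_key"
    return "public_key" if path.name.endswith(".pub") else "config"

def audit_ssh_dir(root: Path) -> list[tuple[str, str, str]]:
    """Return (relative path, octal mode, finding) for each file that fails the policy."""
    findings = []
    for path in sorted(root.rglob("*"), key=str):
        if path.is_symlink() or not path.is_file():
            continue
        mode = stat.S_IMODE(path.lstat().st_mode)
        rel = str(path.relative_to(root))
        if classify(path) == "private_key" and mode & 0o077:
            # Private keys: no access at all for group or other.
            findings.append((rel, f"{mode:04o}", "private key accessible to group/other"))
        elif mode & 0o022:
            # Config and public keys: reading is tolerated (0600/0640/0644), writing is not.
            findings.append((rel, f"{mode:04o}", "writable by group/other"))
    return findings

def build_sample_tree(root: Path) -> None:
    """Constructed sample layout with constructed modes; not taken from a real system."""
    (root / "sshd_config.d").mkdir()
    samples = {
        "sshd_config": 0o644,                  # upstream Makefile mode, passes
        "sshd_config.d/50-local.conf": 0o600,  # mode set by the ebuild, passes
        "sshd_config.d/60-extra.conf": 0o664,  # group-writable, flagged
        "ssh_host_ed25519_key": 0o640,         # group-readable private key, flagged
        "ssh_host_ed25519_key.pub": 0o644,
        "ssh_host_rsa_key": 0o600,
    }
    for rel, mode in samples.items():
        target = root / rel
        target.write_text("# constructed sample\n")
        os.chmod(target, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for rel, mode, finding in audit_ssh_dir(Path(tmp)):
            print(f"{mode} {rel}: {finding}")
```

Point audit_ssh_dir at Path("/etc/ssh") to check a real host; it only reads file metadata.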