[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect

2020-01-18 Thread Francis Ginther
** Tags added: id-5e21ca0949c79659969a46bd

-- 
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  New

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all
  supported releases. It is available on all architectures despite only being
  useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature,
  Instance Connect, which allows storing SSH keys for access online in the
  Amazon systems. These SSH keys are then retrieved to be used by the system's
  SSH service, collated with pre-existing keys as deployed on the system.

  Installing the package enables the use of Instance Connect on an
  instance.

  [Security]
  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists of a few shell scripts that are difficult to test by
  themselves due to the high reliance on Amazon's Instance Connect service,
  which is online and limited to use on Amazon instances.

  Given that it's a new package, there are no long-term outstanding bugs in
  Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.

  This package deals with special "hardware"; it is only useful on Amazon
  instances, and its support is required as a default deployment on such
  instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration
  options.

  [Dependencies]
  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers; there
  are no standards violations known.

  [Maintenance]
  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions

___
Mailing list: https://launchpad.net/~cloud-init-dev
Post to : cloud-init-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~cloud-init-dev
More help   : https://help.launchpad.net/ListHelp


[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect

2020-01-17 Thread Francis Ginther
** Tags added: id-5e1e340b6338410899d33213



[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect

2019-07-03 Thread Francis Ginther
** Tags added: id-5cbf801e21a2a0662e2718a9


Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete



[Cloud-init-dev] [Merge] ~fginther/cloud-init:feature/test-cc-ssh into cloud-init:master

2018-08-27 Thread Francis Ginther
Francis Ginther has proposed merging ~fginther/cloud-init:feature/test-cc-ssh 
into cloud-init:master.

Commit message:
Add unit tests for config/cc_ssh.py

These tests focus on the apply_credentials method and the ssh setup for
root and a distro default user.

Requested reviews:
  cloud-init commiters (cloud-init-dev)

For more details, see:
https://code.launchpad.net/~fginther/cloud-init/+git/cloud-init/+merge/353816

This is based on 
https://code.launchpad.net/~fginther/cloud-init/+git/cloud-init/+merge/352053 
with feedback from chad.smith incorporated.

This has successfully built in a PPA for bionic: 
https://launchpad.net/~fginther/+archive/ubuntu/cloud-init-2/+build/15307849
-- 
Your team cloud-init commiters is requested to review the proposed merge of 
~fginther/cloud-init:feature/test-cc-ssh into cloud-init:master.
diff --git a/cloudinit/config/tests/test_ssh.py b/cloudinit/config/tests/test_ssh.py
new file mode 100644
index 000..a7eb9bc
--- /dev/null
+++ b/cloudinit/config/tests/test_ssh.py
@@ -0,0 +1,137 @@
+# This file is part of cloud-init. See LICENSE file for license information.
+
+
+from cloudinit.config import cc_ssh
+from cloudinit.tests.helpers import CiTestCase, mock
+
+MODPATH = "cloudinit.config.cc_ssh."
+
+
+@mock.patch(MODPATH + "ssh_util.setup_user_keys")
+class TestHandleSsh(CiTestCase):
+"""Test cc_ssh handling of ssh config."""
+
+with_logs = True
+
+def test_apply_credentials_with_user(self, m_setup_keys):
+"""Apply keys for the given user and root."""
+keys = ["key1"]
+user = "clouduser"
+options = cc_ssh.DISABLE_ROOT_OPTS
+cc_ssh.apply_credentials(keys, user, False, options)
+self.assertEqual([mock.call(set(keys), user),
+  mock.call(set(keys), "root", options="")],
+ m_setup_keys.call_args_list)
+
+def test_apply_credentials_with_no_user(self, m_setup_keys):
+"""Apply keys for root only."""
+keys = ["key1"]
+user = None
+options = cc_ssh.DISABLE_ROOT_OPTS
+cc_ssh.apply_credentials(keys, user, False, options)
+self.assertEqual([mock.call(set(keys), "root", options="")],
+ m_setup_keys.call_args_list)
+
+def test_apply_credentials_with_user_disable_root(self, m_setup_keys):
+"""Apply keys for the given user and disable root ssh."""
+keys = ["key1"]
+user = "clouduser"
+options = cc_ssh.DISABLE_ROOT_OPTS
+cc_ssh.apply_credentials(keys, user, True, options)
+options = options.replace("$USER", user)
+self.assertEqual([mock.call(set(keys), user),
+  mock.call(set(keys), "root", options=options)],
+ m_setup_keys.call_args_list)
+
+def test_apply_credentials_with_no_user_disable_root(self, m_setup_keys):
+"""Apply keys no user and disable root ssh."""
+keys = ["key1"]
+user = None
+options = cc_ssh.DISABLE_ROOT_OPTS
+cc_ssh.apply_credentials(keys, user, True, options)
+options = options.replace("$USER", "NONE")
+self.assertEqual([mock.call(set(keys), "root", options=options)],
+ m_setup_keys.call_args_list)
+
+@mock.patch(MODPATH + "ug_util.normalize_users_groups")
+@mock.patch(MODPATH + "os.path.exists")
+def test_handle_no_cfg(self, m_path_exists, m_nug, m_setup_keys):
+"""Test handle with no config and no distro user."""
+cfg = {}
+keys = ["key1"]
+# Mock os.path.exits to True to short-circuit the key writing logic
+m_path_exists.return_value = True
+m_nug.return_value = ([], {})
+cloud = mock.Mock()
+cloud.distro = mock.Mock()
+cloud.get_public_ssh_keys = mock.Mock(return_value=keys)
+cc_ssh.handle("name", cfg, cloud, self.logger, None)
+
+options = cc_ssh.DISABLE_ROOT_OPTS.replace("$USER", "NONE")
+self.assertEqual([mock.call(set(keys), "root", options=options)],
+ m_setup_keys.call_args_list)
+
+@mock.patch(MODPATH + "ug_util.normalize_users_groups")
+@mock.patch(MODPATH + "os.path.exists")
+def test_handle_no_cfg_and_default_root(self, m_path_exists, m_nug,
+m_setup_keys):
+"""Test handle with no config and a default distro user."""
+cfg = {}
+keys = ["key1"]
+user = "clouduser"
+ 
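Review bot: the comment `# Mock os.path.exits to True to short-circuit the key writing logic` misspells `exists`, and the docstring `"""Apply keys no user and disable root ssh."""` is missing "with"; more substantively, the `handle` tests only feed keys in through `cloud.get_public_ssh_keys`, so the `ssh_authorized_keys` cfg path that extends that list (visible in the cc_ssh.py hunk later in this thread) is not exercised. Consider one case with `cfg = {"ssh_authorized_keys": [...]}` asserting that the union of both key sources reaches `setup_user_keys`.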

[Cloud-init-dev] [Merge] ~fginther/cloud-init:feature/ssh_disable_users into cloud-init:master

2018-08-02 Thread Francis Ginther
Francis Ginther has proposed merging 
~fginther/cloud-init:feature/ssh_disable_users into cloud-init:master.

Commit message:
Add a configuration option, 'ssh_disable_users', for declaring a list of 
usernames to disable login via ssh and redirect to the default user.

Also adds unit tests for config/cc_ssh.py to verify both the pre-existing and 
the new behavior.

Requested reviews:
  cloud-init commiters (cloud-init-dev)
Related bugs:
  Bug #1771198 in cloud-init: "Support disable_root-esque behaviour for other 
users"
  https://bugs.launchpad.net/cloud-init/+bug/1771198

For more details, see:
https://code.launchpad.net/~fginther/cloud-init/+git/cloud-init/+merge/352053

This re-implements the 'disable_root' option for a list of users, instead of 
just root.

Testing is provided through unit tests. These did not exist for the 
config/cc_ssh.py module, so a basic set of tests were created to cover the 
existing 'disable_root' behavior. These tests were then expanded and modified to 
match the 'ssh_disable_users' implementation. The 'disable_root: true' option 
still exists, but it will be converted to 'ssh_disable_users: ["root"]' for 
processing.
-- 
Your team cloud-init commiters is requested to review the proposed merge of 
~fginther/cloud-init:feature/ssh_disable_users into cloud-init:master.
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
old mode 100755
new mode 100644
index 45204a0..52c819b
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -55,6 +55,11 @@ root login is disabled, and root login opts are set to::
 
 no-port-forwarding,no-agent-forwarding,no-X11-forwarding
 
+Login for other users can similarly be disabled with the ``ssh_disable_users``
+config list. Users in this list will have the same ``disable_root_opts``
+applied and references to the string ``$ROOT`` will be replace with the user
+being redirected.
+
 Authorized keys for the default user/first user defined in ``users`` can be
 specified using `ssh_authorized_keys``. Keys should be specified as a list of
 public keys.
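Review bot: in the added paragraph, "references to the string ``$ROOT`` will be replace with the user being redirected" should read "replaced", and the doc should spell out which name fills each placeholder (``$USER`` is the default user the login is redirected to, ``$ROOT`` the user whose login is disabled) and that any name in the list not already declared in ``users`` gets created, since both behaviours are visible in the ``handle()`` hunk below and an operator reading only this docstring would not expect user creation.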
@@ -87,6 +92,7 @@ public keys.
 dsa_public: ssh-dsa B3NzaC1yc2EBIwAAAGEAoPRhIfLvedSDKw7Xd ...
 ssh_genkeytypes: 
 disable_root: 
+ssh_disable_users: 
 disable_root_opts: 
 ssh_authorized_keys:
 - ssh-rsa B3NzaC1yc2EBIwAAAGEA3FSyQwBI6Z+nCSjUU ...
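Review bot: `ssh_disable_users:` is shown with no value next to the other keys; since this example is the first place an operator meets the new option, showing it as a short list of usernames (and `disable_root:` as a boolean) would make the list-versus-boolean distinction between the two options clear.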
@@ -104,7 +110,7 @@ from cloudinit import util
 DISABLE_ROOT_OPTS = (
 "no-port-forwarding,no-agent-forwarding,"
 "no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\""
-" rather than the user \\\"root\\\".\';echo;sleep 10\"")
+" rather than the user \\\"$ROOT\\\".\';echo;sleep 10\"")
 
 GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa', 'ed25519']
 KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key'
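Review bot: with `\"root\"` replaced by `\"$ROOT\"`, names taken from the `ssh_disable_users` config are now spliced, together with the default user name, into the shell command carried by the `command="echo '...'"` option; a name containing a quote or semicolon would alter that command. The substitution site should validate that both names match a plain username pattern (or reject the entry with a logged error) before building the options string.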
@@ -183,33 +189,45 @@ def handle(_name, cfg, cloud, log, _args):
 try:
 (users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
 (user, _user_config) = ug_util.extract_default(users)
+ssh_disable_users = util.get_cfg_option_list(cfg, "ssh_disable_users",
+ [])
 disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
 disable_root_opts = util.get_cfg_option_str(cfg, "disable_root_opts",
 DISABLE_ROOT_OPTS)
 
+ssh_disable_users = list(set(ssh_disable_users).difference(set(users)))
+for ssh_user in ssh_disable_users:
+cloud.distro.create_user(ssh_user, **cfg)
+
+if disable_root:
+ssh_disable_users.append("root")
+
 keys = cloud.get_public_ssh_keys() or []
 if "ssh_authorized_keys" in cfg:
 cfgkeys = cfg["ssh_authorized_keys"]
 keys.extend(cfgkeys)
 
-apply_credentials(keys, user, disable_root, disable_root_opts)
+apply_credentials(keys, user, ssh_disable_users, disable_root_opts)
 except Exception:
 util.logexc(log, "Applying ssh credentials failed!")
 
 
-def apply_credentials(keys, user, disable_root, disable_root_opts):
+def apply_credentials(keys, user, ssh_disable_users, disable_root_opts):
 
 keys = set(keys)
+ssh_disable_users = set(ssh_disable_users)
 if user:
 ssh_util.setup_user_keys(keys, user)
 
-if disable_root:
-if not user:
-user = "NONE"
-key_prefix = disable_root_opts.replace('$USER', user)
-else:
-key_prefix = ''
+if 'root' not in ssh_disable_users:
+ssh_util.setup_user_keys(keys, 'root', options='')
+
+if not user:
+user
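Review bot: `ssh_disable_users = list(set(ssh_disable_users).difference(set(users)))` silently drops any disabled user that is also declared under `users`, so such a user keeps unrestricted ssh access with no warning, which contradicts the commit message; and the following loop calls `cloud.distro.create_user(ssh_user, **cfg)` for every remaining name, including `root` if the operator listed it, with the whole cloud-config splatted as user options. Suggest passing the full list to `apply_credentials`, creating only the names absent from `users` (never `root`) with explicit kwargs, and logging the overlap.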
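To make the redirect-options logic discussed in this proposal concrete, here is an added, self-contained Python model (illustration only, not cloud-init's own code) of how a disabled user's authorized_keys option prefix would be derived once `disable_root` is folded into `ssh_disable_users`; the `SAFE_NAME` pattern, `is_safe_name` and `plan_credentials` are assumptions of this example, added because the substituted names end up inside a shell `command=` option.

```python
import re

# Added model of the ssh_disable_users idea; not cloud-init's own code.
# Same restrictive option string as cloud-init's DISABLE_ROOT_OPTS, with the
# $ROOT placeholder introduced by the proposed change.
DISABLE_ROOT_OPTS = (
    "no-port-forwarding,no-agent-forwarding,"
    "no-X11-forwarding,command=\"echo 'Please login as the user \\\"$USER\\\""
    " rather than the user \\\"$ROOT\\\".';echo;sleep 10\"")

# Assumption of this example: only names of this shape may be spliced into
# the shell command carried by the command="..." option.
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_safe_name(name):
    return bool(SAFE_NAME.match(name))


def disabled_users(cfg):
    """Fold legacy disable_root (default True) into ssh_disable_users."""
    names = list(cfg.get("ssh_disable_users", []))
    if cfg.get("disable_root", True) and "root" not in names:
        names.append("root")
    return names


def key_options(default_user, disabled_user, opts=DISABLE_ROOT_OPTS):
    """Options prefix for disabled_user's authorized_keys entries."""
    target = default_user or "NONE"
    for name in (target, disabled_user):
        if name != "NONE" and not is_safe_name(name):
            raise ValueError("unsafe username for command= option: %r" % name)
    return opts.replace("$USER", target).replace("$ROOT", disabled_user)


def plan_credentials(keys, default_user, cfg):
    """Return {username: (keys, options)} describing what would be written."""
    keys = set(keys)
    plan = {}
    if default_user:
        plan[default_user] = (keys, "")  # redirect target keeps full access
    for name in disabled_users(cfg):
        if name != default_user:
            plan[name] = (keys, key_options(default_user, name))
    if "root" not in plan:  # root not disabled: plain keys, as before
        plan["root"] = (keys, "")
    return plan
```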