[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect

** Tags added: id-5e21ca0949c79659969a46bd

--
You received this bug notification because you are a member of cloud-init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  New

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature, Instance Connect, which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system. Installing the package enables the use of Instance Connect on an instance.

  [Security]
  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists of a few shell scripts that are difficult to test by themselves due to the high reliance on Amazon's Instance Connect service, which is online and limited to use on Amazon instances. Given that it's a new package, there are no long-term outstanding bugs in Ubuntu or Debian. The package is only maintained in Ubuntu at the moment. This package deals with special "hardware"; it is only useful on Amazon instances, and its support is required as a default deployment on such instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration options.

  [Dependencies]
  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers; there are no standards violations known.

  [Maintenance]
  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions

___
Mailing list: https://launchpad.net/~cloud-init-dev
Post to     : cloud-init-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~cloud-init-dev
More help   : https://help.launchpad.net/ListHelp
[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect

** Tags added: id-5cbf801e21a2a0662e2718a9

https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete
[Cloud-init-dev] [Merge] ~fginther/cloud-init:feature/test-cc-ssh into cloud-init:master
Francis Ginther has proposed merging ~fginther/cloud-init:feature/test-cc-ssh into cloud-init:master.

Commit message:
Add unit tests for config/cc_ssh.py

These tests focus on the apply_credentials method and the ssh setup for root and a distro default user.

Requested reviews:
  cloud-init commiters (cloud-init-dev)

For more details, see:
https://code.launchpad.net/~fginther/cloud-init/+git/cloud-init/+merge/353816

This is based on https://code.launchpad.net/~fginther/cloud-init/+git/cloud-init/+merge/352053 with feedback from chad.smith incorporated.

This has successfully built in a PPA for bionic:
https://launchpad.net/~fginther/+archive/ubuntu/cloud-init-2/+build/15307849

--
Your team cloud-init commiters is requested to review the proposed merge of ~fginther/cloud-init:feature/test-cc-ssh into cloud-init:master.

diff --git a/cloudinit/config/tests/test_ssh.py b/cloudinit/config/tests/test_ssh.py new file mode 100644 index 000..a7eb9bc --- /dev/null +++ b/cloudinit/config/tests/test_ssh.py 
@@ -0,0 +1,137 @@ +# This file is part of cloud-init. See LICENSE file for license information. + + +from cloudinit.config import cc_ssh +from cloudinit.tests.helpers import CiTestCase, mock + +MODPATH = "cloudinit.config.cc_ssh." + + +@mock.patch(MODPATH + "ssh_util.setup_user_keys") +class TestHandleSsh(CiTestCase): +"""Test cc_ssh handling of ssh config.""" + +with_logs = True + +def test_apply_credentials_with_user(self, m_setup_keys): +"""Apply keys for the given user and root.""" +keys = ["key1"] +user = "clouduser" +options = cc_ssh.DISABLE_ROOT_OPTS +cc_ssh.apply_credentials(keys, user, False, options) +self.assertEqual([mock.call(set(keys), user), + mock.call(set(keys), "root", options="")], + m_setup_keys.call_args_list) + +def test_apply_credentials_with_no_user(self, m_setup_keys): +"""Apply keys for root only.""" +keys = ["key1"] +user = None +options = cc_ssh.DISABLE_ROOT_OPTS +cc_ssh.apply_credentials(keys, user, False, options) +self.assertEqual([mock.call(set(keys), "root", options="")], + m_setup_keys.call_args_list) + +def test_apply_credentials_with_user_disable_root(self, m_setup_keys): +"""Apply keys for the given user and disable root ssh.""" +keys = ["key1"] +user = "clouduser" +options = cc_ssh.DISABLE_ROOT_OPTS +cc_ssh.apply_credentials(keys, user, True, options) +options = options.replace("$USER", user) +self.assertEqual([mock.call(set(keys), user), + mock.call(set(keys), "root", options=options)], + m_setup_keys.call_args_list) + +def test_apply_credentials_with_no_user_disable_root(self, m_setup_keys): +"""Apply keys no user and disable root ssh.""" +keys = ["key1"] +user = None +options = cc_ssh.DISABLE_ROOT_OPTS +cc_ssh.apply_credentials(keys, user, True, options) +options = options.replace("$USER", "NONE") +self.assertEqual([mock.call(set(keys), "root", options=options)], + m_setup_keys.call_args_list) + +@mock.patch(MODPATH + "ug_util.normalize_users_groups") +@mock.patch(MODPATH + "os.path.exists") +def test_handle_no_cfg(self, 
m_path_exists, m_nug, m_setup_keys): +"""Test handle with no config and no distro user.""" +cfg = {} +keys = ["key1"] +# Mock os.path.exits to True to short-circuit the key writing logic +m_path_exists.return_value = True +m_nug.return_value = ([], {}) +cloud = mock.Mock() +cloud.distro = mock.Mock() +cloud.get_public_ssh_keys = mock.Mock(return_value=keys) +cc_ssh.handle("name", cfg, cloud, self.logger, None) + +options = cc_ssh.DISABLE_ROOT_OPTS.replace("$USER", "NONE") +self.assertEqual([mock.call(set(keys), "root", options=options)], + m_setup_keys.call_args_list) + +@mock.patch(MODPATH + "ug_util.normalize_users_groups") +@mock.patch(MODPATH + "os.path.exists") +def test_handle_no_cfg_and_default_root(self, m_path_exists, m_nug, +m_setup_keys): +"""Test handle with no config and a default distro user.""" +cfg = {} +keys = ["key1"] +user = "clouduser" +
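Review bot: Forcing `m_path_exists.return_value = True` in `test_handle_no_cfg` means the key writing logic the comment refers to is never exercised anywhere in this file; a companion test with `os.path.exists` returning False would cover that branch (the comment itself also misspells it as `os.path.exits`). `cloud.distro = mock.Mock()` is redundant, since `cloud = mock.Mock()` already yields a Mock for any attribute. The next test is named `test_handle_no_cfg_and_default_root` but its docstring says "a default distro user" and it sets `user = "clouduser"`, so a name such as `test_handle_no_cfg_and_default_user` would match what it checks. The four `apply_credentials` tests do pin down the part that matters for hardening: with `disable_root` set, root's key is only ever installed with the `DISABLE_ROOT_OPTS` restrictions (port, agent and X11 forwarding off plus a forced command) and `$USER` substituted, and with it unset the key goes in with `options=""`.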
[Cloud-init-dev] [Merge] ~fginther/cloud-init:feature/ssh_disable_users into cloud-init:master
Francis Ginther has proposed merging ~fginther/cloud-init:feature/ssh_disable_users into cloud-init:master.

Commit message:
Add a configuration option, 'ssh_disable_users', for declaring a list of usernames to disable login via ssh and redirect to the default user.

Also adds unit tests for config/cc_ssh.py to verify both the pre-existing and the new behavior.

Requested reviews:
  cloud-init commiters (cloud-init-dev)

Related bugs:
  Bug #1771198 in cloud-init: "Support disable_root-esque behaviour for other users"
  https://bugs.launchpad.net/cloud-init/+bug/1771198

For more details, see:
https://code.launchpad.net/~fginther/cloud-init/+git/cloud-init/+merge/352053

This re-implements the 'disable_root' option for a list of users, instead of just root.

Testing is provided through unit tests. These did not exist for the config/cc_ssh.py module, so a basic set of tests were created to cover the existing 'disable_root' behavior. These tests were then expanded and modified to match the 'ssh_disable_users' implementation.

The 'disable_root: true' option still exists, but it will be converted to 'ssh_disable_users: ["root"]' for processing.

--
Your team cloud-init commiters is requested to review the proposed merge of ~fginther/cloud-init:feature/ssh_disable_users into cloud-init:master.

diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py old mode 100755 new mode 100644 index 45204a0..52c819b --- a/cloudinit/config/cc_ssh.py +++ b/cloudinit/config/cc_ssh.py 
@@ -55,6 +55,11 @@ root login is disabled, and root login opts are set to:: no-port-forwarding,no-agent-forwarding,no-X11-forwarding +Login for other users can similarly be disabled with the ``ssh_disable_users`` +config list. Users in this list will have the same ``disable_root_opts`` +applied and references to the string ``$ROOT`` will be replace with the user +being redirected. + Authorized keys for the default user/first user defined in ``users`` can be specified using `ssh_authorized_keys``. Keys should be specified as a list of public keys. @@ -87,6 +92,7 @@ public keys. dsa_public: ssh-dsa B3NzaC1yc2EBIwAAAGEAoPRhIfLvedSDKw7Xd ... ssh_genkeytypes: disable_root: +ssh_disable_users: disable_root_opts: ssh_authorized_keys: - ssh-rsa B3NzaC1yc2EBIwAAAGEA3FSyQwBI6Z+nCSjUU ... @@ -104,7 +110,7 @@ from cloudinit import util DISABLE_ROOT_OPTS = ( "no-port-forwarding,no-agent-forwarding," "no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\"" -" rather than the user \\\"root\\\".\';echo;sleep 10\"") +" rather than the user \\\"$ROOT\\\".\';echo;sleep 10\"") GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa', 'ed25519'] KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key' 
@@ -183,33 +189,45 @@ def handle(_name, cfg, cloud, log, _args): try: (users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro) (user, _user_config) = ug_util.extract_default(users) +ssh_disable_users = util.get_cfg_option_list(cfg, "ssh_disable_users", + []) disable_root = util.get_cfg_option_bool(cfg, "disable_root", True) disable_root_opts = util.get_cfg_option_str(cfg, "disable_root_opts", DISABLE_ROOT_OPTS) +ssh_disable_users = list(set(ssh_disable_users).difference(set(users))) +for ssh_user in ssh_disable_users: +cloud.distro.create_user(ssh_user, **cfg) + +if disable_root: +ssh_disable_users.append("root") + keys = cloud.get_public_ssh_keys() or [] if "ssh_authorized_keys" in cfg: cfgkeys = cfg["ssh_authorized_keys"] keys.extend(cfgkeys) -apply_credentials(keys, user, disable_root, disable_root_opts) +apply_credentials(keys, user, ssh_disable_users, disable_root_opts) except Exception: util.logexc(log, "Applying ssh credentials failed!") -def apply_credentials(keys, user, disable_root, disable_root_opts): +def apply_credentials(keys, user, ssh_disable_users, disable_root_opts): keys = set(keys) +ssh_disable_users = set(ssh_disable_users) if user: ssh_util.setup_user_keys(keys, user) -if disable_root: -if not user: -user = "NONE" -key_prefix = disable_root_opts.replace('$USER', user) -else: -key_prefix = '' +if 'root' not in ssh_disable_users: +ssh_util.setup_user_keys(keys, 'root', options='') + +if not user: +user
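Review bot: In the documentation hunk at `@@ -55,6 +55,11 @@`, "references to the string ``$ROOT`` will be replace with the user being redirected" has a typo ("replaced") and is ambiguous now that `DISABLE_ROOT_OPTS` carries two placeholders: `$USER` is the account the person is told to log in as, `$ROOT` is the account whose key is being restricted; say both. The example config in the `@@ -87,6 +92,7 @@` hunk adds a bare `ssh_disable_users:` line while every neighbouring key shows a sample value, so give it a list. The `@@ -104,7 +110,7 @@` hunk changes the default forced-command message from the literal `root` to `$ROOT`; that is intended, but it is a change to the documented default output and deserves a sentence in the same doc block.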
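Review bot: In the `handle()` hunk, `ssh_disable_users = list(set(ssh_disable_users).difference(set(users)))` overwrites the disable list with only the names that are not already defined in `users`, so any listed user that does exist is silently dropped and never reaches `apply_credentials` with the restricted options; keep the difference in a separate variable for the `create_user` loop and pass the full list on. That loop calls `cloud.distro.create_user(ssh_user, **cfg)` with the whole cloud-config expanded as keyword options, so any top-level key that `create_user` treats as a per-user option (`ssh_authorized_keys`, visible a few lines below, is the obvious one) would be applied to an account the option exists to lock down; pass an explicit minimal option dict instead. In `apply_credentials`, the new `if 'root' not in ssh_disable_users: ssh_util.setup_user_keys(keys, 'root', options='')` preserves the old behaviour of installing unrestricted root keys when root is not in the list, which is fine, but the `disable_root` default of True is now applied by appending to the list in `handle()` rather than inside `apply_credentials`, so the unit tests should call `handle()` for the default-on case and not only `apply_credentials`.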