Public bug reported:
Hi.
Consider the following sshd_config which is pretty standard with only an
added "Match" block.
---------8<------------------------------------
<...>
Port 22
AuthorizedKeysFile %h/.ssh/authorized_keys
<...>
Match group foobar
AuthorizedKeysFile /etc/ssh/authorizedkeys/%u
---------8<------------------------------------
When starting an instance pre-configured with the above sshd_config (in my case
AWS EC2), cloud-init will parse /etc/ssh/sshd_config to know where it should
put the public key of the default "ubuntu" user. The problem is that cloud-init
is not an sshd_config parser and, looking at the code, it just does
line-by-line parsing.
In this case, it will pick up the AuthorizedKeysFile value that is in
the Match block because it's the last one in the file and will end up
putting the default user key under /etc/ssh/authorizedkeys/ubuntu,
preventing login into the instance because from the sshd point of view,
the correct key location for that user (which is *not* part of the
"foobar" group) is $HOMEDIR/.ssh/authorized_keys.
The obvious workaround is to append the default AuthorizedKeysFile at the end
of the file but it would have been nice to know it beforehand ;-)
I understand that line-by-line parsing is the easy way, but in the case of ssh
it is very error-prone and can lead to unexpected behaviour...
Thanks.
** Affects: cloud-init
Importance: Undecided
Status: New
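Added example (not cloud-init's own code): a naive last-wins scan of the kind the report describes, next to a Match-aware scan that treats only the lines before the first "Match" block as global, both run over a constructed sshd_config mirroring the one above. Function names and the assumed default value are hypothetical.

```python
import os
import re

# Constructed sshd_config mirroring the bug report: a global
# AuthorizedKeysFile followed by a Match block that overrides it.
SSHD_CONFIG = """\
Port 22
AuthorizedKeysFile %h/.ssh/authorized_keys
Match group foobar
    AuthorizedKeysFile /etc/ssh/authorizedkeys/%u
"""

def _keyword_value(line):
    """Split one sshd_config line into (keyword, value); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    if len(parts) < 2:
        return None
    return parts[0].lower(), parts[1].strip()

def naive_authorized_keys_file(config_text):
    """Line-by-line, last-wins scan: picks up a value inside a Match block (the bug)."""
    value = ".ssh/authorized_keys"  # assumed default, relative to the home directory
    for line in config_text.splitlines():
        kv = _keyword_value(line)
        if kv and kv[0] == "authorizedkeysfile":
            value = kv[1]
    return value

def global_authorized_keys_file(config_text):
    """Match-aware scan: everything from the first Match keyword on is conditional."""
    value = ".ssh/authorized_keys"  # assumed default, relative to the home directory
    for line in config_text.splitlines():
        kv = _keyword_value(line)
        if kv is None:
            continue
        keyword, val = kv
        if keyword == "match":
            break  # stop: later lines apply only when the Match criteria hold
        if keyword == "authorizedkeysfile":
            value = val
    return value

def expand_keys_path(template, user, home):
    """Expand %%, %h and %u in the first listed file; relative paths are home-relative."""
    tokens = {"%%": "%", "%h": home, "%u": user}
    path = re.sub(r"%[%hu]", lambda m: tokens[m.group(0)], template.split()[0])
    return path if os.path.isabs(path) else os.path.join(home, path)
```

For the default "ubuntu" user the naive scan yields /etc/ssh/authorizedkeys/ubuntu, while the Match-aware scan yields /home/ubuntu/.ssh/authorized_keys, the location sshd actually consults for a user outside the "foobar" group.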
https://bugs.launchpad.net/bugs/1508543
Title:
AuthorizedKeysFile in match block will prevent default user login
Status in cloud-init:
New