Public bug reported: When using a central, root-owned directory to store ssh keys, cloud-init changes the permissions of the key directory which renders the keys unusable.
I'm using a similar approach as described here: https://www.ssh.com/ssh/key/ (section "Moving SSH keys to a root-owned location"), but I'm using the config

AuthorizedKeysFile /etc/ssh/keys/%u

In the original image, the permissions of the keys directory /etc/ssh/keys are 0755, owned by root:root. It contains all the keys of the users. All keys have 0644 permissions and are also owned by root:root. (The background: users are not allowed to change their ssh keys.)

After the machine boots and cloud-init finishes, the permissions of the key directory /etc/ssh/keys are 0700 and it is impossible to use key authentication, because sshd cannot access the key files.

IMHO the reason for this is that cloud-init changes the permission of the keys directory in https://git.launchpad.net/cloud-init/tree/cloudinit/ssh_util.py#n259:

util.ensure_dir(os.path.dirname(auth_key_fn), mode=0o700)

which is wrong in this use case.

** Affects: cloud-init
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1839061

Title:
  Wrong access permissions of authorized keys directory when using root-owned location

Status in cloud-init:
  New

Mailing list: https://launchpad.net/~yahoo-eng-team
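As an added reproduction, not taken from the bug report or from cloud-init's own code: a simplified re-implementation of the ensure_dir behaviour the report points at, run against a constructed copy of the /etc/ssh/keys layout, beside a variant that applies the restrictive mode only to a directory it creates itself. The check looks at the "other" execute bit because sshd switches to the user's UID while reading AuthorizedKeysFile, so a root-owned 0700 directory blocks that traversal; the function names and the user "alice" are assumptions.

```python
import os
import stat
import tempfile


def ensure_dir_always_chmod(path, mode):
    """Simplified stand-in for the cloud-init behaviour the report
    describes: create the directory if missing, then chmod it
    unconditionally, so an existing 0755 directory ends up 0700."""
    if not os.path.isdir(path):
        os.makedirs(path)
    os.chmod(path, mode)


def ensure_dir_preserve_existing(path, mode):
    """Hardened variant: apply the restrictive mode only to a directory
    this code creates; an operator-managed directory is left untouched."""
    if not os.path.isdir(path):
        os.makedirs(path)
        os.chmod(path, mode)


def others_can_traverse(path):
    """True if users other than the owner can enter the directory, i.e.
    the 'other' execute bit is set. sshd reads AuthorizedKeysFile with the
    user's UID, so this bit is what key authentication depends on here."""
    return bool(os.stat(path).st_mode & stat.S_IXOTH)


def simulate(ensure_dir):
    """Build a root-owned-style keys layout in a temp dir (constructed
    sample), run the given ensure_dir on it the way ssh_util.py does for
    AuthorizedKeysFile /etc/ssh/keys/%u, and report traversability
    before and after plus the resulting mode."""
    with tempfile.TemporaryDirectory() as tmp:
        keys_dir = os.path.join(tmp, "etc", "ssh", "keys")
        os.makedirs(keys_dir)
        os.chmod(keys_dir, 0o755)                      # operator's intended mode
        auth_key_fn = os.path.join(keys_dir, "alice")  # assumed user name
        with open(auth_key_fn, "w") as f:
            f.write("ssh-ed25519 AAAA-constructed-placeholder alice\n")
        os.chmod(auth_key_fn, 0o644)
        before = others_can_traverse(keys_dir)
        ensure_dir(os.path.dirname(auth_key_fn), 0o700)  # mode from ssh_util.py
        after = others_can_traverse(keys_dir)
        return before, after, oct(os.stat(keys_dir).st_mode & 0o777)


if __name__ == "__main__":
    print("unconditional chmod:", simulate(ensure_dir_always_chmod))
    print("preserve existing:  ", simulate(ensure_dir_preserve_existing))
```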

