Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/3889
** Bug watch added: github.com/canonical/cloud-init/issues #3889
   https://github.com/canonical/cloud-init/issues/3889

** Changed in: cloud-init
       Status: Triaged => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1935857

Title:
  cc_ssh: parse_ssh_config_map does not take into account user-specific
  Match section overrides

Status in cloud-init:
  Expired

Bug description:
  cloud-init 21.2

  User-specific Match sections can be provided in /etc/ssh/sshd_config to
  override global ssh config default settings such as AuthorizedKeysFile.

  cloud-init's parsing of sshd_config in ssh_util[1] is simplistic and
  treats each line in the sshd_config file as simple key/value pairs. Any
  Match sections defined below a global AuthorizedKeysFile setting will be
  overridden to the line containing an AuthorizedKeysFile definition, even
  if that definition should only be scoped to a specific user Match.

  Here is an example adding a specific Match section which should only
  apply a non-default AuthorizedKeysFile to the "custom" user, and how
  cloud-init incorrectly represents that content.
  $ cat > sshd_bad_parse.yaml <<EOF
  #cloud-config
  write_files:
  - path: /etc/ssh/sshd_config
    content: |
      AuthorizedKeysFile .ssh/authorized_keys
      # Inject custom user-specific match which should only affect custom user
      Match User custom
      AuthorizedKeysFile .ssh/unique_ubuntu_keyfile
    append: true
  users:
  - default
  - name: custom
    sudo: false
    ssh_authorized_keys:
    - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSL7uWGj8cgWyIOaspgKdVy0cKJ+UTjfv7jBOjG2H/GN8bJVXy72XAvnhM0dUM+CCs8FOf0YlPX+Frvz2hKInrmRhZVwRSL129PasD12MlI3l44u6IwS1o/W86Q+tkQYEljtqDOo0a+cOsaZkvUNzUyEXUwz/lmYa6G4hMKZH4NBj7nbAAF96wsMCoyNwbWryBnDYUr6wMbjRR1J9Pw7Xh7WRC73wy4Va2YuOgbD3V/5ZrFPLbWZW/7TFXVrql04QVbyei4aiFR5n//GvoqwQDNe58LmbzX/xvxyKJYdny2zXmdAhMxbrpFQsfpkJ9E/H5w0yOdSvnWbUoG5xNGoOB csmith@fringe # ssh-import-id lp:chad.smith"
  EOF

  $ lxc launch ubuntu-daily:bionic ssh-b -c user.user-data="$(cat sshd_bad_parse.yaml)"

  $ lxc exec ssh-b -- python3 -c 'from cloudinit.ssh_util import parse_ssh_config_map; print(parse_ssh_config_map("/etc/ssh/sshd_config")["authorizedkeysfile"])'
  .ssh/unique_ubuntu_keyfile
  # Expected global authorizedkeysfile config to be .ssh/authorized_keys

  References:
  [1] simple sshd_config key value parsing
      https://github.com/canonical/cloud-init/blob/main/cloudinit/ssh_util.py#L332-L339
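The report above describes the failure mode in prose; the following Python is an added example (my own code, not cloud-init's ssh_util and not part of the original report) that contrasts the flat "every line is a key/value pair" reading with a parse that keeps Match blocks scoped to the connections they apply to. The sample sshd_config is constructed to mirror the reproduction plus one Address-scoped block; the first-value-wins rule and the Match override semantics are taken from sshd_config(5). Only the User, Address and All criteria are implemented, and negated patterns or other criteria are rejected rather than guessed at.

```python
import fnmatch
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the report's reproduction (not a real host's file).
SAMPLE_SSHD_CONFIG = """\
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
# Scoped override: must only apply to the "custom" user
Match User custom
    AuthorizedKeysFile .ssh/unique_ubuntu_keyfile
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

_KV_SPLIT = re.compile(r"\s*=\s*|\s+")  # sshd_config(5) allows "Key value" and "Key=value"
Block = Tuple[Optional[str], Dict[str, str]]  # (Match criteria, or None for global; options)


def _lines(text: str):
    """Yield (keyword lowercased, value) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _KV_SPLIT.split(line, maxsplit=1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def naive_config_map(text: str) -> Dict[str, str]:
    """The flattening the report describes, written here to mirror it (not
    cloud-init's code): every line is a key/value pair, "Match" is just another
    key, and a later line replaces an earlier one."""
    flat: Dict[str, str] = {}
    for key, value in _lines(text):
        flat[key] = value
    return flat


def parse_sshd_config(text: str) -> List[Block]:
    """Global block first, then each Match block in file order.  Within a block
    the first value for a keyword wins, as sshd_config(5) specifies."""
    blocks: List[Block] = [(None, {})]
    for key, value in _lines(text):
        if key == "match":
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def _match_address(pattern_list: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    for pat in pattern_list.split(","):
        try:
            if ip in ipaddress.ip_network(pat, strict=False):  # CIDR form
                return True
        except ValueError:  # not CIDR: treat as a wildcard pattern
            if fnmatch.fnmatchcase(addr, pat):
                return True
    return False


def _criteria_match(criteria: str, user: Optional[str], address: Optional[str]) -> bool:
    """Evaluate one Match line.  Only User, Address and All are handled; negated
    patterns and other criteria raise rather than silently reading as "no match"."""
    tokens = criteria.split()
    if len(tokens) == 1 and tokens[0].lower() == "all":
        return True
    if len(tokens) % 2:
        raise ValueError(f"malformed Match criteria: {criteria!r}")
    for crit, patterns in zip(tokens[::2], tokens[1::2]):
        if patterns.startswith("!"):
            raise ValueError(f"negated Match pattern not supported: {patterns!r}")
        if crit.lower() == "user":
            if user is None or not any(fnmatch.fnmatchcase(user, p) for p in patterns.split(",")):
                return False
        elif crit.lower() == "address":
            if address is None or not _match_address(patterns, address):
                return False
        else:
            raise ValueError(f"unsupported Match criterion: {crit!r}")
    return True


def effective_value(blocks: List[Block], keyword: str, user: Optional[str] = None,
                    address: Optional[str] = None) -> Optional[str]:
    """What sshd applies to a connection: the first applicable Match block that
    sets the keyword, otherwise the global section's value."""
    key = keyword.lower()
    for criteria, opts in blocks[1:]:
        if key in opts and _criteria_match(criteria, user, address):
            return opts[key]
    return blocks[0][1].get(key)


if __name__ == "__main__":
    blocks = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("naive  :", naive_config_map(SAMPLE_SSHD_CONFIG)["authorizedkeysfile"])
    print("global :", effective_value(blocks, "AuthorizedKeysFile"))
    print("custom :", effective_value(blocks, "AuthorizedKeysFile", user="custom"))
    print("10/8   :", effective_value(blocks, "PasswordAuthentication", address="10.1.2.3"))
```

The practical check is the difference between `naive_config_map(...)["authorizedkeysfile"]` and `effective_value(blocks, "AuthorizedKeysFile")` with no user given: when they disagree, a Match-scoped setting has leaked into what the tool treats as the global default, which is exactly what the reproduction above shows for cloud-init 21.2. A tool that writes keys for a particular user should instead ask for the value with that user's name, as `effective_value` does.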

