cloud-init should be able to switch off password auth in sshd

Bug #1053893 reported by Neil Wilson
This bug affects 1 person
Affects              Status         Importance  Assigned to  Milestone
cloud-init           Fix Released   Medium      Unassigned
cloud-init (Ubuntu)  Fix Released   Low         Unassigned

Bug Description

I've had a look but I can't see any facilities within cloud-init config system to manipulate the sshd configuration settings.

ISTM that cloud-init should open up sshd to the minimum required by the users configured by the cloud-init process (or if told to widen it further).

So password auth should be off unless passwords are specified. Key auth should be off unless keys are retrieved, possibly sshd should not even be started if there are no users, etc.

At the moment the image I'm generating has password auth switched off in the default config, but obviously that means if somebody specifies a passworded user in the cloud-init config, then it won't work.

As an aside is there a general move to do all the 'cloud specific config' within cloud-init rather than in the image build?

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: cloud-init (not installed)
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu13
Architecture: amd64
CheckboxSubmission: 55cafa5b8b82ed224cc59d444cb1fc25
CheckboxSystem: 3e53d3ea5811723345f19eff5070f9ab
Date: Fri Sep 21 09:53:01 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
SourcePackage: cloud-init
UpgradeStatus: Upgraded to precise on 2012-05-07 (136 days ago)

Neil Wilson (neil-aldur) wrote :
description: updated
Scott Moser (smoser) wrote : Re: [Bug 1053893] [NEW] cloud-init should be able to switch off password auth in sshd

> As an aside is there a general move to do all the 'cloud specific
> config' within cloud-init rather than in the image build?

Yes. Images should as much as possible be "generic ubuntu".

Scott Moser (smoser)
Changed in cloud-init (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Scott Moser (smoser)
Changed in cloud-init:
status: New → Confirmed
importance: Undecided → Medium
Scott Moser (smoser) wrote :

I think this should be fixed in 0.7.5.
It doesn't do it automatically, but if you want pwauth on, you can just specify:
   ssh_pwauth: True

and it should enable it correctly.

I think I'd rather require this to be explicitly done (it can be done in /etc/cloud/cloud.cfg.d or user-data) than doing it automatically. Additionally, I don't think that there is a ton of value in disabling ssh key auth, or in not starting ssh.

I'm going to mark this fix-released based on the above. If you disagree, feel free to re-open and comment.

Changed in cloud-init:
status: Confirmed → Fix Released
Changed in cloud-init (Ubuntu):
status: Triaged → Fix Released
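
The following check is an added example, not part of the bug thread and not cloud-init code: it compares what a cloud-config asks for (ssh_pwauth, plus any password-setting keys) with the global PasswordAuthentication value in an sshd_config, and reports the mismatch the report describes. Assumptions: the password key names and the accepted true/false spellings are taken as listed in the code, the cloud-config is read with line regexes rather than a YAML parser, and sshd Include files and Match blocks are not evaluated.

```python
import re

# Constructed sample inputs (not taken from the bug report).
USER_DATA = """\
#cloud-config
users:
  - name: demo
    plain_text_passwd: example-only
    lock_passwd: false
"""
IMAGE_SSHD_CONFIG = """\
# image default, as in the report: password auth switched off
PasswordAuthentication no
PasswordAuthentication yes
"""

def requested_pwauth(cloud_config):
    """Top-level ssh_pwauth as True/False; None when absent or 'unchanged'."""
    m = re.search(r"^ssh_pwauth:\s*['\"]?(\w+)", cloud_config, re.M)
    word = m.group(1).lower() if m else ""
    return {"true": True, "yes": True, "on": True, "1": True,
            "false": False, "no": False, "off": False, "0": False}.get(word)

def sets_password(cloud_config):
    """Does the config set any password? (key names are assumed here)"""
    keys = r"passwd|plain_text_passwd|hashed_passwd|password|chpasswd"
    return re.search(rf"^\s*(?:-\s*)?(?:{keys}):", cloud_config, re.M) is not None

def global_pwauth(sshd_config):
    """Global PasswordAuthentication: first value wins, sshd default is yes."""
    for line in sshd_config.splitlines():
        words = line.split("#", 1)[0].replace("=", " ").split()
        if words and words[0].lower() == "match":
            break  # per-user overrides are out of scope for this check
        if len(words) > 1 and words[0].lower() == "passwordauthentication":
            return words[1].lower() == "yes"
    return True

def audit(cloud_config, sshd_config):
    want, have = requested_pwauth(cloud_config), global_pwauth(sshd_config)
    if want is not None and want != have:
        return "mismatch: ssh_pwauth was requested but sshd disagrees"
    if sets_password(cloud_config) and not have:
        return "unusable: password set, sshd refuses passwords, no ssh_pwauth: True"
    if have and not sets_password(cloud_config) and want is not True:
        return "wider than needed: sshd accepts passwords, none configured"
    return "ok"
```

On a running instance, `sshd -T` prints the effective configuration, including Include files, and is the better source for the sshd side of the comparison.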
James Falcon (falcojr) wrote :