config-ssh module doesn't respect Match conditions in sshd_config
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| cloud-init |
Expired
|
Low
|
Unassigned | ||
Bug Description
Summary
Per https:/
Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the
following lines override those set in the global section of the config file, until either anotherMatch line or the end of the
file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.
Say I have a Match setup for a group to use a special location of an AuthorizedKeysFile, basically to move this out of the homedir these restricted users are jailed in.
Match Group my-special-group
AuthorizedK
Relevant Code:
https:/
and ultimately lies in the implementation at
https:/
the way parse_ssh_
Process
Setup an sshd_config utilizing a Match option, like
Match Group my-special-group
AuthorizedK
and then have cloud-init do it's ssh configuration
Current and expected result
Current: the last AuthorizedKeysFile statement wins, regardless if it's at the global level or underneath a Match
Expected: cloud-init only respects the globally defined AuthorizedKeysFile, or falls back to the standard homedir location
Screenshot
n/a
| description: | updated |
| description: | updated |
| Paride Legovini (paride) wrote | #1 |
| Changed in cloud-init: | |
| status: | New → Triaged |
| importance: | Undecided → Critical |
| importance: | Critical → Low |
| James Falcon (falcojr) wrote | #2 |
| Changed in cloud-init: | |
| status: | Triaged → Expired |
Hello Emmanual and thanks for your bug report. You are right: the current implementation doesn't allow for the more fine-grained setup you outlined using Match stanzas. I'm marking this report as Triaged as I think the issue is well understood; feel free to change the status back to New if you think that further discussion is needed. Thanks!