cc_ssh: parse_ssh_config_map does not take into account user-specific Match section overrides
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| cloud-init |
Expired
|
Low
|
Unassigned | ||
Bug Description
cloud-init 21.2
User-specific Match sections can be provided in /etc/ssh/
cloud-init's parsing of sshd_config in ssh_util[1] is simplistic and treats each line in the sshd_config file as simple key/value pairs. Any Match sections defined below a global AuthorizedKeysFile setting will be overridden to the line containing an AuthorizedKeysFile definition, even if that definition should only be scoped to a specific user Match.
Here is an example adding a specific Match section which should only apply non-default AuthorizedKeysFile to the "custom" user, and how cloud-init incorrectly represents that content.
$ cat sshd_bad_parse.yaml <<EOF
#cloud-config
write_files:
- path: /etc/ssh/
content: |
Authorize
# Inject custom user-specific match which should only affect custom user
Match User custom
append: true
users:
- default
- name: custom
sudo: false
ssh_
- "ssh-rsa AAAAB3NzaC1yc2E
EOF
$ lxc launch ubuntu-daily:bionic ssh-b -c user.user-
$ lxc exec ssh-b -- python3 -c 'from cloudinit.ssh_util import parse_ssh_
.ssh/unique_
# Expected global authorizedkeysfile config to be .ssh/authorized
References:
[1] simple sshd_config key value parsing https:/
| Changed in cloud-init: | |
| status: | New → Triaged |
| importance: | Undecided → Low |
| James Falcon (falcojr) wrote | #1 |
| Changed in cloud-init: | |
| status: | Triaged → Expired |
Tracked in Github Issues as https:/