SSH keys not updated correctly when sshd_config "AuthorizedKeysFile" contains multiple values

Bug #1404060 reported by Alex Gottschalk on 2014-12-19
This bug affects 8 people
Affects: cloud-init
Importance: Medium
Assigned to: Unassigned

Bug Description

I have overridden the AuthorizedKeysFile stanza in my site's sshd_config, as follows:

AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys/%u

This allows two locations for authorized keys, which is useful for us because reasons.

It looks like cloud-init is incorrectly parsing this line to determine where to drop user keys, as I'm ending up with the following file:

"/home/ubuntu/.ssh/authorized_keys /etc/ssh/authorized_keys/ubuntu" (note that the space is part of the directory name under .ssh)

I think cloud-init should probably treat whitespace as a field separator here, and append keys to all AuthorizedKeysFile entries listed.

summary: - authorized_keys not updated when sshd_config "AuthorizedKeysFile"
+ SSH keys not updated correctly when sshd_config "AuthorizedKeysFile"
contains multiple values

While a very crude workaround, this is good enough for my purposes.

Improved patch using shlex.split for proper handling of shell-style quoting/escaping of whitespace.

Ted Wexler (twexler) wrote :

This bug partially affects me. I've got 2 of those stanzas in /etc/sshd_config, and it always chooses the last one.

Edmund Rhudy (erhudy) wrote :

Adding a vote to this bug, because running into this was pretty annoying.

karena (trawler) wrote :

Yes, would very much like to see this bug fixed. I've also added a bug report (1600223) but closed it as a duplicate after finding this report. Would very much like to see this bug fixed.

Scott Moser (smoser) on 2016-07-26
Changed in cloud-init:
status: New → Confirmed
importance: Undecided → Medium
status: Confirmed → Triaged
milestone: none → 0.7.7
Scott Moser (smoser) on 2016-08-10
Changed in cloud-init:
milestone: 0.7.7 → 0.7.8
Scott Moser (smoser) on 2016-09-12
Changed in cloud-init:
milestone: 0.7.8 → 0.7.9
Scott Moser (smoser) on 2016-12-23
Changed in cloud-init:
milestone: 0.7.9 → none
milestone: none → 0.7.10
Robert C Jennings (rcj) wrote :

Handling of ‘AuthorizedKeysFile’ in sshd_config by cloud-init is not documented

The reporter would like to specify multiple keys files to add keys to, which is legal for sshd.

This is an option to sshd_config which cloud-init is parsing but not handling properly.
Developers of cloud-init should determine the desired behavior, implement it, add tests, and document it.

Robert C Jennings (rcj) wrote :

The second patch should be fine (it uses shlex to split on whitespace the same as sshd would). The shlex docs do state that unicode support doesn't show up until python2.7[1]. Additionally, we would want whitespace_split = True for shlex.

[1] https://docs.python.org/2/library/shlex.html
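
The parsing discussed in this thread, as an added example (not cloud-init's code and not either attached patch): it contrasts treating the whole AuthorizedKeysFile value as one path with splitting it through shlex (whitespace_split = True) and expanding %h, %u and %% per entry. All function names and the sample config are constructed for illustration; keeping the first AuthorizedKeysFile line and using shlex as a stand-in for sshd's own argument splitting are assumptions.

```python
import posixpath
import shlex

# Constructed sample: the reporter's AuthorizedKeysFile line in a minimal config.
SAMPLE_SSHD_CONFIG = """\
# site overrides
Port 22
AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys/%u
"""

# sshd's default when the keyword is not set (sshd_config(5)).
DEFAULT_PATTERNS = [".ssh/authorized_keys", ".ssh/authorized_keys2"]


def expand(pattern, user, home):
    """Expand %h, %u and %%; a relative result is taken under the home directory."""
    tokens = {"h": home, "u": user, "%": "%"}
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "%" and pattern[i + 1:i + 2] in tokens:
            out.append(tokens[pattern[i + 1]])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    path = "".join(out)
    return path if posixpath.isabs(path) else posixpath.join(home, path)


def single_path(config_text, user, home):
    """Behaviour from the report: the whole value is treated as one path."""
    for line in config_text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "authorizedkeysfile":
            return expand(value.strip(), user, home)
    return None


def authorized_keys_patterns(config_text):
    """Patterns from the first AuthorizedKeysFile line, one per whitespace field."""
    for line in config_text.splitlines():
        # shlex.split sets whitespace_split = True; comments=True drops '#' text.
        fields = shlex.split(line, comments=True)
        if fields and fields[0].lower() == "authorizedkeysfile":
            return fields[1:]  # assumption: like sshd, keep the first value read
    return list(DEFAULT_PATTERNS)


def authorized_keys_files(config_text, user="ubuntu", home="/home/ubuntu"):
    return [expand(p, user, home) for p in authorized_keys_patterns(config_text)]
```

A provisioning tool that gets this wrong leaves the real authorized_keys files untouched, so checking that every returned path exists with the expected owner and mode after first boot catches the failure early.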
