SSH keys not updated correctly when sshd_config "AuthorizedKeysFile" contains multiple values

Bug #1404060 reported by Alex Gottschalk
This bug affects 9 people
Affects: cloud-init
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

I have overridden the AuthorizedKeysFile stanza in my site's sshd_config, as follows:

AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys/%u

This allows two locations for authorized keys, which is useful for us because reasons.

It looks like cloud-init is incorrectly parsing this line to determine where to drop user keys, as I'm ending up with the following file:

"/home/ubuntu/.ssh/authorized_keys /etc/ssh/authorized_keys/ubuntu" (note that the space is part of the directory name under .ssh)

I think cloud-init should probably treat whitespace as a field separator here, and append keys to all AuthorizedKeysFile entries listed.


summary: - authorized_keys not updated when sshd_config "AuthorizedKeysFile"
+ SSH keys not updated correctly when sshd_config "AuthorizedKeysFile"
contains multiple values
Alex Gottschalk (alex-gottschalk) wrote :

While a very crude workaround, this is good enough for my purposes.

Alex Gottschalk (alex-gottschalk) wrote :

Improved patch using shlex.split for proper handling of shell-style quoting/escaping of whitespace.

Ted Wexler (twexler) wrote :

This bug partially affects me. I've got 2 of those stanzas in /etc/sshd_config, and it always chooses the last one.

Edmund Rhudy (erhudy) wrote :

Adding a vote to this bug, because running into this was pretty annoying.

karena (trawler) wrote :

Yes, would very much like to see this bug fixed. I've also added a bug report (1600223) but closed it as a duplicate after finding this report. Would very much like to see this bug fixed.

Scott Moser (smoser)
Changed in cloud-init:
status: New → Confirmed
importance: Undecided → Medium
status: Confirmed → Triaged
milestone: none → 0.7.7
Scott Moser (smoser)
Changed in cloud-init:
milestone: 0.7.7 → 0.7.8
Scott Moser (smoser)
Changed in cloud-init:
milestone: 0.7.8 → 0.7.9
Scott Moser (smoser)
Changed in cloud-init:
milestone: 0.7.9 → none
milestone: none → 0.7.10
Robert C Jennings (rcj) wrote :

Handling of ‘AuthorizedKeysFile’ in sshd_config by cloud-init is not documented

The reporter would like to specify multiple key files to add keys to, which is legal for sshd.

This is an option to sshd_config which cloud-init is parsing but not handling properly.
Developers of cloud-init should determine the desired behavior, implement it, add tests, and document it.

Robert C Jennings (rcj) wrote :

The second patch should be fine (it uses shlex to split on whitespace the same as sshd would). The shlex docs do state that unicode support doesn't show up until python2.7[1]. Additionally, we would want whitespace_split = True for shlex.

[1] https://docs.python.org/2/library/shlex.html
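
Added example, not part of the original thread and not cloud-init's code: one way to resolve an AuthorizedKeysFile value into per-user paths, splitting on whitespace with shlex as the comments above suggest. It assumes sshd keeps the first occurrence of a keyword, expands only the %%, %h and %u tokens, and ignores Match blocks; all function names are hypothetical.

```python
import posixpath
import re
import shlex

# sshd's documented default when the keyword is absent.
DEFAULT_VALUE = ".ssh/authorized_keys .ssh/authorized_keys2"

# Constructed sample built from the configuration line quoted in the report.
SAMPLE = """# constructed sshd_config fragment
Port 22
AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys/%u
"""


def authorized_keys_value(sshd_config_text):
    """Return the raw AuthorizedKeysFile value, or the default if unset."""
    for line in sshd_config_text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        if keyword == "match":
            break  # assumption: per-Match overrides are out of scope here
        if keyword == "authorizedkeysfile" and len(parts) == 2:
            return parts[1]  # assumption: first occurrence wins, as in sshd
    return DEFAULT_VALUE


def expand(entry, user, home):
    """Expand %%, %h and %u, then anchor relative paths at the home dir."""
    tokens = {"%%": "%", "%h": home, "%u": user}
    path = re.sub(r"%[%hu]", lambda m: tokens[m.group(0)], entry)
    return path if posixpath.isabs(path) else posixpath.join(home, path)


def authorized_keys_paths(sshd_config_text, user, home):
    """Return every key file for the user, one path per listed entry."""
    # shlex.split() sets whitespace_split=True and honours shell-style quoting,
    # so a quoted entry containing spaces stays a single path.
    entries = shlex.split(authorized_keys_value(sshd_config_text))
    return [expand(e, user, home) for e in entries if e != "none"]


if __name__ == "__main__":
    for p in authorized_keys_paths(SAMPLE, "ubuntu", "/home/ubuntu"):
        print(p)
```

Calling `expand()` on the whole unsplit value reproduces the single path with an embedded space described in the report, which makes it usable as a check for stray files left behind by affected versions.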

Rene Schumann (rene-schumann) wrote :

Bug still exists in package 19.3-41-gc4735dd3-0ubuntu1~18.04.1.
Line "AuthorizedKeysFile .ssh/authorized_keys2 .ssh/authorized_keys" in /etc/ssh/sshd_config leads to:

/root/.ssh/authorized_keys2 .ssh/
/root/.ssh/authorized_keys2 .ssh/authorized_keys
/home/ubuntu/.ssh/authorized_keys2 .ssh/
/home/ubuntu/.ssh/authorized_keys2 .ssh/authorized_keys

2020-01-11 09:10:14,682 - util.py[DEBUG]: Read 3541 bytes from /etc/ssh/sshd_config
2020-01-11 09:10:14,683 - util.py[DEBUG]: Writing to /home/ubuntu/.ssh/authorized_keys2 .ssh/authorized_keys - wb: [600] 389 bytes
2020-01-11 09:10:14,683 - util.py[DEBUG]: Changing the ownership of /home/ubuntu/.ssh/authorized_keys2 .ssh/authorized_keys to 1000:1000
2020-01-11 09:10:14,683 - util.py[DEBUG]: Reading from /etc/ssh/sshd_config (quiet=False)
2020-01-11 09:10:14,683 - util.py[DEBUG]: Read 3541 bytes from /etc/ssh/sshd_config
2020-01-11 09:10:14,683 - util.py[DEBUG]: Writing to /root/.ssh/authorized_keys2 .ssh/authorized_keys - wb: [600] 544 bytes
2020-01-11 09:10:14,684 - util.py[DEBUG]: Changing the ownership of /root/.ssh/authorized_keys2 .ssh/authorized_keys to 0:0
2020-01-11 09:10:14,684 - handlers.py[DEBUG]: finish: init-network/config-ssh: SUCCESS: config-ssh ran successfully

James Falcon (falcojr) wrote :
Changed in cloud-init:
status: Triaged → Expired