AuthorizedKeysFile in match block will prevent default user login

Bug #1508543 reported by Antoine Jacoutot
This bug affects 1 person
Affects: cloud-init
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi.

Consider the following sshd_config which is pretty standard with only an added "Match" block.

---------8<------------------------------------
<...>
Port 22
AuthorizedKeysFile %h/.ssh/authorized_keys
<...>
Match group foobar
    AuthorizedKeysFile /etc/ssh/authorizedkeys/%u
---------8<------------------------------------

When starting an instance pre-configured with the above sshd_config (in my case AWS EC2), cloud-init will parse /etc/ssh/sshd_config to know where it should put the public key of the default "ubuntu" user. The problem is that cloud-init is not an sshd_config parser and, looking at the code, it just does line-by-line parsing.

In this case, it will pick up the AuthorizedKeysFile value that is in the Match block because it's the last one in the file and will end up putting the default user key under /etc/ssh/authorizedkeys/ubuntu, preventing login into the instance because from the sshd point of view, the correct key location for that user (which is *not* part of the "foobar" group) is $HOMEDIR/.ssh/authorized_keys.

The obvious workaround is to append the default AuthorizedKeysFile at the end of the file but it would have been nice to know it beforehand ;-)
I understand that line-by-line parsing is the easy way, but in the case of ssh it is very error-prone and can lead to unexpected behaviour...

Thanks.

Scott Moser (smoser)
Changed in cloud-init:
status: New → Confirmed
importance: Undecided → Low