Wrong access permissions of authorized keys directory when using root-owned location
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cloud-init |
Expired
|
Medium
|
Unassigned |
Bug Description
When using a central, root-owned directory to store ssh keys, cloud-init changes the permissions of the key directory which renders the keys unusable.
I'm using a similar approach as described here:
https:/
MOVING SSH KEYS TO A ROOT-OWNED LOCATION
but I'm using the config
AuthorizedK
In the original image, the permissions of the keys directory /etc/ssh/keys are 0755 - owned by root:root. It contains all the keys of the users. All keys have 0644 permissions and are also owned by root:root. (The background: Users are not allowed to change their ssh keys.)
After the machine boots and cloud-init finishes, the permissions of the key directory /etc/ssh/keys is 0700 and it is impossible to use key-authentication, because sshd cannot access the key files.
IMHO the reason for this is, that cloud-init changes the permission of the keys directory
https:/
which is wrong in this use case.
Thanks for filing a bug.
It's not clear to me why sshd can't read /etc/ssh/keys with mode 0700 but it can read /home/%u/.ssh which is 0700.
One possibility would be for cloud-init to skip setting mode on the directory if it already exists; you mentioned that the original image already contained this directory.