After Cloud-Init is completed, an error is reported when the sshd service is restarted.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-init | Fix Released | High | Unassigned |
Bug Description
I tested this issue on multiple versions and found that cloud-init 21.4 is ok, while cloud-init 22.2 and 23.1 are not ok.
The following error information is displayed for the sshd service:
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/
Mar 11 17:17:53 openEuler sshd[2232]: sshd: no hostkeys available -- exiting.
At the same time, I found that the key file permission generated by the sshd service is 0o400, but the file permission generated by cloud-init cc_ssh is 0o644 (public key) and 0o640 (private key). Should cloud-init be consistent with sshd?
[root@openEuler ~]# cd /etc/ssh/
[root@openEuler ssh]# ll ssh_host_*
-r--------. 1 root ssh_keys 480 Mar 11 15:57 ssh_host_ecdsa_key
-r--------. 1 root root 162 Mar 11 15:57 ssh_host_
-r--------. 1 root ssh_keys 387 Mar 11 15:57 ssh_host_
-r--------. 1 root root 82 Mar 11 15:57 ssh_host_
-r--------. 1 root ssh_keys 2578 Mar 11 15:57 ssh_host_rsa_key
-r--------. 1 root root 554 Mar 11 15:57 ssh_host_
After Cloud-Init is completed:
[root@openEuler ssh]# ll ssh_host_*
-rw-r-----. 1 root ssh_keys 1381 Mar 11 17:17 ssh_host_dsa_key
-rw-r--r--. 1 root root 604 Mar 11 17:17 ssh_host_
-rw-r-----. 1 root ssh_keys 505 Mar 11 17:17 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 176 Mar 11 17:17 ssh_host_
-rw-r-----. 1 root ssh_keys 411 Mar 11 17:17 ssh_host_
-rw-r--r--. 1 root root 96 Mar 11 17:17 ssh_host_
-rw-r-----. 1 root ssh_keys 2602 Mar 11 17:17 ssh_host_rsa_key
-rw-r--r--. 1 root root 568 Mar 11 17:17 ssh_host_
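The listing above shows why sshd bails out: after cloud-init runs, every private host key is group-readable (0640), and upstream OpenSSH refuses to load a private key it owns whose mode has any group or other bit set (`mode & 0o077 != 0`, the check in `sshkey_perm_ok()` in authfile.c); the group being a dedicated one such as ssh_keys does not exempt the file, because the check looks only at the mode bits. When every host key is rejected the daemon logs "no hostkeys available -- exiting". The script below is an added example, not cloud-init or OpenSSH code: it reproduces that check over a directory of host keys, tells you whether sshd would start, and chmods the offending private keys to 0600 (a mode sshd accepts and that leaves the key usable by root; the report's 0400 is equally accepted). The key files are constructed placeholders in a temporary directory with the modes the listing shows; the function names are the example's own.

```python
"""Mirror sshd's private-key permission check over a directory of host keys.

Added example for this report; not cloud-init or OpenSSH code. The accept
rule is taken from upstream OpenSSH authfile.c (sshkey_perm_ok): a key owned
by the calling uid is rejected if any group/other permission bit is set.
"""
import os
import stat
import tempfile
from pathlib import Path

PRIVATE_KEY_GLOB = "ssh_host_*_key"  # private keys only; ".pub" files do not match
TOO_OPEN_MASK = 0o077                # any group/other bit trips sshd's check


def private_key_perm_ok(path: Path) -> bool:
    """True if sshd would load this private key; False if it prints
    'UNPROTECTED PRIVATE KEY FILE!' and ignores it."""
    st = path.stat()
    # sshd only checks the mode when it owns the file; a key owned by a
    # different uid is not subjected to this particular check.
    if st.st_uid != os.getuid():
        return True
    return (stat.S_IMODE(st.st_mode) & TOO_OPEN_MASK) == 0


def audit_host_keys(ssh_dir: Path) -> dict:
    """Map each private host key name to True (accepted) or False (ignored)."""
    return {p.name: private_key_perm_ok(p)
            for p in sorted(ssh_dir.glob(PRIVATE_KEY_GLOB))}


def sshd_would_start(ssh_dir: Path) -> bool:
    """sshd exits with 'no hostkeys available' only if every key is ignored."""
    return any(audit_host_keys(ssh_dir).values())


def fix_private_key_perms(ssh_dir: Path, mode: int = 0o600) -> list:
    """chmod each rejected private host key to `mode`; return the names fixed.
    Public keys (.pub) are left alone: 0644 on them is expected."""
    fixed = []
    for p in sorted(ssh_dir.glob(PRIVATE_KEY_GLOB)):
        if not private_key_perm_ok(p):
            p.chmod(mode)
            fixed.append(p.name)
    return fixed


def make_sample_ssh_dir(private_mode: int) -> Path:
    """Constructed sample: placeholder key files in a temp dir, public keys
    0644 and private keys at `private_mode` (0o640 = after cloud-init 22.2/23.1
    in the report, 0o400 = as generated by the sshd service)."""
    d = Path(tempfile.mkdtemp(prefix="ssh-perm-demo-"))
    for algo in ("rsa", "ecdsa"):
        priv = d / f"ssh_host_{algo}_key"
        pub = d / f"ssh_host_{algo}_key.pub"
        priv.write_text("constructed placeholder, not a real key\n")
        pub.write_text("constructed placeholder, not a real key\n")
        priv.chmod(private_mode)
        pub.chmod(0o644)
    return d


if __name__ == "__main__":
    ssh_dir = make_sample_ssh_dir(0o640)
    for name, ok in audit_host_keys(ssh_dir).items():
        print(f"{name}: {'ok' if ok else 'IGNORED (unprotected private key file)'}")
    print("sshd would start:", sshd_would_start(ssh_dir))
    print("fixed:", fix_private_key_perms(ssh_dir))
    print("sshd would start after fix:", sshd_would_start(ssh_dir))
```

Run it against a real host with `audit_host_keys(Path("/etc/ssh"))` as root to see which keys sshd will ignore before restarting the service; the chmod helper is deliberately limited to private keys so it never touches the public halves that cloud-init writes as 0644.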
description: updated
Changed in cloud-init: status: Incomplete → Triaged; importance: Undecided → High
Changed in cloud-init: status: Triaged → Fix Committed
This should be fixed in https://github.com/canonical/cloud-init/pull/1971. It is available in the 23.1.1 upstream release as well as the Ubuntu Lunar development release, and in the -proposed pocket of the remaining Ubuntu series and should hit -updates within the next week or so.
I'm going to set this Incomplete for now, but please let me know if this fixes your problem.