Activity log for bug #2011291

Date Who What changed Old value New value Message
2023-03-11 09:32:50 shixuantong bug added bug
2023-03-11 09:34:25 shixuantong description

Old value:

I tested this issue on multiple versions and found that cloud-init 21.4 is OK, while cloud-init 22.2 and 23.1 are not OK.

The following error information is displayed for the sshd service:

Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_rsa_key
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
Mar 11 17:17:53 openEuler sshd[2232]: sshd: no hostkeys available -- exiting.

At the same time, I found that the key file permission generated by the sshd service is 0o400, but the file permission generated by cloud-init cc_ssh is 0o644 (public key) and 0o640 (private key). Should cloud-init be consistent with sshd?

[root@openEuler ~]# cd /etc/ssh/
[root@openEuler ssh]# ll ssh_host_*
total 564
-r--------. 1 root ssh_keys 480 Mar 11 15:57 ssh_host_ecdsa_key
-r--------. 1 root root 162 Mar 11 15:57 ssh_host_ecdsa_key.pub
-r--------. 1 root ssh_keys 387 Mar 11 15:57 ssh_host_ed25519_key
-r--------. 1 root root 82 Mar 11 15:57 ssh_host_ed25519_key.pub
-r--------. 1 root ssh_keys 2578 Mar 11 15:57 ssh_host_rsa_key
-r--------. 1 root root 554 Mar 11 15:57 ssh_host_rsa_key.pub

After Cloud-Init is completed:

[root@openEuler ssh]# ll ssh_host_*
-rw-r-----. 1 root ssh_keys 1381 Mar 11 17:17 ssh_host_dsa_key
-rw-r--r--. 1 root root 604 Mar 11 17:17 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys 505 Mar 11 17:17 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 176 Mar 11 17:17 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 411 Mar 11 17:17 ssh_host_ed25519_key
-rw-r--r--. 1 root root 96 Mar 11 17:17 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 2602 Mar 11 17:17 ssh_host_rsa_key
-rw-r--r--. 1 root root 568 Mar 11 17:17 ssh_host_rsa_key.pub

New value:

I tested this issue on multiple versions and found that cloud-init 21.4 is OK, while cloud-init 22.2 and 23.1 are not OK.

The following error information is displayed for the sshd service:

Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_rsa_key
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
Mar 11 17:17:53 openEuler sshd[2232]: sshd: no hostkeys available -- exiting.

At the same time, I found that the key file permission generated by the sshd service is 0o400, but the file permission generated by cloud-init cc_ssh is 0o644 (public key) and 0o640 (private key). Should cloud-init be consistent with sshd?

[root@openEuler ~]# cd /etc/ssh/
[root@openEuler ssh]# ll ssh_host_*
-r--------. 1 root ssh_keys 480 Mar 11 15:57 ssh_host_ecdsa_key
-r--------. 1 root root 162 Mar 11 15:57 ssh_host_ecdsa_key.pub
-r--------. 1 root ssh_keys 387 Mar 11 15:57 ssh_host_ed25519_key
-r--------. 1 root root 82 Mar 11 15:57 ssh_host_ed25519_key.pub
-r--------. 1 root ssh_keys 2578 Mar 11 15:57 ssh_host_rsa_key
-r--------. 1 root root 554 Mar 11 15:57 ssh_host_rsa_key.pub

After Cloud-Init is completed:

[root@openEuler ssh]# ll ssh_host_*
-rw-r-----. 1 root ssh_keys 1381 Mar 11 17:17 ssh_host_dsa_key
-rw-r--r--. 1 root root 604 Mar 11 17:17 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys 505 Mar 11 17:17 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 176 Mar 11 17:17 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 411 Mar 11 17:17 ssh_host_ed25519_key
-rw-r--r--. 1 root root 96 Mar 11 17:17 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 2602 Mar 11 17:17 ssh_host_rsa_key
-rw-r--r--. 1 root root 568 Mar 11 17:17 ssh_host_rsa_key.pub

2023-03-13 13:27:50 James Falcon cloud-init: status New Incomplete
2023-03-14 15:25:30 James Falcon cloud-init: status Incomplete Triaged
2023-03-14 15:25:33 James Falcon cloud-init: importance Undecided High
2023-04-02 17:30:42 James Falcon cloud-init: status Triaged Fix Committed
2023-05-12 22:02:49 James Falcon bug watch added https://github.com/canonical/cloud-init/issues/4088
2023-05-25 00:05:38 Chad Smith cloud-init: status Fix Committed Fix Released