Joyent provider uploads user's private ssh key by default

Bug #1415671 reported by Tim Penhey
Affects: juju-core
Status: Fix Released
Importance: High
Assigned to: Nate Finch

Bug Description

By default, the joyent provider uploads the user's private ssh key. We shouldn't do this.

We should default to registering a new ssh key and have one for the sole purpose of dealing with joyent.

Ian Booth (wallyworld)
Changed in juju-core:
assignee: Ian Booth (wallyworld) → nobody
Changed in juju-core:
assignee: nobody → Nate Finch (natefinch)
milestone: none → 1.23
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1316

Ian Booth (wallyworld)
Changed in juju-core:
milestone: 1.23 → 1.23-beta1
importance: High → Critical
Nate Finch (natefinch) wrote :

We can't really register a new key with joyent (we'd have to authenticate with joyent in order to upload our generated key... it's kind of a chicken and egg problem).

I think the best answer is just to do what we do with the rest of the providers - you need to have the auth in the config file, and we return an error if it's not there.

Ian Booth (wallyworld)
Changed in juju-core:
status: Triaged → In Progress
Ian Booth (wallyworld)
Changed in juju-core:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
Changed in juju-core:
importance: Critical → High
Curtis Hovey (sinzui)
Changed in juju-core:
status: Fix Committed → Fix Released