System should periodically refresh ssh keys that were obtained from SSO/store for local users

Bug #1646559 reported by Samuele Pedroni on 2016-12-01
This bug affects 13 people
Affects: snapd
Importance: Medium
Assigned to: Unassigned

Bug Description

atm the ssh keys obtained when a system is set up the first time are never updated automatically. If they become invalid before a user can change them, even if new ones have been updated on SSO, the user will be blocked out.

Seth Arnold (seth-arnold) wrote :

I'm curious what would cause an ssh key to become invalid?

Thanks

Kyle Fazzari (kyrofa) wrote :

@Seth, there have been a few people that reported having DSA keys in SSO instead of RSA, but DSA isn't supported. So after the keys are fetched, users realize they can't log in with them, so they upload RSA keys but Ubuntu Core never checks for an update.

Also, there's the possibility that the user's HD crashed and they lost their keys. This gives them a way back into the device if necessary.

Josh (joshmorel) wrote :

Also if I want to add a 2nd key via the SSO account it's not clear how to do it. It doesn't happen automatically and I can't find any documentation on how to "sync" my Ubuntu Core with SSO to get the 2nd key. The only way to do this is manually via my original machine which doesn't seem right - see also this Q: http://askubuntu.com/questions/865334/cant-login-to-ubuntu-core-16-using-a-second-ssh-key

Robert May (robotmay) wrote :

This is a pretty important issue if using Ubuntu Core in a business setting, which is what I'm currently experimenting with. Being able to add/remove individual developer access to the devices is pretty handy security-wise. I can probably get around it for now, but it'd definitely be a nice feature to have.

Kyle Fazzari (kyrofa) on 2017-02-08
affects: snappy → snapd
Changed in snapd:
status: New → Confirmed

RoxD (roxd) wrote :

I was following instructions here: https://developer.ubuntu.com/core/get-started/kvm
but I screwed up the first time (came back later and password wasn't working - maybe I forgot it, maybe it didn't work)
so I generated a new key and uploaded it here: https://login.ubuntu.com/ssh-keys

yet the issue persisted and no password would work

additionally I tried to log in to ubuntu core w/o ssh and the default ubuntu:ubuntu was not working either

if there are any workarounds please let me know. I'm going to focus on getting into ubuntu core without ssh.

Lucas Magasweran (lucasrangit) wrote :

@roxd, My workaround was to mount the writable partition on a different Linux machine. There I was able to manually append the missing SSH public key(s) to /writable/user-data/username/.ssh/authorized_keys.

This worked on a WDLabs Nextcloud Box running Ubuntu Core 16 and Nextcloud 11.
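
The workaround above (appending missing public keys to authorized_keys on the mounted writable partition), as an added shell example that is not part of the original comment and is not snapd code. The function name and the input file of exported public keys are assumptions; it skips `ssh-dss` (DSA) keys, which the thread reports as unsupported, and does not re-add a key that is already present.

```shell
#!/bin/sh
# Added example (not snapd code): merge public keys into authorized_keys.
# Usage: merge_authorized_keys NEW_KEYS_FILE AUTHORIZED_KEYS_FILE
# Prints: added=N skipped_dsa=N already_present=N
merge_authorized_keys() {
    new_keys=$1
    auth_file=$2
    added=0; dsa=0; present=0

    # Create the target with modes that sshd's StrictModes check accepts.
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # A final line without a newline would be glued to the first appended key.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi

    while read -r ktype blob comment || [ -n "$ktype" ]; do
        case $ktype in
            '' | '#'*) continue ;;                  # blank line or comment
            ssh-dss) dsa=$((dsa + 1)); continue ;;  # DSA: unsupported per the thread
        esac
        [ -n "$blob" ] || continue                  # no key material on this line

        # Match on type + blob anywhere in an existing line, so a key with a
        # different comment or with leading options still counts as present.
        if awk -v t="$ktype" -v b="$blob" \
            '{ for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
             END { exit !found }' "$auth_file"; then
            present=$((present + 1))
        else
            printf '%s %s%s\n' "$ktype" "$blob" "${comment:+ $comment}" >> "$auth_file"
            added=$((added + 1))
        fi
    done < "$new_keys"

    echo "added=$added skipped_dsa=$dsa already_present=$present"
}

# Run as a script (path as given in the comment above; "username" is a placeholder):
#   sh merge_keys.sh sso_keys.pub /writable/user-data/username/.ssh/authorized_keys
if [ "$#" -eq 2 ]; then
    merge_authorized_keys "$1" "$2"
fi
```

Running it a second time with the same input adds nothing, so it can be repeated after each key change in SSO.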

Michael Vogt (mvo) on 2018-01-02
Changed in snapd:
importance: Undecided → Medium
status: Confirmed → Triaged

Nicholas Tyler Tindle (ntindle) wrote :

Is the intended behavior to auto update the keys using SSO?

summary: - should periodically refresh ssh keys that were obtained from SSO/store
- for local users
+ System should periodically refresh ssh keys that were obtained from
+ SSO/store for local users
Lucas Magasweran (lucasrangit) wrote :

@ntindle, yes.
