spaces in comment break cloud-init disabling of root ssh

Bug #1220273 reported by Scott Moser
Affects              Status        Importance  Assigned to  Milestone
cloud-init (Ubuntu)  Fix Released  Medium      Unassigned
  Precise            Won't Fix     Medium      Unassigned
  Quantal            Won't Fix     Medium      Unassigned
  Raring             Fix Released  Medium      Unassigned
  Saucy              Fix Released  Medium      Unassigned

Bug Description

Under bug 833499 we changed cloud-init to disable keypairs inserted by nova into /root/.ssh/authorized_keys.
It seems that that disabling is broken if the comment portion of an ssh authorized key entry has a space in it. This is fixed in 13.04 and 13.10, but present in 12.04 and 12.10.

Normally, the comment portion of a keyname.pub entry would not have spaces in it, but those generated by the horizon UI and by 'nova keypair-add' do.

Reproducing the bug is easy enough:

 $ ssh-keygen -N '' -C 'My Comment Has Spaces' -f /tmp/testkey -t rsa
 $ cat /tmp/testkey.pub
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nX6k7RdiFnK4OJOFNQuPIx/eLehnvO9DwrT7Hw9qTKxBPUChHZKkikATaD3DqNgGFgcQd1BxcY2NDwaop3tKLS36d1PGVfAyXjIhA1hnc1fkMP4dxn9u066CC/RQv2esNUTA+ItW2+9RbQNFRxMCxNRTyXlyWDzIToFjekXz3S9outDwQWcRV+4X0IbP0iSl1pD+7dxhHveaEVHA/QWOkY1yiOz+5Xqn75+LomqplF9tkQP5zvjnoKyGnDh9anaYxMQXOkpPpRaS4R2FuX6+uXo1o+MFze/Z1xqTVBOEqbutt4HmHS5rTa0lZNiTDt+JtKzo4RcAL4v+0RutIp+t My Comment Has Spaces

 $ nova keypair-show mytestkey | grep Public
 Public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nX6k7RdiFnK4OJOFNQuPIx/eLehnvO9DwrT7Hw9qTKxBPUChHZKkikATaD3DqNgGFgcQd1BxcY2NDwaop3tKLS36d1PGVfAyXjIhA1hnc1fkMP4dxn9u066CC/RQv2esNUTA+ItW2+9RbQNFRxMCxNRTyXlyWDzIToFjekXz3S9outDwQWcRV+4X0IbP0iSl1pD+7dxhHveaEVHA/QWOkY1yiOz+5Xqn75+LomqplF9tkQP5zvjnoKyGnDh9anaYxMQXOkpPpRaS4R2FuX6+uXo1o+MFze/Z1xqTVBOEqbutt4HmHS5rTa0lZNiTDt+JtKzo4RcAL4v+0RutIp+t My Comment Has Spaces

$ IMAGE_ID=033cc5c7-c485-4dac-b5cd-d7e33901be63 inst-20130903-141703
$ nova boot --key-name=mytestkey --flavor=m1.tiny --image=$IMAGE_ID mytest-instance

...
$ ssh -i /tmp/mytestkey root@$IP

I've verified that the following are broken:
 ubuntu-released/ubuntu-precise-12.04-amd64-server-20130827-disk1.img
 ubuntu-daily/ubuntu-quantal-daily-amd64-server-20130828.3-disk1.img

But that cloud-init inside of these images is resilient:
 ubuntu-daily/ubuntu-raring-daily-amd64-server-20130827-disk1.img
 ubuntu-daily/ubuntu-saucy-daily-amd64-server-20130830-disk1.img

Related bugs:
 * bug 833499: virt/disk.py unconditionally inserts public_keys into /root/.ssh/authorized_keys

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: cloud-init 0.6.3-0ubuntu1.6
ProcVersionSignature: Ubuntu 3.2.0-52.78-virtual 3.2.48
Uname: Linux 3.2.0-52-virtual x86_64
ApportVersion: 2.0.1-0ubuntu17.4
Architecture: amd64
Date: Tue Sep 3 14:25:35 2013
Ec2AMI: ami-0000049a
Ec2AMIManifest: FIXME
Ec2AvailabilityZone: nova
Ec2InstanceType: m1.tiny
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
MarkForUpload: True
PackageArchitecture: all
ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)
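The failure the report describes, beside a parser that tolerates it, as an added example that is not cloud-init's code: an authorized_keys entry is `[options] keytype base64 [comment]`, so the safe way to locate the key is to find the key-type token rather than assume exactly three whitespace-separated fields. KEY_TYPES, DISABLE_OPTS, SAMPLE and all function names are assumptions; the redirect message is modelled on cloud-init's wording, not copied from its source, and disable_root_keys_naive is a simplified stand-in for the broken behaviour, not the 0.6.3 code.

```python
# Key-type tokens recognised here (constructed list, not exhaustive).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Options that make the key only print a redirect message (assumed wording).
DISABLE_OPTS = ('command="echo Please login as the user \\"ubuntu\\" rather than the user '
                '\\"root\\".",no-port-forwarding,no-agent-forwarding,no-X11-forwarding')
# Constructed sample authorized_keys content; the key material is a dummy.
SAMPLE = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+constructed/dummy== My Comment Has Spaces\n"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI+constructed/dummy= ubuntu@host\n")

def _split_outside_quotes(line):
    """Split on whitespace, except inside a double-quoted option value."""
    tokens, cur, in_quote = [], "", False
    for ch in line:
        if ch == '"' and not cur.endswith("\\"):
            in_quote = not in_quote
        if ch.isspace() and not in_quote:
            tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return [t for t in tokens + [cur] if t]

def parse_authorized_key(line):
    """Return (options, keytype, base64, comment), or None for blank/'#' lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split_outside_quotes(line)
    for i, tok in enumerate(tokens):  # the first key-type token ends the options
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("not an authorized_keys entry: %r" % line)

def disable_root_keys(text):
    """Rewrite every key so root logins only print the redirect, whatever the comment."""
    out = []
    for line in text.splitlines():
        entry = parse_authorized_key(line)
        if entry is None:
            out.append(line)
        else:  # existing options (entry[0]) are replaced
            out.append(" ".join(f for f in (DISABLE_OPTS,) + entry[1:] if f))
    return "\n".join(out) + "\n"

def disable_root_keys_naive(text):
    """Stand-in for the reported failure: assumes 'type base64 comment' exactly."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in KEY_TYPES:
            parts.insert(0, DISABLE_OPTS)
        out.append(" ".join(parts))  # a spaced comment means 4+ parts: left untouched
    return "\n".join(out) + "\n"
```

Running disable_root_keys over a live /root/.ssh/authorized_keys and diffing against the original shows which entries a three-field parser would have skipped.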

Scott Moser (smoser) wrote :
information type: Public → Private Security
Changed in cloud-init (Ubuntu Raring):
status: New → Fix Released
Changed in cloud-init (Ubuntu Quantal):
status: New → Triaged
Changed in cloud-init (Ubuntu Precise):
status: New → Triaged
Changed in cloud-init (Ubuntu Raring):
importance: Undecided → Medium
Changed in cloud-init (Ubuntu Quantal):
importance: Undecided → Medium
Changed in cloud-init (Ubuntu Precise):
importance: Undecided → Medium
Scott Moser (smoser) wrote :

Just a comment, if we did change this, we potentially break users of 12.04 who had spaces in their comments and then ssh'd in as root.

Scott Moser (smoser) wrote :

I've marked this non-private as it isn't a huge security risk, and since I didn't initially mark it as such, it is publicly googlable. I.e.:
http://<email address hidden>/msg99560.html

See comment 2; there is reason not to fix this issue in 12.04, as it is a behavioral change.

information type: Private Security → Public
Rolf Leggewie (r0lf) wrote :

Quantal has seen the end of its life and is no longer receiving any updates. Marking the Quantal task for this ticket as "Won't Fix".

Changed in cloud-init (Ubuntu Quantal):
status: Triaged → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in cloud-init (Ubuntu Precise):
status: Triaged → Won't Fix