commit 16a3ae7ceed3f07746b95dcca6f30f5d1ef5bb4f (HEAD -> bug/1641574-authorizedkeysfile-none, smoser/bug/1641574-authorizedkeysfile-none) Author: Scott Moser Date: Mon Nov 21 10:28:55 2016 -0500 ssh: do not write file named 'none' when AuthorizedKeysFile=none. If AuthorizedKeysFile == "none", then there should not be a file written. Note, this is only partial support as realisitically to do this, the user would need to support AuthorizedKeysCommandUser and AuthorizedKeysCommand LP: #1641574
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index b95b956..036cb00 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
@@ -222,11 +222,14 @@ def extract_authorized_keys(username):
 auth_key_fn = ssh_cfg.get("authorizedkeysfile", '').strip()
 if not auth_key_fn:
 auth_key_fn = "%h/.ssh/authorized_keys"
- auth_key_fn = auth_key_fn.replace("%h", pw_ent.pw_dir)
- auth_key_fn = auth_key_fn.replace("%u", username)
- auth_key_fn = auth_key_fn.replace("%%", '%')
- if not auth_key_fn.startswith('/'):
- auth_key_fn = os.path.join(pw_ent.pw_dir, auth_key_fn)
+ if auth_key_fn.lower() == "none":
+ return None, None
+ else:
+ auth_key_fn = auth_key_fn.replace("%h", pw_ent.pw_dir)
+ auth_key_fn = auth_key_fn.replace("%u", username)
+ auth_key_fn = auth_key_fn.replace("%%", '%')
+ if not auth_key_fn.startswith('/'):
+ auth_key_fn = os.path.join(pw_ent.pw_dir, auth_key_fn)
 except (IOError, OSError):
 # Give up and use a default key filename
 auth_key_fn = os.path.join(ssh_dir, 'authorized_keys')
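Review bot: The new `return None, None` in the `none` branch changes the contract of extract_authorized_keys — a caller that indexes the returned tuple or hands the path to os.path now gets None — and nothing in the hunk documents it; the function's docstring (outside the hunk) should state that `(None, None)` is returned when sshd's `AuthorizedKeysFile` is `none`, and any caller other than setup_user_keys needs the same guard the second hunk adds. The `else:` after the return is redundant; dropping it and dedenting the four substitution lines keeps the flat shape of the code that was removed. The comparison is against the whole stripped value, so a multi-file `AuthorizedKeysFile` line (sshd_config allows several whitespace-separated paths) is neither recognised as `none` nor split here and the unchanged expansion below would treat it as a single path — if multi-file values are out of scope, say so with a `# TODO: AuthorizedKeysFile may list several files; only a single path is handled` comment. The enclosing try/with and the start and end of the function lie outside the hunk.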
@@ -251,6 +254,10 @@ def setup_user_keys(keys, username, options=None):
 # Extract the old and make the new
 (auth_key_fn, auth_key_entries) = extract_authorized_keys(username)
+ if auth_key_fn is None:
+ LOG.warn("Parsed 'AuthorizedKeysFile' for user '%s' to be 'none'."
+ " Authorized keys will not be written.")
+ return
 with util.SeLinuxGuard(ssh_dir, recursive=True):
 content = update_authorized_keys(auth_key_entries, key_entries)
 util.ensure_dir(os.path.dirname(auth_key_fn), mode=0o700)
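Review bot: The added `LOG.warn` call carries a `%s` placeholder but passes no argument, so when this branch fires the formatting fails inside the logging machinery and the message never reaches the log as written — and this warning is the only signal an operator gets that the keys passed in were deliberately not installed. Pass the username and use the non-deprecated method: `LOG.warning("Parsed 'AuthorizedKeysFile' for user '%s' to be 'none'." " Authorized keys will not be written.", username)`. Since the early return discards `keys` entirely, a comment above it such as `# sshd is configured not to read authorized_keys files, so there is nowhere to write these keys` would make the intent clear to the next reader. setup_user_keys begins before this hunk.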