cloud-init: Output public ssh host key (for known_hosts)

Bug #893400 reported by Eric Hammond
Affects              Status  Importance  Assigned to   Milestone
cloud-init                   Low         Scott Moser
cloud-init (Ubuntu)          Low         Unassigned

Bug Description

In bug #892554, Kees Cook (kees) makes a great suggestion that cloud-init could output the public ssh host keys to the console output. This could then be read by automated software outside of the instance and added to a known_hosts file using the IP address and/or hostname that the remote system wishes to use to connect to the instance.

As Scott Moser (smoser) points out, the existing ssh host key fingerprints should be left in the output in the current de facto standard format so as to not break any existing software or human processes that check this.

The new output should be added using a different set of public ssh host key delimiters (see proposed format below).

There is no need to require a cloud-init configuration option; this information should always be output. Extra information in the console output should not interfere with any existing programs as long as it is separate from the existing formatted information.

The simplest way to present the information might be to just output the contents of all public host keys. For example:

    cat /etc/ssh/ssh_host_*_key.pub

The client system would query the console output, select one of these ssh host keys, and add it to known_hosts, prepended by the IP address and/or hostnames that it wishes to use to connect to the instance.

Here's an example of what this might look like in the console output:

-----BEGIN PUBLIC SSH HOST KEYS-----
ssh-dss [key data elided from this copy] root@ip-10-32-30-193
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0I3L8UiDoF4LkzpJNHBDM2w9JFE6CbvmAQgW6+czbDOwvrFxQU2rw2HLLUOn+Z2WCE5AJSY7E7pxCrDo1v27hkVgaM6KqWks74vYxIkqfGCyf31y1N8QrmVCsAC74KFp9rhwP0uHmrN8XUIYFik8MoNphf+2aKWieJdZtzQGQ22mNNKDkP1yX3Uvb1QI+8d770dcIqr61AwkUBQgPgPyeii8W7r2+nq1lNQEnYts0N+13+40lEShnrRtsdKY6diEVs2uQId7VWw04lXOzWGi8oSWlunDWyRCQPtfvBFQtJ8AsivyZjmBuN9VJSDHLY1EQhXayygKfi6u6GKFVLZmd root@ip-10-32-30-193
-----END PUBLIC SSH HOST KEYS-----

And here's an example of what the client system might add to known_hosts:

50.16.12.209,ec2-50-16-12-209.compute-1.amazonaws.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193

or with hashing:

|1|q0CnRd/EVpfAXEVMAi7fqx0lFaI=|8BrFOu2+GGRMKDS+1WiVG8xpwt0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: cloud-init 0.6.1-0ubuntu22
ProcVersionSignature: User Name 3.0.0-12.20-virtual 3.0.4
Uname: Linux 3.0.0-12-virtual i686
ApportVersion: 1.23-0ubuntu3
Architecture: i386
Date: Tue Nov 22 00:12:40 2011
Ec2AMI: ami-a7f539ce
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1a
Ec2InstanceType: m1.small
Ec2Kernel: aki-805ea7e9
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)

Scott Moser (smoser) wrote : Re: [Bug 893400] [NEW] cloud-init: Output machine usable public ssh host key (for known_hosts)

> The simplest way to present the information might be to just print out
> the first two fields of all public host keys. For example:
>
> cut -f1-2 -d' ' /etc/ssh/ssh_host_*_key.pub

I've not read anything other than the ssh-keygen manpage, but it says:
 -m key_format
    Specify a key format for the -i (import) or -e (export)
    conversion options. The supported key formats are: “RFC4716”
    (RFC4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public key)
    or “PEM” (PEM public key). The default conversion format is
    “RFC4716”.

I can't see a good reason not to use something that is widely documented
as opposed to inventing our own (even if the invention is very simple).
http://tools.ietf.org/html/rfc4716

Thoughts?

Scott Moser (smoser)
Changed in cloud-init (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in cloud-init:
status: New → Triaged
importance: Undecided → Low
Eric Hammond (esh) wrote : Re: cloud-init: Output machine usable public ssh host key (for known_hosts)

I've amended the original example to use "cat" instead of "cut" as it looks like the specific number of fields in the key may vary for some older formats (rsa1) and it removes the objection that I invented anything. I had been hoping to exclude the comment field, but agree it's not worth the effort/risk.

The man page for sshd(8) documents the format for /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts in the "SSH_KNOWN_HOSTS FILE FORMAT" section. It includes the paragraphs:

    Bits, exponent, and modulus are taken directly from the RSA host key;
    they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The
    optional comment field continues to the end of the line, and is not used.

and:

    [generate lines in known_hosts] by a script, ssh-keyscan(1) or by taking
    /etc/ssh/ssh_host_key.pub and adding the host names at the front.

I suppose you could copy the information out of these files using ssh-keygen, but it converts the key to a different format.

I lean towards copying the public key file directly because:

 - It's easier to find and manipulate single lines in the console output, instead of the multi-line output of ssh-keygen.

 - The public key file contains exactly the format that we will drop into known_hosts, instead of having to convert the output of ssh-keygen back into something usable. (I'm not even sure what tool you use to do that, though on experimentation it looks like it's a process of cutting out headers, reassembling lines and adding the appropriate keytype string.)
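A client-side consumer of the proposed console block, added here as an example and not part of the bug report or of cloud-init: it pulls the keys out of the delimited block, checks each line against the SSH wire format (the base64 blob must open with a length-prefixed string equal to the key type, so a mislabelled or truncated line is rejected rather than trusted), and emits plain or hashed known_hosts entries in the form shown in the report. The delimiter strings and the ecdsa key are the ones quoted above; the surrounding console text and the host names are constructed.

```python
import base64, hashlib, hmac, os, re, struct

BEGIN = "-----BEGIN PUBLIC SSH HOST KEYS-----"
END = "-----END PUBLIC SSH HOST KEYS-----"
KEY_LINE = re.compile(r"^(\S+) ([A-Za-z0-9+/=]+)(?: (.*))?$")  # keytype, base64 blob, optional comment

def extract_host_keys(console_text):
    """Return [(keytype, b64blob, comment)] from the delimited block; ValueError if absent or malformed."""
    lines = console_text.splitlines()
    try:
        start = lines.index(BEGIN) + 1
        stop = lines.index(END, start)
    except ValueError:
        raise ValueError("no delimited host key block in console output")
    keys = []
    for line in lines[start:stop]:
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError("malformed key line: %r" % line)
        keytype, blob, comment = m.groups()
        raw = base64.b64decode(blob, validate=True)
        # SSH wire format: the blob opens with a length-prefixed string that must equal the key type.
        if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != keytype.encode():
            raise ValueError("key type does not match key blob: %r" % line)
        keys.append((keytype, blob, comment or ""))
    return keys

def hash_host(hostname, salt=None):
    """OpenSSH HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    salt = os.urandom(20) if salt is None else salt
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def hashed_host_matches(hashed, hostname):
    """Recompute the HMAC with the entry's salt, as ssh does when matching a hashed known_hosts entry."""
    _, one, salt_b64, hash_b64 = hashed.split("|")
    digest = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return one == "1" and hmac.compare_digest(digest, base64.b64decode(hash_b64))

def known_hosts_lines(console_text, hosts, hashed=False):
    """One known_hosts line per key (plain: hosts comma-joined) or per key and host (hashed)."""
    out = []
    for keytype, blob, comment in extract_host_keys(console_text):
        names = [hash_host(h) for h in hosts] if hashed else [",".join(hosts)]
        out.extend(("%s %s %s %s" % (n, keytype, blob, comment)).rstrip() for n in names)
    return out

# Constructed sample console output; the ecdsa key line is the one quoted in the bug report.
SAMPLE_KEY = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193"
SAMPLE_CONSOLE = "\n".join(["ci-info: (other cloud-init console lines)", BEGIN, SAMPLE_KEY, END, ""])
```

The console text itself is only as trustworthy as the channel it was fetched over (the cloud API), which is the trust anchor this scheme rests on.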

Eric Hammond (esh)
description: updated
summary: - cloud-init: Output machine usable public ssh host key (for known_hosts)
+ cloud-init: Output public ssh host key (for known_hosts)
Scott Moser (smoser)
Changed in cloud-init:
assignee: nobody → Scott Moser (smoser)
status: Triaged → In Progress
Scott Moser (smoser)
Changed in cloud-init:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.6.3~bzr497-0ubuntu1

---------------
cloud-init (0.6.3~bzr497-0ubuntu1) precise; urgency=low

  * New upstream snapshot.
    - cloud-config support for configuring apt-proxy
    - selection of local mirror based on presence of 'ubuntu-mirror' dns
      entry in local domain. (LP: #897688)
    - DataSourceEc2: more resilient to slow metadata service (LP: #894279)
    - close stdin in all programs launched by cloud-init (LP: #903993)
    - revert management of /etc/hosts to 0.6.1 style (LP: #890501, LP: #871966)
    - write full ssh keys to console for easy machine consumption (LP: #893400)
    - put INSTANCE_ID environment variable in bootcmd scripts
    - add 'cloud-init-per' script for easily running things with a given freq
      (this replaced cloud-init-run-module)
    - support configuration of landscape-client via cloud-config (LP: #857366)
    - part-handlers now get base64 decoded content rather than 2xbase64 encoded
      in the payload parameter. (LP: #874342)
 -- Scott Moser <email address hidden> Thu, 22 Dec 2011 04:07:38 -0500

Changed in cloud-init (Ubuntu):
status: Triaged → Fix Released
Scott Moser (smoser)
Changed in cloud-init:
status: Fix Committed → Fix Released