
cloud-init: Output public ssh host key (for known_hosts) #2224

Closed
ubuntu-server-builder opened this issue May 9, 2023 · 5 comments
Labels
launchpad Migrated from Launchpad

Comments


This bug was originally filed in Launchpad as LP: #893400

Launchpad details
affected_projects = ['cloud-init (Ubuntu)']
assignee = smoser
assignee_name = Scott Moser
date_closed = 2012-04-11T04:10:51.233469+00:00
date_created = 2011-11-22T00:39:55.943973+00:00
date_fix_committed = 2011-12-20T05:16:06.762255+00:00
date_fix_released = 2012-04-11T04:10:51.233469+00:00
id = 893400
importance = low
is_complete = True
lp_url = https://bugs.launchpad.net/cloud-init/+bug/893400
milestone = None
owner = smoser
owner_name = Scott Moser
private = False
status = fix_released
submitter = esh
submitter_name = Eric Hammond
tags = ['apport-bug', 'ec2-images', 'i386', 'oneiric']
duplicates = []

Launchpad user Eric Hammond(esh) wrote on 2011-11-22T00:39:55.943973+00:00

In bug #892554, Kees Cook (kees) makes a great suggestion that cloud-init could output the public ssh host keys to the console output. This could then be read by automated software outside of the instance and added to a known_hosts file using the IP address and/or hostname that the remote system wishes to use to connect to the instance.

As Scott Moser (smoser) points out, the existing ssh host key fingerprints should be left in the output in the current de facto standard format so as to not break any existing software or human processes that check this.

The new output should be added using a different set of public ssh host key delimiters (see proposed format below).

There is no need to require a cloud-init configuration option; this information should always be output. Extra information in the console output should not interfere with any existing programs as long as it is separate from the existing formatted information.

The simplest way to present the information might be to just output the contents of all public host keys. For example:

    cat /etc/ssh/ssh_host_*_key.pub

The client system would query the console output, select one of these ssh host keys, and add it to known_hosts, prepended by the IP address and/or hostnames that it wishes to use to connect to the instance.

Here's an example of what this might look like in the console output:

-----BEGIN PUBLIC SSH HOST KEYS-----
ssh-dss [key data elided] root@ip-10-32-30-193
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0I3L8UiDoF4LkzpJNHBDM2w9JFE6CbvmAQgW6+czbDOwvrFxQU2rw2HLLUOn+Z2WCE5AJSY7E7pxCrDo1v27hkVgaM6KqWks74vYxIkqfGCyf31y1N8QrmVCsAC74KFp9rhwP0uHmrN8XUIYFik8MoNphf+2aKWieJdZtzQGQ22mNNKDkP1yX3Uvb1QI+8d770dcIqr61AwkUBQgPgPyeii8W7r2+nq1lNQEnYts0N+13+40lEShnrRtsdKY6diEVs2uQId7VWw04lXOzWGi8oSWlunDWyRCQPtfvBFQtJ8AsivyZjmBuN9VJSDHLY1EQhXayygKfi6u6GKFVLZmd root@ip-10-32-30-193
-----END PUBLIC SSH HOST KEYS-----

And here's an example of what the client system might add to known_hosts:

50.16.12.209,ec2-50-16-12-209.compute-1.amazonaws.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193

or with hashing:

|1|q0CnRd/EVpfAXEVMAi7fqx0lFaI=|8BrFOu2+GGRMKDS+1WiVG8xpwt0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: cloud-init 0.6.1-0ubuntu22
ProcVersionSignature: User Name 3.0.0-12.20-virtual 3.0.4
Uname: Linux 3.0.0-12-virtual i686
ApportVersion: 1.23-0ubuntu3
Architecture: i386
Date: Tue Nov 22 00:12:40 2011
Ec2AMI: ami-a7f539ce
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1a
Ec2InstanceType: m1.small
Ec2Kernel: aki-805ea7e9
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)
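As an added example (not cloud-init's or the reporter's code) of the client side this report describes, and of the field handling discussed in the comments below: it pulls the delimited block out of captured console output, keeps only the key type and key blob (the comment field is dropped, as sshd(8) says it is unused), and builds plain and HashKnownHosts-style known_hosts lines. The sample console text and the key blobs in it are constructed for the example; the `|1|salt|hmac` hashed format is OpenSSH's.

```python
import base64
import hashlib
import hmac
import os

BEGIN = "-----BEGIN PUBLIC SSH HOST KEYS-----"
END = "-----END PUBLIC SSH HOST KEYS-----"

# Constructed console output: fingerprint noise outside the block, two dummy keys inside.
SAMPLE_CONSOLE = """\
ec2: 256 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 root@ip-10-32-30-193 (ECDSA)
-----BEGIN PUBLIC SSH HOST KEYS-----
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTZEVU1NWQ== root@ip-10-32-30-193
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQRFVU1NWQ== root@ip-10-32-30-193
-----END PUBLIC SSH HOST KEYS-----
cloud-init boot finished
"""


def extract_host_keys(console_output):
    """Return (keytype, base64 blob) pairs between BEGIN and END; the comment field is dropped."""
    keys, inside = [], False
    for line in console_output.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif inside and len(line.split()) >= 2:
            keytype, blob = line.split()[:2]
            keys.append((keytype, blob))
    return keys


def known_hosts_line(hosts, keytype, blob):
    """Plain entry: comma-separated IPs/hostnames the client will use, then the key."""
    return "%s %s %s" % (",".join(hosts), keytype, blob)


def hashed_known_hosts_line(host, keytype, blob, salt=None):
    """HashKnownHosts entry |1|b64(salt)|b64(HMAC-SHA1(salt, host)); one host per line."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    hostfield = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return "%s %s %s" % (hostfield, keytype, blob)


def hashed_hostfield_matches(hostfield, host):
    """Check a hashed host field against a candidate name, as ssh does when connecting."""
    _, version, salt_b64, mac_b64 = hostfield.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return version == "1" and hmac.compare_digest(mac, base64.b64decode(mac_b64))
```

Because a hashed entry commits to exactly one name, a client that wants both the IP and the DNS name must emit one hashed line per name, whereas the plain form takes a comma-separated list.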


Launchpad user Eric Hammond(esh) wrote on 2011-11-22T00:39:55.943973+00:00

Launchpad attachments: Dependencies.txt


Launchpad user Scott Moser(smoser) wrote on 2011-11-22T01:42:56+00:00

The simplest way to present the information might be to just print out
the first two fields of all public host keys. For example:

    cut -f1-2 -d' ' /etc/ssh/ssh_host_*_key.pub

I've not read anything other than the ssh-keygen manpage, but it says:
-m key_format
Specify a key format for the -i (import) or -e (export)
conversion options. The supported key formats are: “RFC4716”
(RFC4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public key)
or “PEM” (PEM public key). The default conversion format is
“RFC4716”.

I can't see a good reason not to use something that is widely documented
as opposed to inventing our own (even if the invention is very simple).
http://tools.ietf.org/html/rfc4716

Thoughts?


Launchpad user Eric Hammond(esh) wrote on 2011-11-22T03:03:42.470234+00:00

I've amended the original example to use "cat" instead of "cut" as it looks like the specific number of fields in the key may vary for some older formats (rsa1) and it removes the objection that I invented anything. I had been hoping to exclude the comment field, but agree it's not worth the effort/risk.

The man page for sshd(8) documents the format for /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts in the "SSH_KNOWN_HOSTS FILE FORMAT" section. It includes the paragraphs:

Bits, exponent, and modulus are taken directly from the RSA host key;
they can be obtained, for example, from /etc/ssh/ssh_host_key.pub.  The
optional comment field continues to the end of the line, and is not used.

and:

[generate lines in known_hosts] by a script, ssh-keyscan(1) or by taking
/etc/ssh/ssh_host_key.pub and adding the host names at the front.

I suppose you could copy the information out of these files using ssh-keygen, but it converts the key to a different format.

I lean towards copying the public key file directly because:

  • It's easier to find and manipulate single lines in the console output, instead of the multi-line output of ssh-keygen.

  • The public key file contains exactly the format that we will drop into known_hosts, instead of having to convert the output of ssh-keygen back into something usable. (I'm not even sure what tool you use to do that, though on experimentation it looks like it's a process of cutting out headers, reassembling lines and adding the appropriate keytype string.)


Launchpad user Scott Moser(smoser) wrote on 2011-12-20T05:16:06.194633+00:00

fix-committed in cloud-init trunk at http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/493 .


Launchpad user Launchpad Janitor(janitor) wrote on 2011-12-22T09:10:13.291010+00:00

This bug was fixed in the package cloud-init - 0.6.3~bzr497-0ubuntu1


cloud-init (0.6.3~bzr497-0ubuntu1) precise; urgency=low

  • New upstream snapshot.
    • cloud-config support for configuring apt-proxy
    • selection of local mirror based on presence of 'ubuntu-mirror' dns
      entry in local domain. (LP: #897688)
    • DataSourceEc2: more resilient to slow metadata service (LP: #894279)
    • close stdin in all programs launched by cloud-init (LP: #903993)
    • revert management of /etc/hosts to 0.6.1 style (LP: #890501, LP: #871966)
    • write full ssh keys to console for easy machine consumption (LP: #893400)
    • put INSTANCE_ID environment variable in bootcmd scripts
    • add 'cloud-init-per' script for easily running things with a given freq
      (this replaced cloud-init-run-module)
    • support configuration of landscape-client via cloud-config (LP: #857366)
    • part-handlers now get base64 decoded content rather than 2xbase64 encoded
      in the payload parameter. (LP: #874342)
      -- Scott Moser smoser@ubuntu.com Thu, 22 Dec 2011 04:07:38 -0500
