cloud-init fails to disable ecdsa-sha2-nitp521 keys

[ubuntu-server-builder]

This bug was originally filed in Launchpad as LP: #1658174

Launchpad details

affected_projects = []
assignee = None
assignee_name = None
date_closed = 2017-09-23T02:14:55.844072+00:00
date_created = 2017-01-20T19:39:50.347585+00:00
date_fix_committed = 2017-01-24T17:01:50.214167+00:00
date_fix_released = 2017-09-23T02:14:55.844072+00:00
id = 1658174
importance = medium
is_complete = True
lp_url = https://bugs.launchpad.net/cloud-init/+bug/1658174
milestone = None
owner = larsks
owner_name = Lars Kellogg-Stedman
private = False
status = fix_released
submitter = larsks
submitter_name = Lars Kellogg-Stedman
tags = []
duplicates = []

Launchpad user Lars Kellogg-Stedman(larsks) wrote on 2017-01-20T19:39:50.347585+00:00

cloud-init adds ssh_authorized_keys to the default user fedora and to root but for root it disables the keys with a prefix command that echoes the helpful message:

'Please login as the user "fedora" rather than the user "root".'

However, if the key is of type ecdsa-sha2-nistp521, it is not parsed correctly, and the prefix command is not prepended.

This means that ECDSA keys can be used to login to root.

[ubuntu-server-builder]

Launchpad user Scott Moser(smoser) wrote on 2017-09-23T02:14:57.107614+00:00

This bug is believed to be fixed in cloud-init in 17.1. If this is still a problem for you, please make a comment and set the state back to New

Thank you.