
config-ssh module doesn't respect Match conditions in sshd_config #3842

Open
ubuntu-server-builder opened this issue May 12, 2023 · 1 comment
Labels
bug Something isn't working correctly launchpad Migrated from Launchpad

Comments

@ubuntu-server-builder

This bug was originally filed in Launchpad as LP: #1915772

Launchpad details
affected_projects = []
assignee = None
assignee_name = None
date_closed = None
date_created = 2021-02-16T04:32:44.605773+00:00
date_fix_committed = None
date_fix_released = None
id = 1915772
importance = low
is_complete = False
lp_url = https://bugs.launchpad.net/cloud-init/+bug/1915772
milestone = None
owner = manoli-yiannakakis-roche
owner_name = Emmanuel Yiannakakis
private = False
status = triaged
submitter = manoli-yiannakakis-roche
submitter_name = Emmanuel Yiannakakis
tags = []
duplicates = []

Launchpad user Emmanuel Yiannakakis(manoli-yiannakakis-roche) wrote on 2021-02-16T04:32:44.605773+00:00

Summary
Per https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

Match   Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

Say I have a Match setup for a group to use a special location of an AuthorizedKeysFile, basically to move this out of the homedir these restricted users are jailed in.

Match Group my-special-group
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u

Relevant Code:

def setup_user_keys(keys, username, options=None):

and ultimately lies in the implementation at
def parse_ssh_config_map(fname):

The way parse_ssh_config_map parses the file, the last AuthorizedKeysFile entry wins. I suggest just stopping reading the file if you get to a Match stanza (either here or in parse_ssh_config_lines). If you get really fancy, you could see if the username you're looking up is under an explicit Match User ec2-user stanza. But as it is now, it's an all-or-nothing where my AuthorizedKeysFile wins.

Process
Setup an sshd_config utilizing a Match option, like

Match Group my-special-group
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u

and then have cloud-init do its ssh configuration

Current and expected result
Current: the last AuthorizedKeysFile statement wins, regardless of whether it's at the global level or underneath a Match
Expected: cloud-init only respects the globally defined AuthorizedKeysFile, or falls back to the standard homedir location

Screenshot
n/a
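
The difference between the reported last-entry-wins parse and a parse that respects the global section (plus an explicit Match User block) can be seen in this added Python example. It is not cloud-init's code: the sample sshd_config and the function names are constructed for the illustration.

```python
import re

# sshd's built-in default when no AuthorizedKeysFile directive is present.
DEFAULT_AUTHORIZED_KEYS = [".ssh/authorized_keys", ".ssh/authorized_keys2"]

# Constructed sample sshd_config reproducing the report: a global directive
# followed by Match blocks that override it for a group and for one user.
SAMPLE_SSHD_CONFIG = """\
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
Match Group my-special-group
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Match User ec2-user
    AuthorizedKeysFile /etc/ssh/authorized_keys/ec2-user
"""

def iter_directives(text):
    """Yield (keyword, args); keywords are case-insensitive, '=' or space separated."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*[=\s]\s*(.+)$", line)
        if m:
            yield m.group(1).lower(), m.group(2).split()

def last_wins_keys_file(text):
    """The reported behaviour: Match lines are ignored, the last entry wins."""
    found = None
    for key, args in iter_directives(text):
        if key == "authorizedkeysfile":
            found = args
    return found or list(DEFAULT_AUTHORIZED_KEYS)

def authorized_keys_files(text, username=None):
    """Honour the global section plus an explicit 'Match User <name>' block
    for `username`; blocks with other criteria (Group, Address, ...) cannot be
    evaluated offline, so they are skipped rather than guessed."""
    global_value = match_value = None
    in_match = applies = False
    for key, args in iter_directives(text):
        if key == "match":
            in_match = True
            applies = (username is not None and len(args) == 2
                       and args[0].lower() == "user"
                       and username in args[1].split(","))
        elif key == "authorizedkeysfile":
            if not in_match and global_value is None:
                global_value = args      # sshd keeps the first global value
            elif in_match and applies and match_value is None:
                match_value = args       # first satisfied Match block wins
    return match_value or global_value or list(DEFAULT_AUTHORIZED_KEYS)
```

With the sample config, the last-wins parse hands every user the ec2-user path, while the Match-aware parse returns the global list unless the user is explicitly ec2-user.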

@ubuntu-server-builder

Launchpad user Paride Legovini(paride) wrote on 2021-03-05T10:20:04.645582+00:00

Hello Emmanuel and thanks for your bug report. You are right: the current implementation doesn't allow for the more fine-grained setup you outlined using Match stanzas. I'm marking this report as Triaged as I think the issue is well understood; feel free to change the status back to New if you think that further discussion is needed. Thanks!
