Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cc_ssh: parse_ssh_config_map does not take into account user-specific Match section overrides #3889

Open
ubuntu-server-builder opened this issue May 12, 2023 · 0 comments
Open

cc_ssh: parse_ssh_config_map does not take into account user-specific Match section overrides #3889

ubuntu-server-builder opened this issue May 12, 2023 · 0 comments
Labels
bug Something isn't working correctly launchpad Migrated from Launchpad

Comments

@ubuntu-server-builder
Copy link
Collaborator

This bug was originally filed in Launchpad as LP: #1935857

Launchpad details 
affected_projects = []
assignee = None
assignee_name = None
date_closed = None
date_created = 2021-07-12T17:55:13.369080+00:00
date_fix_committed = None
date_fix_released = None
id = 1935857
importance = low
is_complete = False
lp_url = https://bugs.launchpad.net/cloud-init/+bug/1935857
milestone = None
owner = chad.smith
owner_name = Chad Smith
private = False
status = triaged
submitter = chad.smith
submitter_name = Chad Smith
tags = []
duplicates = []

Launchpad user Chad Smith(chad.smith) wrote on 2021-07-12T17:55:13.369080+00:00

cloud-init 21.2

User-specific Match sections can be provided in /etc/ssh/sshd_config to override global ssh config default settings such as AuthorizedKeysFile.

cloud-init's parsing of sshd_config in ssh_util[1] is simplistic and treats each line in the sshd_config file as simple key/value pairs. Any Match sections defined below a global AuthorizedKeysFile setting will be overridden to the line containing an AuthorizedKeysFile definition, even if that definition should only be scoped to a specific user Match.

Here is an example adding a specific Match section which should only apply non-default AuthorizedKeysFile to the "custom" user, and how cloud-init incorrectly represents that content.

$ cat sshd_bad_parse.yaml <<EOF
#cloud-config
write_files:

  • path: /etc/ssh/sshd_config
    content: |
    AuthorizedKeysFile: .ssh/authorized_keys

    Inject custom user-specific match which should only affect custom user

    Match User custom
    AuthorizedKeysFile .ssh/unique_ubuntu_keyfile
    append: true
    users:
  • default
  • name: custom
    sudo: false
    ssh_authorized_keys:
    • "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSL7uWGj8cgWyIOaspgKdVy0cKJ+UTjfv7jBOjG2H/GN8bJVXy72XAvnhM0dUM+CCs8FOf0YlPX+Frvz2hKInrmRhZVwRSL129PasD12MlI3l44u6IwS1o/W86Q+tkQYEljtqDOo0a+cOsaZkvUNzUyEXUwz/lmYa6G4hMKZH4NBj7nbAAF96wsMCoyNwbWryBnDYUr6wMbjRR1J9Pw7Xh7WRC73wy4Va2YuOgbD3V/5ZrFPLbWZW/7TFXVrql04QVbyei4aiFR5n//GvoqwQDNe58LmbzX/xvxyKJYdny2zXmdAhMxbrpFQsfpkJ9E/H5w0yOdSvnWbUoG5xNGoOB csmith@fringe # ssh-import-id lp:chad.smith"
      EOF
      $ lxc launch ubuntu-daily:bionic ssh-b -c user.user-data="$(cat sshd_bad_parse.yaml)"

$ lxc exec ssh-b -- python3 -c 'from cloudinit.ssh_util import parse_ssh_config_map; print(parse_ssh_config_map("/etc/ssh/sshd_config")["authorizedkeysfile"])'
.ssh/unique_ubuntu_keyfile

Expected global authorizedkeysfile config to be .ssh/authorized_keys

References:
[1] simple sshd_config key value parsing https://github.com/canonical/cloud-init/blob/main/cloudinit/ssh_util.py#L332-L339
@ubuntu-server-builder ubuntu-server-builder added bug Something isn't working correctly launchpad Migrated from Launchpad labels May 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working correctly launchpad Migrated from Launchpad
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ubuntu-server-builder