This bug was originally filed in Launchpad as LP: #1935857
Launchpad details
Launchpad user Chad Smith(chad.smith) wrote on 2021-07-12T17:55:13.369080+00:00
cloud-init 21.2
User-specific Match sections can be provided in /etc/ssh/sshd_config to override global ssh config default settings such as AuthorizedKeysFile.
cloud-init's parsing of sshd_config in ssh_util[1] is simplistic and treats each line in the sshd_config file as simple key/value pairs. Any Match sections defined below a global AuthorizedKeysFile setting will be overridden to the line containing an AuthorizedKeysFile definition, even if that definition should only be scoped to a specific user Match.
Here is an example adding a specific Match section which should only apply non-default AuthorizedKeysFile to the "custom" user, and how cloud-init incorrectly represents that content.
```
$ cat > sshd_bad_parse.yaml <<EOF
#cloud-config
write_files:
- path: /etc/ssh/sshd_config
  content: |
    AuthorizedKeysFile .ssh/authorized_keys
    # Inject custom user-specific match which should only affect custom user
    Match User custom
      AuthorizedKeysFile .ssh/unique_ubuntu_keyfile
  append: true
users:
- name: custom
  sudo: false
  ssh_authorized_keys:
  - ssh-ed25519 PLACEHOLDER_PUBLIC_KEY  # placeholder: substitute a real public key
EOF
$ lxc launch ubuntu-daily:bionic ssh-b -c user.user-data="$(cat sshd_bad_parse.yaml)"
$ lxc exec ssh-b -- python3 -c 'from cloudinit.ssh_util import parse_ssh_config_map; print(parse_ssh_config_map("/etc/ssh/sshd_config")["authorizedkeysfile"])'
.ssh/unique_ubuntu_keyfile
```
Expected global authorizedkeysfile config to be .ssh/authorized_keys
References:
[1] simple sshd_config key value parsing https://github.com/canonical/cloud-init/blob/main/cloudinit/ssh_util.py#L332-L339
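
The scoping problem described in this report, as an added example that is not part of the original report and is not cloud-init's code: a flat last-value-wins parse next to a parse that keeps `Match` blocks separate from the global section. The function names and the sample config are assumptions constructed for illustration.

```python
import re

# Constructed sample mirroring the configuration in the report.
SAMPLE_SSHD_CONFIG = """\
# global section
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys

Match User custom
    AuthorizedKeysFile .ssh/unique_ubuntu_keyfile
"""

# sshd_config separates keyword and arguments by whitespace or a single "=".
_DIRECTIVE = re.compile(r"([^\s=]+)(?:\s*=\s*|\s+)(.*)")


def _directives(text):
    """Yield (lowercased keyword, argument) pairs, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2).strip()


def naive_parse(text):
    """Flat key/value view: later lines overwrite earlier ones, Match ignored."""
    return dict(_directives(text))


def scoped_parse(text):
    """Return (global_options, [(match_criteria, options), ...]).

    A Match block runs until the next Match line or end of file. Within a
    scope the first value seen for a keyword is kept, as sshd does.
    Keywords that may legitimately repeat (e.g. Port) are not handled here.
    """
    global_opts, matches, current = {}, [], None
    for key, value in _directives(text):
        if key == "match":
            current = {}
            matches.append((value, current))
        else:
            target = global_opts if current is None else current
            target.setdefault(key, value)
    return global_opts, matches
```
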