'reset password' cannot switch to the other authentication mode because of 50-cloud-init.conf #4335
Comments
ani-sinha
added
bug
|
Looks like VMAccess supports this config for Ubuntu, but I expect other distro support is required? @norakoiralamsft |
|
Looks like this is an el9 based system. @ani-sinha can you confirm the distributions/releases affected ? It looks like the linked fix was Ubuntu only and the azure-linux-extensions has awareness of centos, redhat and fedora. This doesn't really look like a cloud-init issue per-se, but an integration issue on Azure cloud with additional features. |
|
Yes this is a CentOS/ Rhel guest vm on azure.
…On Tue, 15 Aug, 2023, 10:09 am Chad Smith, ***@***.***> wrote:
Looks like this is an el9 based system. @ani-sinha
<https://github.com/ani-sinha> can you confirm the distributions/releases
affected ? It looks like the linked fix was Ubuntu only and the
azure-linux-extensions has awareness of centos, redhat and fedora. This
doesn't really look like a cloud-init issue per-se, but an integration
issue on Azure cloud with additional features.
—
Reply to this email directly, view it on GitHub
<#4335 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAW7FP24CSPRCYWPMEU2AITXVL4QLANCNFSM6AAAAAA3MQNKNQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Could we extend the solution for CentOS and RHEL?
…On Tue, 15 Aug, 2023, 10:17 am Ani Sinha, ***@***.***> wrote:
Yes this is a CentOS/ Rhel guest vm on azure.
On Tue, 15 Aug, 2023, 10:09 am Chad Smith, ***@***.***>
wrote:
> Looks like this is an el9 based system. @ani-sinha
> <https://github.com/ani-sinha> can you confirm the
> distributions/releases affected ? It looks like the linked fix was Ubuntu
> only and the azure-linux-extensions has awareness of centos, redhat and
> fedora. This doesn't really look like a cloud-init issue per-se, but an
> integration issue on Azure cloud with additional features.
>
> —
> Reply to this email directly, view it on GitHub
> <#4335 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAW7FP24CSPRCYWPMEU2AITXVL4QLANCNFSM6AAAAAA3MQNKNQ>
> .
> You are receiving this because you were mentioned.Message ID:
> ***@***.***>
>
|
Yes @blackboxsw this is a centos/RHEL system. |
Azure 'reset password' feature overrides the /etc/ssh/sshd_config file and sets the PasswordAuthentication to 'yes'. Unfortunately, cloud-init versions 22.3 and newer sets 'PasswordAuthentication' to 'no' in the /etc/ssh/sshd_config.d/50-cloud-init.conf which overrides the setting in /etc/ssh/sshd_config file. VMAccess handles this for Ubuntu by setting PasswordAuthentication to 'yes' additionally in /etc/ssh/sshd_config.d/50-cloud-init.conf file. This change extends the same method to include CentOS and RHEL systems. Fixes: canonical/cloud-init#4335 Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
I sent a PR: Azure/azure-linux-extensions#1774 |
Azure 'reset password' feature overrides the /etc/ssh/sshd_config file and sets the PasswordAuthentication to 'yes'. Unfortunately, cloud-init versions 22.3 and newer sets 'PasswordAuthentication' to 'no' in the /etc/ssh/sshd_config.d/50-cloud-init.conf which overrides the setting in /etc/ssh/sshd_config file. VMAccess handles this for Ubuntu by setting PasswordAuthentication to 'yes' additionally in /etc/ssh/sshd_config.d/50-cloud-init.conf file. This change extends the same method to include all OSes. Fixes: canonical/cloud-init#4335 Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
Since this issue represents a bug in a separate project that affects cloud-init behavior, I will close this issue to be tracked in azure-linux-extensions. |
Azure 'reset password' feature overrides the /etc/ssh/sshd_config file and sets the PasswordAuthentication to 'yes'. Unfortunately, cloud-init versions 22.3 and newer sets 'PasswordAuthentication' to 'no' in the /etc/ssh/sshd_config.d/50-cloud-init.conf which overrides the setting in /etc/ssh/sshd_config file. VMAccess handles this for Ubuntu by setting PasswordAuthentication to 'yes' additionally in /etc/ssh/sshd_config.d/50-cloud-init.conf file. This change extends the same method to include all OSes. Fixes: canonical/cloud-init#4335 Signed-off-by: Ani Sinha <anisinha@redhat.com>
Description of problem:
The Azure VM 'reset password' feature overrides the /etc/ssh/sshd_config file, which changes the PasswordAuthentication. From cloud-init v22.3, it writes 'PasswordAuthentication' in the /etc/ssh/sshd_config.d/50-cloud-init.conf, so that override 'sshd_config' file cannot reset the 'PasswordAuthentication' item.
For example, we use 'ssh key' method to create the Azure VM and cloud-init write 'PasswordAuthentication no' in 50-cloud-init.conf. Then we use 'reset password' to create a new user 'azuredebug' with "password" authentication. Then we still cannot use password authentication to ssh into the VM because the 'PasswordAuthentication no' in 50-cloud-init.conf has higher priority than it in 'sshd_config'.
Version-Release number of selected components (if applicable):
cloud-init-23.1.1-8.el9.noarchMicrosoft.OSTCExtensions.VMAccessForLinux-1.5.15(This extension is used for resetting password)How reproducible:
100%
Steps to Reproduce:
1 Create a VM on Azure that is provisioned by cloud-init, use 'ssh key' authentication method
2 Click on 'reset password' item in the Azure portal VM page, select 'Reset password' mode and create a new account 'azuredebug' and set password. Click on the 'Update' button on the top.
3. Wait for it to finish. Then try to ssh login the VM with 'azuredebug' user and password.
Actual results:
Cannot login with password.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Expected results:
Can login with password
Additional info:
The "Microsoft.OSTCExtensions.VMAccessForLinux-1.5.15" is an Azure extension: https://github.com/Azure/azure-linux-extensions/blob/master/VMAccess/README.md
The text was updated successfully, but these errors were encountered: