Change default authorizedkeys file #586
The following commit merged all ssh keys into a default user file "~/.ssh/authorized_keys" in sshd_config had multiple files configured for AuthorizedKeysFile:

commit f1094b1
Author: Eduardo Otubo <otubo@redhat.com>
Date: Thu Dec 5 17:37:35 2019 +0100

Multiple file fix for AuthorizedKeysFile config (canonical#60)

This commit ignored the case when sshd_config would have a single file for AuthorizedKeysFile, but a non default configuration, for example "~/.ssh/authorized_keys_foobar". In this case cloud-init would grab all keys from this file and write a new one, the default "~/.ssh/authorized_keys" causing the bug.

rhbz: #1862967
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
The commit that adapts the test cases also fixes the second test case
@@ -593,7 +593,7 @@ def test_multiple_authorizedkeys_file_order1(self, m_getpwnam): | |||
fpw.pw_name, sshd_config) | |||
content = ssh_util.update_authorized_keys(auth_key_entries, []) | |||
|
|||
self.assertEqual("%s/.ssh/authorized_keys" % fpw.pw_dir, auth_key_fn) | |||
self.assertEqual(authorized_keys, auth_key_fn) | |||
self.assertTrue(VALID_CONTENT['rsa'] in content) | |||
self.assertTrue(VALID_CONTENT['dsa'] in content) |
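Review bot: the changed assertion in test_multiple_authorizedkeys_file_order1 checks that auth_key_fn equals the `authorized_keys` variable, but nothing in this hunk asserts the negative case, namely that the default "%s/.ssh/authorized_keys" % fpw.pw_dir path is not what gets selected or written when a different file is configured. Since the PR description says the bug is keys landing in the default file, consider adding an explicit assertNotEqual against the default path and a dedicated test for a single non-default AuthorizedKeysFile entry. As a style point, the two `assertTrue(VALID_CONTENT[...] in content)` checks would produce more useful failure output as `assertIn(VALID_CONTENT['rsa'], content)`.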
unrelatedly, it's probably high time to retire DSA
This LGTM, and I've tested it locally. Thanks!
If a non-default AuthorizedKeysFile is specified in /etc/ssh/sshd_config, ensure we can still ssh as expected
…cal#586) Revert PR canonical#586 related to where cloud-init writes authorized keys. Avoid storing all the ssh keys for all users into the default ssh config AuthorizedKeysFiles. LP: #1839061
…ical#586)" (canonical#775) This reverts commit b0e7381.
Proposed Commit Message
The following commit merged all ssh keys into a default user file ~/.ssh/authorized_keys in sshd_config had multiple files configured for AuthorizedKeysFile:

commit f1094b1
Author: Eduardo Otubo <otubo@redhat.com>
Date: Thu Dec 5 17:37:35 2019 +0100

This commit ignored the case when sshd_config would have a single file for AuthorizedKeysFile, but a non default configuration, for example ~/.ssh/authorized_keys_foobar. In this case cloud-init would grab all keys from this file and write a new one, the default ~/.ssh/authorized_keys causing the bug.

rhbz: #1862967
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
Additional Context
None
Test Steps
/etc/ssh/sshd_config to remove default .ssh/authorized_keys and change to another file e.g.:

Actual results:
Cannot login: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
The public key is written into .ssh/authorized_keys but not .ssh/authorized_keys2

Expected results:
Can login successfully. The public key is written into .ssh/authorized_keys2
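The resolution problem described above, sketched as an added example (not cloud-init's code and not part of this PR): it reads AuthorizedKeysFile from sshd_config text, expands the patterns for one user, and picks a write target that sshd will actually read. The function names, the sample configurations, the restriction to the global section with only the %h, %u and %% tokens, and the policy of never writing to a file shared by all accounts are assumptions of this example.

```python
import os
import re

# sshd's built-in value when the directive is absent (sshd_config(5)).
DEFAULT = ".ssh/authorized_keys .ssh/authorized_keys2"
DIRECTIVE = re.compile(r"^\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$")
TOKEN = re.compile(r"%[%hu]")


def configured_patterns(config_text):
    """AuthorizedKeysFile patterns from the global section, in order."""
    for line in config_text.splitlines():
        m = DIRECTIVE.match(line)      # comment and blank lines do not match
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":         # assumption: Match blocks are ignored
            break
        if keyword == "authorizedkeysfile":
            return value.split()       # sshd uses the first value it obtains
    return DEFAULT.split()


def resolve(pattern, user, home):
    """Return (path, per_user) for one pattern."""
    subs = {"%%": "%", "%h": home, "%u": user}
    path = TOKEN.sub(lambda m: subs[m.group(0)], pattern)
    # Relative paths are taken relative to the user's home directory.
    relative = not os.path.isabs(path)
    per_user = relative or bool({"%h", "%u"} & set(TOKEN.findall(pattern)))
    return (os.path.join(home, path) if relative else path), per_user


def write_target(config_text, user, home):
    """First configured file that is specific to this user.

    Policy of this example: a file shared by every account (absolute path
    with no %h/%u) is never written to; fall back to the default instead.
    """
    for pattern in configured_patterns(config_text):
        if pattern.lower() == "none":
            continue
        path, per_user = resolve(pattern, user, home)
        if per_user:
            return path
    return os.path.join(home, ".ssh", "authorized_keys")


# Constructed sample configurations.
NON_DEFAULT = "# AuthorizedKeysFile .ssh/authorized_keys\nAuthorizedKeysFile .ssh/authorized_keys2\n"
SHARED = "AuthorizedKeysFile /etc/ssh/authorized_keys %h/.ssh/authorized_keys_foobar\n"
```

With `NON_DEFAULT` the target is the configured `.ssh/authorized_keys2` under the user's home; with `SHARED` the system-wide file is skipped and the per-user entry is chosen.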