update-ssh-keys does not recognize options #2229

Closed
mikiT opened this Issue Nov 7, 2017 · 3 comments

mikiT commented Nov 7, 2017

Issue Report

Bug

Container Linux Version

core@bad ~ $ cat /etc/os-release
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1576.1.0
VERSION_ID=1576.1.0
BUILD_ID=2017-10-26-0503
PRETTY_NAME="Container Linux by CoreOS 1576.1.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

core@bad ~ $ ls -al /bin/update-ssh-keys 
-rwxr-xr-x. 1 root root 1211024 Oct 26 12:43 /bin/update-ssh-keys
...
BUG_REPORT_URL="https://issues.coreos.com"

Environment

common x86 server

Expected Behavior

core@good ~ $ cat /etc/os-release 
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1520.1.0
VERSION_ID=1520.1.0
BUILD_ID=2017-09-05-2146
PRETTY_NAME="Container Linux by CoreOS 1520.1.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

core@good ~ $ ls -al /usr/bin/update-ssh-keys 
-rwxr-xr-x. 1 root root 4972 Aug 30 08:43 /usr/bin/update-ssh-keys
core@good ~ $ ls -al .ssh/authorized_keys.d/coreos-cloudinit
-rw-------. 1 core core 426 Nov  7 20:02 .ssh/authorized_keys.d/coreos-cloudinit
core@good ~ $ cat .ssh/authorized_keys.d/coreos-cloudinit 
from="192.168.1.0/24" ssh-rsa AAA...Qkn mikit@hoge

core@good ~ $ update-ssh-keys 
Updated /home/core/.ssh/authorized_keys

Actual Behavior

core@bad ~ $ ls -al .ssh/authorized_keys.d/coreos-cloudinit 
-rw-r--r--. 1 core core 426 Nov  7 19:59 .ssh/authorized_keys.d/coreos-cloudinit
core@bad ~ $ cat .ssh/authorized_keys.d/coreos-cloudinit 
from="192.168.1.0/24" ssh-rsa AAA...Qkn mikit@hoge

core@bad ~ $ update-ssh-keys 
Error: failed to open authorized keys directory for user 'core'
Caused by: failed to parse public key
Caused by: invalid key format
Caused by: Invalid byte 45, offset 3.

Reproduction Steps

We updated coreos from 1520.1.0 to 1576.1.0 last week.
After that, hoge now outputs an error.
We use /bin/coreos-cloudinit for configuration management.

This is an extract from our cloud-config.yml.

(snip)
users:
  - name: core
    groups:
      - sudo
      - docker
    ssh_authorized_keys:
      - from="192.168.1.0/24" ssh-rsa AAA...Qkn mikit@hoge
(snip)

Under this condition, we executed /bin/coreos-cloudinit and then saw the error.

core@bad ~ $ sudo /bin/coreos-cloudinit -from-file=cloud-config.yml
(snip)
2017/11/07 20:38:42 Authorizing 32 SSH keys for user 'core'
2017/11/07 20:38:42 Failed to apply cloud-config: Call to update-ssh-keys failed with exit status 1:  Error: failed to open authorized keys directory for user 'core'
Caused by: failed to parse public key
Caused by: invalid key format
Caused by: Invalid byte 45, offset 3.

Other Information

ref. sshd(8):
authorized_keys file format

Feature Request

Environment

Desired Feature

Other Information

Member

lucab commented Nov 7, 2017

Thanks for the report! It looks like the underlying parsing library is at fault here as it doesn't understand the first optional field. For reference, format spec from manpage.

/cc @sdemos

sdemos added a commit to sdemos/update-ssh-keys that referenced this issue Nov 7, 2017

cargo: update dependencies
in particular, this updates the openssh-keys library to the newest
version, which correctly parses authorized_keys options.

fixes coreos/bugs#2229
Member

sdemos commented Nov 8, 2017

Yup, looks like the underlying ssh key parsing library didn't handle authorized_keys options at all. I added that support to the library, and added several tests to that effect. Thanks for finding this one. Sorry about the disruption!

I'm going to keep this open until it actually gets released in the os. Sorry about the noise.
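
Added example (not part of the thread and not the openssh-keys crate's code): a std-only Rust sketch of the failure and of option-aware splitting as sshd(8) describes it. Treating the second whitespace field as the base64 blob is an inference from the reported error (byte 45 is `-`, offset 3 in `ssh-rsa`); `naive_parse`, `parse_line`, `KEY_TYPES` and `SAMPLE` are hypothetical names, and the key blob is a constructed placeholder.

```rust
// Added example: std-only sketch, not the openssh-keys crate's code.
const KEY_TYPES: [&str; 3] = ["ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"];
// Constructed sample shaped like the reported line; the blob is a placeholder.
const SAMPLE: &str = "from=\"192.168.1.0/24\" ssh-rsa AAAAB3NzaC1yc2E= mikit@hoge";

/// First byte outside the standard base64 alphabet, as (byte, offset).
fn first_invalid_base64(s: &str) -> Option<(u8, usize)> {
    let ok = |b: u8| b.is_ascii_alphanumeric() || b == b'+' || b == b'/' || b == b'=';
    s.bytes().enumerate().find(|&(_, b)| !ok(b)).map(|(i, b)| (b, i))
}

/// Naive parse: assumes "<type> <base64> [comment]" and checks field 2 only.
fn naive_parse(line: &str) -> Result<(), (u8, usize)> {
    let blob = line.split_whitespace().nth(1).unwrap_or("");
    first_invalid_base64(blob).map_or(Ok(()), Err)
}

/// Option-aware parse per sshd(8): options may hold spaces only inside double quotes.
fn parse_line(line: &str) -> Option<(Option<&str>, &str, &str)> {
    let line = line.trim();
    let (mut options, mut rest) = (None, line);
    if !KEY_TYPES.contains(&line.split_whitespace().next()?) {
        // Options end at the first whitespace outside double quotes.
        let (mut in_quotes, mut escaped, mut end) = (false, false, None);
        for (i, c) in line.char_indices() {
            match c {
                '\\' if in_quotes && !escaped => { escaped = true; continue; }
                '"' if !escaped => in_quotes = !in_quotes,
                ' ' | '\t' if !in_quotes => { end = Some(i); break; }
                _ => {}
            }
            escaped = false;
        }
        let end = end?;
        options = Some(&line[..end]);
        rest = line[end..].trim_start();
    }
    let mut fields = rest.split_whitespace();
    let (key_type, blob) = (fields.next()?, fields.next()?);
    if !KEY_TYPES.contains(&key_type) || first_invalid_base64(blob).is_some() {
        return None;
    }
    Some((options, key_type, blob))
}

fn main() {
    println!("naive:  {:?}", naive_parse(SAMPLE));
    println!("parsed: {:?}", parse_line(SAMPLE));
}
```

A line with an unterminated quote in its options yields `None` rather than a partial parse, so a malformed restriction is never silently dropped.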

@sdemos sdemos reopened this Nov 8, 2017

Member

bgilbert commented Nov 8, 2017

This should be fixed in alpha 1591.0.0 and beta 1576.2.0, due soon. Thanks for the report.

@bgilbert bgilbert closed this Nov 8, 2017
