This repository has been archived by the owner. It is now read-only.

update-ssh-keys does not recognize options #2229

Closed
mikiT opened this issue Nov 7, 2017 · 3 comments

@mikiT mikiT commented Nov 7, 2017

Issue Report

Bug

Container Linux Version

core@bad ~ $ cat /etc/os-release
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1576.1.0
VERSION_ID=1576.1.0
BUILD_ID=2017-10-26-0503
PRETTY_NAME="Container Linux by CoreOS 1576.1.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

core@bad ~ $ ls -al /bin/update-ssh-keys 
-rwxr-xr-x. 1 root root 1211024 Oct 26 12:43 /bin/update-ssh-keys
...
BUG_REPORT_URL="https://issues.coreos.com"

Environment

common x86 server

Expected Behavior

core@good ~ $ cat /etc/os-release 
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1520.1.0
VERSION_ID=1520.1.0
BUILD_ID=2017-09-05-2146
PRETTY_NAME="Container Linux by CoreOS 1520.1.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

core@good ~ $ ls -al /usr/bin/update-ssh-keys 
-rwxr-xr-x. 1 root root 4972 Aug 30 08:43 /usr/bin/update-ssh-keys
core@good ~ $ ls -al .ssh/authorized_keys.d/coreos-cloudinit
-rw-------. 1 core core 426 Nov  7 20:02 .ssh/authorized_keys.d/coreos-cloudinit
core@good ~ $ cat .ssh/authorized_keys.d/coreos-cloudinit 
from="192.168.1.0/24" ssh-rsa AAA...Qkn mikit@hoge

core@good ~ $ update-ssh-keys 
Updated /home/core/.ssh/authorized_keys

Actual Behavior

core@bad ~ $ ls -al .ssh/authorized_keys.d/coreos-cloudinit 
-rw-r--r--. 1 core core 426 Nov  7 19:59 .ssh/authorized_keys.d/coreos-cloudinit
core@bad ~ $ cat .ssh/authorized_keys.d/coreos-cloudinit 
from="192.168.1.0/24" ssh-rsa AAA...Qkn mikit@hoge

core@bad ~ $ update-ssh-keys 
Error: failed to open authorized keys directory for user 'core'
Caused by: failed to parse public key
Caused by: invalid key format
Caused by: Invalid byte 45, offset 3.

Reproduction Steps

We updated coreos from 1520.1.0 to 1576.1.0 last week.
After that, hoge now outputs an error.
We use /bin/coreos-cloudinit for configuration management.

This is an extract from our cloud-config.yml.

(snip)
users:
  - name: core
    groups:
      - sudo
      - docker
    ssh_authorized_keys:
      - from="192.168.1.0/24" ssh-rsa AAA...Qkn mikit@hoge
(snip)

Under this condition, we executed /bin/coreos-cloudinit and then saw the error.

core@bad ~ $ sudo /bin/coreos-cloudinit -from-file=cloud-config.yml
(snip)
2017/11/07 20:38:42 Authorizing 32 SSH keys for user 'core'
2017/11/07 20:38:42 Failed to apply cloud-config: Call to update-ssh-keys failed with exit status 1:  Error: failed to open authorized keys directory for user 'core'
Caused by: failed to parse public key
Caused by: invalid key format
Caused by: Invalid byte 45, offset 3.

Other Information

ref. sshd(8):
authorized_keys file format


Member

@lucab lucab commented Nov 7, 2017

Thanks for the report! It looks like the underlying parsing library is at fault here as it doesn't understand the first optional field. For reference, format spec from manpage.

/cc @sdemos

sdemos added a commit to sdemos/update-ssh-keys that referenced this issue Nov 7, 2017
in particular, this updates the openssh-keys library to the newest
version, which correctly parses authorized_keys options.

fixes coreos/bugs#2229

@sdemos sdemos commented Nov 8, 2017

Yup, looks like the underlying ssh key parsing library didn't handle authorized_keys options at all. I added that support to the library, and added several tests to that effect. Thanks for finding this one. Sorry about the disruption!

I'm going to keep this open until it actually gets released in the os. Sorry about the noise.
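
The failure mode discussed in this thread, as an added example that is not code from update-ssh-keys or the openssh-keys library: a splitter that assumes the key type is the first field ends up treating `ssh-rsa` as the base64 blob, whose byte 45 (`-`) at offset 3 is consistent with the error reported above, while an options-aware splitter following sshd(8) skips the quoted options field first. `KEY_TYPES`, the function names and the key blobs are constructed for illustration, and the base64 check covers the alphabet only.

```rust
// Added example (not update-ssh-keys/openssh-keys code). KEY_TYPES is a constructed subset.
const KEY_TYPES: [&str; 4] = ["ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"];

/// First byte outside the base64 alphabet, as (byte, offset). Alphabet check only.
fn first_invalid_base64(s: &str) -> Option<(u8, usize)> {
    s.bytes().enumerate()
        .find(|&(_, b)| !(b.is_ascii_alphanumeric() || matches!(b, b'+' | b'/' | b'=')))
        .map(|(i, b)| (b, i))
}

/// Naive split: treats field 1 as the key type and field 2 as the base64 blob.
fn naive_blob(line: &str) -> Option<&str> {
    line.split_whitespace().nth(1)
}

/// Options-aware split per sshd(8): returns (options, keytype, blob, comment).
fn parse_line(line: &str) -> Option<(Option<&str>, &str, &str, &str)> {
    let line = line.trim();
    let first = line.split_whitespace().next()?;
    let (options, rest) = if KEY_TYPES.contains(&first) {
        (None, line)
    } else {
        // Whitespace ends the options field only outside double quotes;
        // inside quotes a backslash escapes the next character.
        let (mut quoted, mut escaped, mut end) = (false, false, line.len());
        for (i, c) in line.char_indices() {
            if escaped { escaped = false; continue; }
            match c {
                '\\' if quoted => escaped = true,
                '"' => quoted = !quoted,
                ' ' | '\t' if !quoted => { end = i; break; }
                _ => {}
            }
        }
        if quoted { return None; } // unterminated quote: reject the line
        (Some(&line[..end]), line[end..].trim_start())
    };
    let (keytype, rest) = rest.split_once(char::is_whitespace)?;
    let rest = rest.trim_start();
    let (blob, comment) = rest.split_once(char::is_whitespace).unwrap_or((rest, ""));
    let ok = KEY_TYPES.contains(&keytype) && !blob.is_empty() && first_invalid_base64(blob).is_none();
    ok.then(|| (options, keytype, blob, comment.trim()))
}

fn main() {
    // Constructed line: same shape as the one in the report, placeholder key blob.
    let line = r#"from="192.168.1.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB mikit@hoge"#;
    println!("naive: {:?}", naive_blob(line).and_then(first_invalid_base64));
    println!("aware: {:?}", parse_line(line));
}
```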

@sdemos sdemos reopened this Nov 8, 2017
Member

@bgilbert bgilbert commented Nov 8, 2017

This should be fixed in alpha 1591.0.0 and beta 1576.2.0, due soon. Thanks for the report.

@bgilbert bgilbert closed this Nov 8, 2017