cloud-init-dev team mailing list archive

Re: [Merge] ~smoser/cloud-init:fix/1781094-ssh-deletekeys into cloud-init:master

 

> On Wed, Aug 1, 2018 at 12:09 PM Scott Moser <ssmoser2+ubuntu@xxxxxxxxx> wrote:
> >
> > if we left it as null, it would not generate any keys.
> > We need it to generate keys.
> 
> Why? Isn't ssh-keygen service generating keys?

That is the bug.  We/centos/fedora *were* delegating generation of host keys to ssh-keygen.  That is problematic as ssh-keygen only generates new keys if keys do not previously exist.  That means that if the keys ever exist in an image, every instance from that image will have the same host keys.


> > You are correct in that it will generate the default key
> > types for cloud-init, which will not necessarily be the
> > same as those in ssh-keygen service.
> >
> > However, cloud-init will *remove* all ssh host keys that match
> >   /etc/ssh/ssh_host_*key*
> > So we won't have stale keys sitting around.
> 
> Hrm, is the goal then to have cloud-init wipe *all* keys even if it didn't
> generate them on new-instance?  That would include any keys generated
> by the ssh-keygen service?  And if so, is that OK for cloud-init to do?

Deleting ssh host keys is something that cloud-init has *always* done on first instance, so... yes it is OK for cloud-init to do that.  It is possible that someone has ssh host keys that they want to be used for multiple instances.. and cloud-init would stop them.  However, that is generally against the design intent of ssh host keys, which are supposed to be per-host.

> 
> And from above, if ssh-keygen service is already creating keys, should
> cloud-init create keys as well?

On a clean instance boot (no host keys at all):
 * cloud-init.service will run 'Before=sshd-keygen.service' and will create new host keys.
 * ssh-keygen service will run and see it doesn't have anything to do.

On second boot, cloud-init.service will not re-generate ssh host keys because those are generated on a per-instance basis in cloud-init.

On a *dirty* instance first boot (with previously generated ssh host keys)
 * cloud-init.service will run 'Before=sshd-keygen.service' and will
   * delete the old host keys
   * generate host keys
 * ssh-keygen.service will have nothing to do.

-- 
https://code.launchpad.net/~smoser/cloud-init/+git/cloud-init/+merge/349359
Your team cloud-init commiters is requested to review the proposed merge of ~smoser/cloud-init:fix/1781094-ssh-deletekeys into cloud-init:master.
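
Added example, not part of the original message and not cloud-init code: an audit for the failure this thread describes, where host keys left in an image are reused by every instance launched from it. It computes OpenSSH-style SHA256 fingerprints of collected `ssh_host_*_key.pub` lines and reports any fingerprint seen on more than one instance. The function names, the inventory layout and the instance ids are assumptions, and the sample keys are constructed.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(pubkey_line):
    """Return the OpenSSH-style SHA256 fingerprint of one public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line: %r" % pubkey_line)
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as base64 with the padding stripped.
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def shared_host_keys(inventory):
    """Map fingerprint -> sorted instance ids for keys on more than one instance.

    inventory (assumed layout): {instance_id: [lines from ssh_host_*_key.pub]}
    """
    seen = defaultdict(set)
    for instance_id, pub_lines in inventory.items():
        for line in pub_lines:
            line = line.strip()
            if line and not line.startswith("#"):
                seen[fingerprint(line)].add(instance_id)
    return {fp: sorted(ids) for fp, ids in seen.items() if len(ids) > 1}


def _constructed_key(key_type, seed):
    # Constructed sample data: not a real key, only a stable base64 blob.
    blob = hashlib.sha256(seed.encode()).digest()
    return "%s %s root@%s" % (key_type, base64.b64encode(blob).decode(), seed)


# Constructed inventory: i-aaa and i-bbb came from an image that already held
# an ed25519 host key; i-ccc had its host keys regenerated on first boot.
BAKED = _constructed_key("ssh-ed25519", "golden-image")
SAMPLE_INVENTORY = {
    "i-aaa": [BAKED, _constructed_key("ssh-rsa", "i-aaa")],
    "i-bbb": [BAKED, _constructed_key("ssh-rsa", "i-bbb")],
    "i-ccc": [_constructed_key("ssh-ed25519", "i-ccc")],
}

if __name__ == "__main__":
    for fp, ids in shared_host_keys(SAMPLE_INVENTORY).items():
        print(fp, "shared by", ", ".join(ids))
```

An empty result means no host key is shared between the instances that were surveyed.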