cloud-init team mailing list archive
Message #00327
Release of cloud-init 20.4.1
cloud-init release 20.4.1 is now available[0]. This is a hotfix
release that contains a single patch to address a security issue in
cloud-init 20.4.
Briefly, for users who provide more than one unique SSH key to
cloud-init and have a shared AuthorizedKeysFile configured in
sshd_config, cloud-init 20.4 started writing all of these keys to such a
file, granting all such keys SSH access as root.
It's worth restating this implication: if you are using the default
AuthorizedKeysFile setting in /etc/ssh/sshd_config, as most will be,
then you are _not_ affected by this issue.
Full details can be found at
https://bugs.launchpad.net/cloud-init/+bug/1911680
Thank you for using and developing cloud-init!
Dan
[0] https://github.com/canonical/cloud-init/releases/tag/20.4.1
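
As an added example (not part of the original message and not cloud-init code), the following sketch checks whether an sshd_config sets a shared AuthorizedKeysFile, read here as an absolute path that contains none of OpenSSH's per-user tokens (%h, %u, %U). The function names and sample configurations are hypothetical, and Include directives are not followed.

```python
import re
import shlex

# OpenSSH default when AuthorizedKeysFile is unset: relative to each user's home.
DEFAULT_FILES = [".ssh/authorized_keys", ".ssh/authorized_keys2"]
PER_USER_TOKENS = ("%h", "%u", "%U")  # home directory, user name, numeric uid


def is_shared(path):
    """True if every user resolves this AuthorizedKeysFile entry to the same file."""
    if path.lower() == "none":
        return False  # 'none' means no key file is consulted
    without_literals = path.replace("%%", "")  # %% is a literal percent sign
    if any(tok in without_literals for tok in PER_USER_TOKENS):
        return False
    # Relative paths resolve against the user's home, so only absolute ones are shared.
    return path.startswith("/")


def authorized_keys_settings(config_text):
    """Map context ('global' or a Match line) to its AuthorizedKeysFile list.
    Assumption: the first value read in a context wins; Include is not followed."""
    context, settings = "global", {}
    for raw in config_text.splitlines():
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:  # blank lines and '#' comments do not match
            continue
        keyword, rest = m.group(1).lower(), m.group(2)
        if keyword == "match":
            context = "Match " + rest
        elif keyword == "authorizedkeysfile" and context not in settings:
            settings[context] = shlex.split(rest)
    settings.setdefault("global", DEFAULT_FILES)
    return settings


def shared_entries(config_text):
    """Return [(context, path)] for every shared AuthorizedKeysFile entry."""
    found = authorized_keys_settings(config_text)
    return [(ctx, p) for ctx, paths in found.items() for p in paths if is_shared(p)]


# Constructed sample configurations, not taken from any real host.
DEFAULT_CONFIG = "# AuthorizedKeysFile unset\nPermitRootLogin prohibit-password\n"
SHARED_CONFIG = """\
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys
Match User deploy
    AuthorizedKeysFile /etc/ssh/keys/%u
"""
```

Passing the text of /etc/ssh/sshd_config to shared_entries() returns an empty list when only per-user key files are configured.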