yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1053893] Re: cloud-init should be able to switch off password auth in sshd

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Scott Moser <smoser@xxxxxxxxxx>
Date: Mon, 19 May 2014 13:49:33 -0000
Reply-to: Bug 1053893 <1053893@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I think this should be fixed in 0.7.5.
It doesn't do it automatically, but if you want pwauth on, you can just specify:
   ssh_pwauth: True

and it should enable it correctly.

I think i'd rather do require this to be explicitly done (it can be done
in /etc/ cloud/cloud.cfg.d or user-data) than doing it automatically.
Additionally, I don't think that there is a ton of value in disabling
ssh key auth, or in not starting ssh.

I'm going to mark this fix-released based on the above.  If you
disagree, feel free to re-open and comment.

** Changed in: cloud-init
       Status: Confirmed => Fix Released

** Changed in: cloud-init (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1053893

Title:
  cloud-init should be able to switch off password auth in sshd

Status in Init scripts for use on cloud images:
  Fix Released
Status in “cloud-init” package in Ubuntu:
  Fix Released

Bug description:
  I've had a look but I can't see any facilities within cloud-init
  config system to manipulate the sshd configuration settings.

  ISTM that cloud-init should open up sshd to the minimum required by
  the users configured by the cloud-init process (or if told to widen it
  further).

  So password auth should be off unless passwords are specified. key
  auth should be off unless keys are retrieved, possibly sshd should not
  even be started if there are no users, etc.

  At the moment the image I'm generating has password auth switched off
  in the default config, but obviously that means if somebody specifies
  a passworded user in the cloud-init config, then it won't work.

  As an aside is there a general move to do all the 'cloud specific
  config' within cloud-init rather than in the image build?

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: cloud-init (not installed)
  ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
  Uname: Linux 3.2.0-30-generic x86_64
  ApportVersion: 2.0.1-0ubuntu13
  Architecture: amd64
  CheckboxSubmission: 55cafa5b8b82ed224cc59d444cb1fc25
  CheckboxSystem: 3e53d3ea5811723345f19eff5070f9ab
  Date: Fri Sep 21 09:53:01 2012
  InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
  SourcePackage: cloud-init
  UpgradeStatus: Upgraded to precise on 2012-05-07 (136 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1053893/+subscriptions