
yahoo-eng-team team mailing list archive

[Bug 1508543] [NEW] AuthorizedKeysFile in match block will prevent default user login


Public bug reported:

Hi.

Consider the following sshd_config which is pretty standard with only an
added "Match" block.

---------8<------------------------------------
<...>
Port 22
AuthorizedKeysFile    %h/.ssh/authorized_keys
<...>
Match group foobar
    AuthorizedKeysFile /etc/ssh/authorizedkeys/%u
---------8<------------------------------------


When starting an instance pre-configured with the above sshd_config (in my case AWS EC2), cloud-init will parse /etc/ssh/sshd_config to know where it should put the public key of the default "ubuntu" user. The problem is that cloud-init is not an sshd_config parser and, looking at the code, it just does line-by-line parsing.

In this case, it will pick up the AuthorizedKeysFile value that is in
the Match block because it's the last one in the file and will end up
putting the default user key under /etc/ssh/authorizedkeys/ubuntu,
preventing login into the instance because from the sshd point of view,
the correct key location for that user (which is *not* part of the
"foobar" group) is $HOMEDIR/.ssh/authorized_keys.

The obvious workaround is to append the default AuthorizedKeysFile at the end of the file but it would have been nice to know it beforehand ;-)
I understand that line-by-line parsing is the easy way, but in the case of ssh it is very error-prone and can lead to unexpected behaviour...

Thanks.

** Affects: cloud-init
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1508543
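The two lookups contrasted on the report's own config, as an added example that is not cloud-init's code: a last-wins line scan (the behaviour the report describes) next to a lookup that stops at the first Match keyword and keeps the first obtained value, as sshd_config(5) specifies. It assumes the default user belongs to no Match group and that the elided "<...>" parts hold nothing relevant.

```python
import re

# Constructed sample: the sshd_config from the bug report, "<...>" parts omitted.
SSHD_CONFIG = """\
Port 22
AuthorizedKeysFile    %h/.ssh/authorized_keys
Match group foobar
    AuthorizedKeysFile /etc/ssh/authorizedkeys/%u
"""

# sshd's built-in default when the directive is absent (sshd_config(5)).
DEFAULT_AUTHORIZED_KEYS = "%h/.ssh/authorized_keys"


def directives(text):
    """Yield (keyword, value) pairs with lower-cased keywords; sshd accepts
    both 'Key value' and 'Key=value' and skips blank and comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def naive_authorized_keys_file(text):
    """Line-by-line, last-wins lookup: the behaviour the report describes.
    It cannot tell a global directive from one inside a Match block."""
    value = DEFAULT_AUTHORIZED_KEYS
    for key, val in directives(text):
        if key == "authorizedkeysfile":
            value = val
    return value


def global_authorized_keys_file(text):
    """Value sshd applies to a user matching no Match block (assumed here for
    the default user): only directives before the first Match count, and for
    a repeated keyword sshd keeps the first value it obtains."""
    for key, val in directives(text):
        if key == "match":
            break
        if key == "authorizedkeysfile":
            return val
    return DEFAULT_AUTHORIZED_KEYS


def expand_tokens(path, user, home):
    """Expand the %h, %u and %% tokens of the first listed file, as sshd does."""
    subs = {"%h": home, "%u": user, "%%": "%"}
    return re.sub(r"%[hu%]", lambda m: subs[m.group(0)], path.split()[0])
```

For the "ubuntu" user the naive lookup lands on /etc/ssh/authorizedkeys/ubuntu while sshd reads /home/ubuntu/.ssh/authorized_keys, which is exactly the login failure reported above.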


