yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1658174] [NEW] cloud-init fails to disable ecdsa-sha2-nitp521 keys

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lars Kellogg-Stedman <lars@xxxxxxxxxx>
Date: Fri, 20 Jan 2017 19:39:50 -0000
Reply-to: Bug 1658174 <1658174@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

cloud-init adds ssh_authorized_keys to the default user fedora and to
root but for root it disables the keys with a prefix command that echoes
the helpful message:

'Please login as the user "fedora" rather than the user "root".'

However, if the key is of type ecdsa-sha2-nistp521, it is not parsed
correctly, and the prefix command is not prepended.

This means that ECDSA keys can be used to login to root.

** Affects: cloud-init
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1658174

Title:
  cloud-init fails to disable ecdsa-sha2-nitp521 keys

Status in cloud-init:
  New

Bug description:
  cloud-init adds ssh_authorized_keys to the default user fedora and to
  root but for root it disables the keys with a prefix command that
  echoes the helpful message:

  'Please login as the user "fedora" rather than the user "root".'

  However, if the key is of type ecdsa-sha2-nistp521, it is not parsed
  correctly, and the prefix command is not prepended.

  This means that ECDSA keys can be used to login to root.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1658174/+subscriptions

Follow ups

[Bug 1658174] Re: cloud-init fails to disable ecdsa-sha2-nitp521 keys
From: Scott Moser, 2017-09-23