← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #79515

[Bug 1839061] [NEW] Wrong access permissions of authorized keys directory when using root-owned location

  Thread PreviousDate PreviousThread Next 
Public bug reported:

When using a central, root-owned directory to store ssh keys, cloud-init
changes the permissions of the key directory which renders the keys
unusable.

I'm using a similar approach as described here:
https://www.ssh.com/ssh/key/
MOVING SSH KEYS TO A ROOT-OWNED LOCATION

but I'm using the config

    AuthorizedKeysFile /etc/ssh/keys/%u

In the original image, the permissions of the keys directory
/etc/ssh/keys are 0755 - owned by root:root. It contains all the keys of
the users. All keys have 0644 permissions and are also owned by
root:root. (The background: Users are not allowed to change their ssh
keys.)

After the machine boots and cloud-init finishes, the permissions of the
key directory /etc/ssh/keys is 0700 and it is impossible to use key-
authentication, because sshd cannot access the key files.

IMHO the reason for this is, that cloud-init changes the permission of
the keys directory

https://git.launchpad.net/cloud-init/tree/cloudinit/ssh_util.py#n259

        util.ensure_dir(os.path.dirname(auth_key_fn), mode=0o700)

which is wrong in this use case.

** Affects: cloud-init
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1839061

Title:
  Wrong access permissions of authorized keys directory when using root-
  owned location

Status in cloud-init:
  New

Bug description:
  When using a central, root-owned directory to store ssh keys, cloud-
  init changes the permissions of the key directory which renders the
  keys unusable.

  I'm using a similar approach as described here:
  https://www.ssh.com/ssh/key/
  MOVING SSH KEYS TO A ROOT-OWNED LOCATION

  but I'm using the config

      AuthorizedKeysFile /etc/ssh/keys/%u

  In the original image, the permissions of the keys directory
  /etc/ssh/keys are 0755 - owned by root:root. It contains all the keys
  of the users. All keys have 0644 permissions and are also owned by
  root:root. (The background: Users are not allowed to change their ssh
  keys.)

  After the machine boots and cloud-init finishes, the permissions of
  the key directory /etc/ssh/keys is 0700 and it is impossible to use
  key-authentication, because sshd cannot access the key files.

  IMHO the reason for this is, that cloud-init changes the permission of
  the keys directory

  https://git.launchpad.net/cloud-init/tree/cloudinit/ssh_util.py#n259

          util.ensure_dir(os.path.dirname(auth_key_fn), mode=0o700)

  which is wrong in this use case.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1839061/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next