
yahoo-eng-team team mailing list archive

[Bug 1839473] Re: Cloudinit can't set ssh certificate


Hi,

Thanks for using cloud-init and filing this bug report!  This behaviour
is designed to protect users from a common mistake: capturing an
instance as an image and therefore ending up with the same SSH host keys
across multiple instances.  For the vast majority of users, this is the
sensible default behaviour, so we are unlikely to change it.

However, cloud-init _does_ allow you to configure your own host keys if,
like you, you have specific requirements around them.  See
https://cloudinit.readthedocs.io/en/latest/topics/modules.html#ssh for
full details, but instead of using write_files, you'll want to use
something like:

ssh_keys:
    rsa_private: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qco
        ...
        -----END RSA PRIVATE KEY-----
    rsa_public: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7Xd ...

(This has the added benefit over write_files/ssh_deletekeys=False that
it will clear out any stale host keys that you aren't specifying, so you
won't accidentally carry stale keys around with any image captures.)


Thanks!

Dan

P.S. As there isn't any cloud-init work to be done here, I'm going to
mark this bug as Invalid.  If you have any further questions or
comments, please don't hesitate to reply despite that!

** Changed in: cloud-init
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1839473

Title:
  Cloudinit can't set ssh certificate

Status in cloud-init:
  Invalid

Bug description:
  Don't delete things under /etc/ssh. If you use write_files to add a
  SSH certificate like ssh_host_ecdsa_key-cert.pub, it doesn't work
  because it deletes everything.

  You have to set ssh_deletekeys to false to prevent it from deleting
  things but then you have the other key types under /etc/ssh which you
  may not want.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1839473/+subscriptions
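As an added example (not code from the cloud-init project or from anyone in this thread), the Python below models the behaviour Dan describes: the configured `ssh_keys` pairs are written into the host-key directory, and every `ssh_host_*_key` file not covered by the configuration, including a certificate such as the reporter's `ssh_host_ecdsa_key-cert.pub`, is removed, which is why `write_files` alone cannot be used to add one. The `rsa_private`/`rsa_public` names are taken from the post; the `dsa`, `ecdsa` and `ed25519` names, the `ssh_host_<type>_key` file naming and the 0600/0644 modes are assumptions, and the directory used is a temporary stand-in for /etc/ssh rather than the real one.

```python
"""Model of cloud-init's ssh_keys handling as described in the thread:
write the configured host keys, remove any host-key files not configured.
Added example; this is not cloud-init's own implementation."""
import os
import re
import tempfile
from pathlib import Path

# Leading token expected in the public-key line for each key type.  The
# rsa_* names come from the post; the other three are assumed to follow
# the same <type>_private / <type>_public pattern.
PUBKEY_PREFIX = {
    "rsa": "ssh-rsa",
    "dsa": "ssh-dss",
    "ecdsa": "ecdsa-sha2-",      # nistp256/384/521 all share this prefix
    "ed25519": "ssh-ed25519",
}

# Constructed, non-functional sample material (truncated like the post).
SAMPLE_SSH_KEYS = {
    "rsa_private": ("-----BEGIN RSA PRIVATE KEY-----\n"
                    "MIIBxwIBAAJhAKD0YSHy73nUgysO13XsJmd4fHiFyQ+00R7VVu2iV9Qco\n"
                    "...\n-----END RSA PRIVATE KEY-----\n"),
    "rsa_public": "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEAoPRhIfLvedSDKw7Xd ...",
}

# Matches OpenSSH host-key files: private, public and certificate variants.
HOST_KEY_RE = re.compile(r"^ssh_host_(\w+)_key(\.pub|-cert\.pub)?$")


def validate_ssh_keys(ssh_keys):
    """Return a list of problems with an ssh_keys mapping (empty if sound)."""
    problems = []
    types = set()
    for name in ssh_keys:
        if not name.endswith(("_private", "_public")):
            problems.append(f"unexpected key {name!r}")
            continue
        types.add(name.rsplit("_", 1)[0])
    for t in sorted(types):
        priv, pub = ssh_keys.get(f"{t}_private"), ssh_keys.get(f"{t}_public")
        if priv is None or pub is None:
            problems.append(f"{t}: need both {t}_private and {t}_public")
            continue
        if not priv.startswith("-----BEGIN"):
            problems.append(f"{t}_private: not a PEM block")
        want = PUBKEY_PREFIX.get(t)
        tokens = pub.split()
        if want and (not tokens or not tokens[0].startswith(want)):
            problems.append(f"{t}_public: expected to start with {want!r}")
    return problems


def reconcile_host_keys(ssh_keys, ssh_dir):
    """Write configured host keys into ssh_dir and remove every other
    ssh_host_*_key file there.  Returns {"written": [...], "removed": [...]}."""
    ssh_dir = Path(ssh_dir)
    problems = validate_ssh_keys(ssh_keys)
    if problems:
        raise ValueError("; ".join(problems))
    keep, written = set(), []
    for name, blob in ssh_keys.items():
        t, kind = name.rsplit("_", 1)
        suffix = "" if kind == "private" else ".pub"
        path = ssh_dir / f"ssh_host_{t}_key{suffix}"          # assumed naming
        path.write_text(blob if blob.endswith("\n") else blob + "\n")
        os.chmod(path, 0o600 if kind == "private" else 0o644)  # assumed modes
        keep.add(path.name)
        written.append(path.name)
    removed = []
    for entry in sorted(ssh_dir.iterdir()):
        # Anything that looks like a host key (or host certificate) but is
        # not in the configuration is treated as stale and deleted.
        if HOST_KEY_RE.match(entry.name) and entry.name not in keep:
            entry.unlink()
            removed.append(entry.name)
    return {"written": sorted(written), "removed": removed}


def demo():
    """Simulate /etc/ssh holding stale keys plus the reporter's certificate."""
    with tempfile.TemporaryDirectory() as d:
        ssh_dir = Path(d)
        for stale in ("ssh_host_ecdsa_key", "ssh_host_ecdsa_key.pub",
                      "ssh_host_ecdsa_key-cert.pub", "ssh_host_ed25519_key",
                      "ssh_host_ed25519_key.pub", "sshd_config"):
            (ssh_dir / stale).write_text("constructed placeholder\n")
        result = reconcile_host_keys(SAMPLE_SSH_KEYS, ssh_dir)
        result["remaining"] = sorted(p.name for p in ssh_dir.iterdir())
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows only the rsa pair surviving next to `sshd_config`; the ecdsa and ed25519 keys and the `-cert.pub` file are removed, which is the outcome the reporter observed. `validate_ssh_keys` is the check worth running before capturing an image: a private key without its public half, or a public key whose type token does not match the `<type>_` prefix, is reported instead of being written to the instance.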

