yahoo-eng-team team mailing list archive

[Bug 1910835] [NEW] Azure IMDS publicKeys contain \r\n which prevents ssh access to vms using cloud-generated ssh keys.

 

Public bug reported:

cloud-init 20.4 or later will incorrectly add Azure publicKeys to
.ssh/authorized_keys preventing ssh access for cloud-generated keys.


To reproduce: launch an Ubuntu VM from portal.azure.com, choosing to
generate a new ssh key.

When the instance is launched you can see that the ssh-rsa content
provided in the metadata publicKeys value contains CRLF characters
(\r\n), thus splitting the content of the pubkey onto multiple lines when
it is rendered into .ssh/authorized_keys.


The solution is either for IMDS to stop adding the CRLF characters or cloud-init to strip them out.


Here is the IMDS value provided to cloud-init:

cloud-init query --format '{{ds.meta_data.imds.compute.publicKeys}}'

[{'keyData': 'ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABgQCllNnyHXFWlMb9EKD9LZrOxt1d\r\nk/QxYwQ0HYEP8n6TUWoUsN3mv/Qk/qWH76Pa6f33hefzTFRiom7Ls/tJMcr/ki8R\r\n9FqyYOu0xxHmpXTUWFoZQCZtGRMtvDl/s76Wr1sCsE/ez+EcAPeGGm/B7jHtDAUW\r\nlkINfuPVBDfRtSfmnlCKS+sIf1XOqvRASGWi05zAW921T4OkiattyXyhaOimJOwq\r\n4jAXmydwtNCN2iGGKWS8YeXbtgveReqZVVKtcDKevgWdNyqZa69uq9tRujobjCh7\r\n6xxCkQcdCLospgqX79GBbdRys6mVxVgc349RIWjQwglRQpJwNzkeOG5Q+La2MEhu\r\niKqKJMvYVhil3khzMuZwzmTrGbRx0E8AS+Cm064RBgbcdjCW8dDYGLuk2eQ2v9Ht\r\n6eERfxMBNg3udv1jmiKpjjHIg99HDU4VqhL3aHmg+TSrxByd0cAgFBV+H0CiUVC9\r\nS2mLJ6Peu/HDwd88E8Wqiv3eAsjcaCRH3QiQVaU=
generated-by-azure\r\n', 'path': '/home/ubuntu/.ssh/authorized_keys'}]


cloud-init renders this directly to .ssh/authorized_keys without processing the string, resulting in an invalid keyline:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCllNnyHXFWlMb9EKD9LZrOxt1d k/QxYwQ0HYEP8n6TUWoUsN3mv/Qk/qWH76Pa6f33hefzTFRiom7Ls/tJMcr/ki8R^M
9FqyYOu0xxHmpXTUWFoZQCZtGRMtvDl/s76Wr1sCsE/ez+EcAPeGGm/B7jHtDAUW^M
lkINfuPVBDfRtSfmnlCKS+sIf1XOqvRASGWi05zAW921T4OkiattyXyhaOimJOwq^M
4jAXmydwtNCN2iGGKWS8YeXbtgveReqZVVKtcDKevgWdNyqZa69uq9tRujobjCh7^M
6xxCkQcdCLospgqX79GBbdRys6mVxVgc349RIWjQwglRQpJwNzkeOG5Q+La2MEhu^M
iKqKJMvYVhil3khzMuZwzmTrGbRx0E8AS+Cm064RBgbcdjCW8dDYGLuk2eQ2v9Ht^M
6eERfxMBNg3udv1jmiKpjjHIg99HDU4VqhL3aHmg+TSrxByd0cAgFBV+H0CiUVC9^M
S2mLJ6Peu/HDwd88E8Wqiv3eAsjcaCRH3QiQVaU= generated-by-azure


This prevents ssh from actually reading the right key from Azure:

$ ssh-keygen -lf /home/ubuntu/.ssh/authorized_keys

If we strip the CRLF (^M) characters and reparse with ssh-keygen, we see
the proper key registered:

$ ssh-keygen -lf /home/ubuntu/.ssh/authorized_keys
3072 SHA256:PQ9EKxTKONJKFC2N56UpL6+Oc/cujfA9HpsF5VW2QDI generated-by-azure (RSA)


If cloud-init (or IMDS) were to strip those \r\n characters from each
line ssh

** Affects: cloud-init
     Importance: Critical
         Status: Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1910835
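
An added example, not cloud-init's own code and not part of the original report: one way to strip the CR/LF characters from a publicKeys keyData value and check that the result is a single well-formed authorized_keys line before it is written. The function names are hypothetical, and the sample value is constructed (a fake RSA modulus, not a usable key) with CRLFs placed inside the base64 as in the report.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def normalize_key_data(key_data: str) -> str:
    """Return key_data as one authorized_keys line, or raise ValueError."""
    # Drop every CR/LF: the report shows them inside the base64 and at the end.
    flat = key_data.replace("\r", "").replace("\n", "").strip()
    fields = flat.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The blob begins with the key type as an SSH string; it must match.
    if not blob.startswith(ssh_string(key_type.encode())):
        raise ValueError("key blob does not match declared key type")
    return flat


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints."""
    blob = base64.b64decode(line.split()[1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def make_sample_key_data() -> str:
    """Constructed sample: fake RSA modulus, CRLF every 64 base64 chars."""
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + b"\xa5" * 384))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "ssh-rsa " + wrapped + " generated-by-azure\r\n"


if __name__ == "__main__":
    raw = make_sample_key_data()
    line = normalize_key_data(raw)
    print(len(raw.splitlines()), "lines before;", fingerprint(line))
```

Rejecting a value whose decoded blob does not start with the declared key type catches a key that is still truncated or fused after the line endings are removed.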
