yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #85168
[Bug 1915772] [NEW] config-ssh module doesn't respect Match conditions in sshd_config
Public bug reported:
Summary
Per https://www.freebsd.org/cgi/man.cgi?sshd_config(5)
Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the
following lines override those set in the global section of the config file, until either anotherMatch line or the end of the
file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.
Say I have a Match setup for a group to use a special location of an
AuthorizedKeysFile, basically to move this out of the homedir these
restricted users are jailed in.
Match Group my-special-group
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Relevant Code:
https://github.com/canonical/cloud-init/blob/09193e5141ca45b822617399047204abd701047e/cloudinit/ssh_util.py#L274
and ultimately lies in the implantation at
https://github.com/canonical/cloud-init/blob/09193e5141ca45b822617399047204abd701047e/cloudinit/ssh_util.py#L344
the way parse_ssh_config_map parses the file, the last
AuthorizedKeysFile entry wins. I suggest just stop reading the file if
you get to a Match stanza (either here or in parse_ssh_config_lines). If
you get really fancy, you could see if the username you're looking up is
under an explicit Match User ec2-user stanza. But as it is now, it's an
all-or-nothing where my AuthorizedKeysFile lives.
Process
Setup an sshd_config utilizing a Match option, like
Match Group my-special-group
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
and then have cloud-init do it's ssh configuration
Current and expected result
Current: the last AuthorizedKeysFile statement wins, regardless if it's at the global level or underneath a Match
Expected: cloud-init only respects the globally defined AuthorizedKeysFile, or falls back to the standard homedir location
Screenshot
n/a
** Affects: cloud-init
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1915772
Title:
config-ssh module doesn't respect Match conditions in sshd_config
Status in cloud-init:
New
Bug description:
Summary
Per https://www.freebsd.org/cgi/man.cgi?sshd_config(5)
Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the
following lines override those set in the global section of the config file, until either anotherMatch line or the end of the
file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.
Say I have a Match setup for a group to use a special location of an
AuthorizedKeysFile, basically to move this out of the homedir these
restricted users are jailed in.
Match Group my-special-group
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Relevant Code:
https://github.com/canonical/cloud-init/blob/09193e5141ca45b822617399047204abd701047e/cloudinit/ssh_util.py#L274
and ultimately lies in the implantation at
https://github.com/canonical/cloud-init/blob/09193e5141ca45b822617399047204abd701047e/cloudinit/ssh_util.py#L344
the way parse_ssh_config_map parses the file, the last
AuthorizedKeysFile entry wins. I suggest just stop reading the file if
you get to a Match stanza (either here or in parse_ssh_config_lines).
If you get really fancy, you could see if the username you're looking
up is under an explicit Match User ec2-user stanza. But as it is now,
it's an all-or-nothing where my AuthorizedKeysFile lives.
Process
Setup an sshd_config utilizing a Match option, like
Match Group my-special-group
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
and then have cloud-init do it's ssh configuration
Current and expected result
Current: the last AuthorizedKeysFile statement wins, regardless if it's at the global level or underneath a Match
Expected: cloud-init only respects the globally defined AuthorizedKeysFile, or falls back to the standard homedir location
Screenshot
n/a
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1915772/+subscriptions
Follow ups