
yahoo-eng-team team mailing list archive

[Bug 1915772] [NEW] config-ssh module doesn't respect Match conditions in sshd_config

Public bug reported:

Summary
Per https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the
following lines override those set in the global section of the config file, until either another Match line or the end of the
file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

Say I have a Match setup for a group to use a special location of an
AuthorizedKeysFile, basically to move this out of the homedir these
restricted users are jailed in.

Match Group my-special-group
    AuthorizedKeysFile  /etc/ssh/authorized_keys/%u

Relevant Code:
https://github.com/canonical/cloud-init/blob/09193e5141ca45b822617399047204abd701047e/cloudinit/ssh_util.py#L274
and ultimately lies in the implementation at
https://github.com/canonical/cloud-init/blob/09193e5141ca45b822617399047204abd701047e/cloudinit/ssh_util.py#L344

The way parse_ssh_config_map parses the file, the last
AuthorizedKeysFile entry wins. I suggest just stopping reading the file if
you get to a Match stanza (either here or in parse_ssh_config_lines). If
you get really fancy, you could see if the username you're looking up is
under an explicit Match User ec2-user stanza. But as it is now, it's an
all-or-nothing where my AuthorizedKeysFile lives.

Process
Set up an sshd_config utilizing a Match option, like

Match Group my-special-group
    AuthorizedKeysFile  /etc/ssh/authorized_keys/%u

and then have cloud-init do its ssh configuration

Current and expected result
Current: the last AuthorizedKeysFile statement wins, regardless of whether it's at the global level or underneath a Match
Expected: cloud-init only respects the globally defined AuthorizedKeysFile, or falls back to the standard homedir location

Screenshot
n/a

** Affects: cloud-init
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1915772
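The following resolver is an added example, not cloud-init's code or the fix it eventually shipped. It derives the AuthorizedKeysFile path the way sshd_config(5) describes: the first satisfied Match block overrides the global value, and a block whose criteria cannot be evaluated at provisioning time (Address, Host, LocalPort) is treated as not satisfied, which is the safe reading of the "stop at Match" suggestion above. The sample config, user names and group names are constructed.

```python
# sshd's own default when no AuthorizedKeysFile is set (paths relative to $HOME).
DEFAULT_AUTHORIZED_KEYS = [".ssh/authorized_keys", ".ssh/authorized_keys2"]
# Constructed sample mirroring the report: a global value, a Match for the jailed
# group, then a user-specific Match; keyword case is varied on purpose.
SAMPLE_SSHD_CONFIG = """\
authorizedkeysfile .ssh/authorized_keys
Match Group my-special-group
    AuthorizedKeysFile  /etc/ssh/authorized_keys/%u
Match User ec2-user
    AuthorizedKeysFile  /var/lib/ec2-keys/%u
"""

def parse_sshd_config(text: str) -> list:
    """(keyword, value, criteria) triples; criteria is None until the first Match."""
    entries, criteria = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            criteria = value          # every keyword from here on belongs to this block
        else:
            entries.append((key, value, criteria))
    return entries

def match_satisfied(criteria: str, user: str, groups: set) -> bool:
    """User/Group are comma-separated exact names (globs and '!' not handled); Address,
    Host etc. need a live connection, so a block using them counts as NOT satisfied."""
    tokens = criteria.split()                  # "Match all" yields no pairs -> True
    for crit, pattern in zip(tokens[0::2], tokens[1::2]):
        names = set(pattern.split(","))
        if (crit.lower() == "user" and user in names) or (
                crit.lower() == "group" and groups & names):
            continue
        return False
    return True

def authorized_keys_files(text: str, user: str, groups: set) -> list:
    """Paths sshd would use for this user: the first satisfied Match block overrides
    the first global value (sshd keeps a keyword's first occurrence); %u is expanded."""
    global_value = match_value = None
    for key, value, criteria in parse_sshd_config(text):
        if key != "authorizedkeysfile":
            continue
        if criteria is None:
            global_value = global_value or value
        elif match_value is None and match_satisfied(criteria, user, groups):
            match_value = value
    chosen = match_value or global_value or " ".join(DEFAULT_AUTHORIZED_KEYS)
    return [p.replace("%u", user) for p in chosen.split()]
```

With the sample above, a member of my-special-group resolves to /etc/ssh/authorized_keys/<user>, while a user matching no block keeps the global .ssh/authorized_keys.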
