
yahoo-eng-team team mailing list archive

[Bug 1935857] [NEW] cc_ssh: parse_ssh_config_map does not take into account user-specific Match section overrides


Public bug reported:

cloud-init 21.2

User-specific Match sections can be provided in /etc/ssh/sshd_config to
override global ssh config default settings such as AuthorizedKeysFile.


cloud-init's parsing of sshd_config in ssh_util[1] is simplistic and treats each line in the sshd_config file as a simple key/value pair. Any AuthorizedKeysFile definition in a Match section placed below the global AuthorizedKeysFile setting will override the global value, even if that definition should only be scoped to a specific user Match.


Here is an example adding a specific Match section which should only apply a non-default AuthorizedKeysFile to the "custom" user, and how cloud-init incorrectly represents that content.

$ cat > sshd_bad_parse.yaml <<EOF
#cloud-config
write_files:
 - path: /etc/ssh/sshd_config
   content: |
      # Global default (sshd_config uses "Keyword value", not "Keyword: value")
      AuthorizedKeysFile .ssh/authorized_keys
      # Inject custom user-specific match which should only affect custom user
      Match User custom
        AuthorizedKeysFile      .ssh/unique_ubuntu_keyfile
   append: true
users:
 - default
 - name: custom
   sudo: false
   ssh_authorized_keys:
   - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSL7uWGj8cgWyIOaspgKdVy0cKJ+UTjfv7jBOjG2H/GN8bJVXy72XAvnhM0dUM+CCs8FOf0YlPX+Frvz2hKInrmRhZVwRSL129PasD12MlI3l44u6IwS1o/W86Q+tkQYEljtqDOo0a+cOsaZkvUNzUyEXUwz/lmYa6G4hMKZH4NBj7nbAAF96wsMCoyNwbWryBnDYUr6wMbjRR1J9Pw7Xh7WRC73wy4Va2YuOgbD3V/5ZrFPLbWZW/7TFXVrql04QVbyei4aiFR5n//GvoqwQDNe58LmbzX/xvxyKJYdny2zXmdAhMxbrpFQsfpkJ9E/H5w0yOdSvnWbUoG5xNGoOB csmith@fringe # ssh-import-id lp:chad.smith"
EOF
$ lxc launch ubuntu-daily:bionic ssh-b -c user.user-data="$(cat sshd_bad_parse.yaml)"

$ lxc exec ssh-b -- python3 -c 'from cloudinit.ssh_util import parse_ssh_config_map; print(parse_ssh_config_map("/etc/ssh/sshd_config")["authorizedkeysfile"])'
.ssh/unique_ubuntu_keyfile

# Expected global authorizedkeysfile config to be .ssh/authorized_keys


References:
[1] simple sshd_config key value parsing https://github.com/canonical/cloud-init/blob/main/cloudinit/ssh_util.py#L332-L339

** Affects: cloud-init
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1935857
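The parsing problem the report describes, shown as an added example that is not cloud-init's own code: a flat "last line wins" parser of the kind the report complains about, beside a Match-aware parser that keeps the global section and each Match block apart and resolves a keyword for a given user the way sshd applies "Match User". The sample sshd_config is constructed here to mirror the cloud-config above (with a second Match block added to show that non-matching blocks are ignored). Only the User criterion with sshd-style glob and "!" negation patterns is modelled, and the first value seen for a keyword within a section is kept; both are assumptions of this example, not a reimplementation of sshd's full matching (Group, Host, Address and other criteria are not handled).

```python
"""Match-aware sshd_config parsing (added example; not cloud-init's code)."""
import fnmatch

# Constructed sample sshd_config; mirrors the bug report's cloud-config and
# adds a second Match block so the resolver has something to skip.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# Inject custom user-specific match which should only affect custom user
Match User custom
  AuthorizedKeysFile      .ssh/unique_ubuntu_keyfile

Match User deploy,ops-*
  PasswordAuthentication yes
"""


def _split_keyword(line):
    """Split one config line into (lowercased keyword, value).

    sshd accepts both 'Keyword value' and 'Keyword=value'; runs of
    whitespace inside the value are collapsed to single spaces.
    """
    parts = line.split(None, 1)
    key, rest = parts[0], (parts[1] if len(parts) == 2 else "")
    if "=" in key:
        key, eq_value = key.split("=", 1)
        rest = (eq_value + " " + rest).strip()
    return key.lower(), " ".join(rest.split())


def flat_parse(text):
    """The simplistic behaviour the report describes: every line is a plain
    key/value pair and the last occurrence wins, so a Match-scoped
    AuthorizedKeysFile clobbers the global one."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, value = _split_keyword(line)
            result[key] = value
    return result


def parse_sshd_config(text):
    """Return (global_map, match_blocks).

    global_map holds keywords seen before the first Match line.
    match_blocks is a list of (criteria, settings) in file order, where
    criteria maps a lowercased criterion name to its comma-separated
    patterns, e.g. {'user': ['deploy', 'ops-*']}. Within one section the
    first value for a keyword is kept (assumed here to follow sshd's
    handling of most keywords).
    """
    global_map = {}
    match_blocks = []
    current = global_map
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split_keyword(line)
        if key == "match":
            # 'Match User foo Address 10.0.0.0/8' -> (criterion, patterns) pairs
            tokens = value.split()
            criteria = {c.lower(): p.split(",")
                        for c, p in zip(tokens[0::2], tokens[1::2])}
            current = {}
            match_blocks.append((criteria, current))
        else:
            current.setdefault(key, value)
    return global_map, match_blocks


def _user_matches(patterns, user):
    """sshd-style pattern list: '*'/'?' globs; a matching '!' pattern
    rejects outright, otherwise any positive hit accepts."""
    positive = False
    for pat in patterns:
        if fnmatch.fnmatchcase(user, pat.lstrip("!")):
            if pat.startswith("!"):
                return False
            positive = True
    return positive


def resolve(parsed, keyword, user):
    """Value of `keyword` sshd would apply for `user`: the first Match block
    (in file order) that matches and defines the keyword overrides the
    global value; otherwise the global value is returned."""
    global_map, match_blocks = parsed
    keyword = keyword.lower()
    for criteria, settings in match_blocks:
        if keyword not in settings:
            continue
        # Only the User criterion is modelled; a block using any other
        # criterion (Group, Host, Address, ...) is treated as not matching.
        if all(c == "user" and _user_matches(p, user) for c, p in criteria.items()):
            return settings[keyword]
    return global_map.get(keyword)


if __name__ == "__main__":
    parsed = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("flat parser:", flat_parse(SAMPLE_SSHD_CONFIG)["authorizedkeysfile"])
    for who in ("ubuntu", "custom", "ops-1"):
        print(who, resolve(parsed, "AuthorizedKeysFile", who),
              resolve(parsed, "PasswordAuthentication", who))
```

Running the script prints the flat parser's answer (`.ssh/unique_ubuntu_keyfile`, the value the report shows cloud-init returning) and then, per user, the value sshd would actually apply: the global `.ssh/authorized_keys .ssh/authorized_keys2` for `ubuntu` and `ops-1`, and the Match-scoped file only for `custom`. A consumer that needs the default key file location for provisioning (as cc_ssh does) should read from the global map, not from a flat dict that Match blocks have written over.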

