yahoo-eng-team team mailing list archive
Message #86599
[Bug 1935857] [NEW] cc_ssh: parse_ssh_config_map does not take into account user-specific Match section overrides
Public bug reported:
cloud-init 21.2
User-specific Match sections can be provided in /etc/ssh/sshd_config to
override global ssh config default settings such as AuthorizedKeysFile.
cloud-init's parsing of sshd_config in ssh_util[1] is simplistic and treats each line in the sshd_config file as a simple key/value pair. Any Match section defined below a global AuthorizedKeysFile setting causes the global value to be overridden by the AuthorizedKeysFile line inside that Match section, even if that definition should only be scoped to a specific user Match.
Here is an example adding a specific Match section which should only apply a non-default AuthorizedKeysFile to the "custom" user, and how cloud-init incorrectly represents that content.
$ cat > sshd_bad_parse.yaml <<EOF
#cloud-config
write_files:
- path: /etc/ssh/sshd_config
  content: |
    AuthorizedKeysFile .ssh/authorized_keys
    # Inject custom user-specific match which should only affect custom user
    Match User custom
        AuthorizedKeysFile .ssh/unique_ubuntu_keyfile
  append: true
users:
- default
- name: custom
  sudo: false
  ssh_authorized_keys:
  - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSL7uWGj8cgWyIOaspgKdVy0cKJ+UTjfv7jBOjG2H/GN8bJVXy72XAvnhM0dUM+CCs8FOf0YlPX+Frvz2hKInrmRhZVwRSL129PasD12MlI3l44u6IwS1o/W86Q+tkQYEljtqDOo0a+cOsaZkvUNzUyEXUwz/lmYa6G4hMKZH4NBj7nbAAF96wsMCoyNwbWryBnDYUr6wMbjRR1J9Pw7Xh7WRC73wy4Va2YuOgbD3V/5ZrFPLbWZW/7TFXVrql04QVbyei4aiFR5n//GvoqwQDNe58LmbzX/xvxyKJYdny2zXmdAhMxbrpFQsfpkJ9E/H5w0yOdSvnWbUoG5xNGoOB csmith@fringe # ssh-import-id lp:chad.smith"
EOF
$ lxc launch ubuntu-daily:bionic ssh-b -c user.user-data="$(cat sshd_bad_parse.yaml)"
$ lxc exec ssh-b -- python3 -c 'from cloudinit.ssh_util import parse_ssh_config_map; print(parse_ssh_config_map("/etc/ssh/sshd_config")["authorizedkeysfile"])'
.ssh/unique_ubuntu_keyfile
# Expected global authorizedkeysfile config to be .ssh/authorized_keys
References:
[1] simple sshd_config key value parsing https://github.com/canonical/cloud-init/blob/main/cloudinit/ssh_util.py#L332-L339
** Affects: cloud-init
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1935857
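The parsing problem the report describes, reproduced and contrasted with a Match-aware parser, as an added example in Python that is not cloud-init's code. naive_config_map re-implements, for illustration only, the flat key/value behaviour the report describes; parse_sshd_config and effective_value keep the global section and each Match block apart so AuthorizedKeysFile resolves correctly for both the global scope and the "custom" user. The sample sshd_config text is constructed (it adds a second Match block so a keyword other than AuthorizedKeysFile is overridden too), only the User and Group criteria are evaluated (an assumption to keep the example short), and all function names are illustrative.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample sshd_config mirroring the bug report, plus a second Match
# block so a keyword other than AuthorizedKeysFile is also overridden.
SAMPLE_SSHD_CONFIG = """\
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

# Inject custom user-specific match which should only affect custom user
Match User custom
    AuthorizedKeysFile .ssh/unique_ubuntu_keyfile

Match Group admins
    PasswordAuthentication yes
"""

# Keywords are case-insensitive and separated from the argument by whitespace
# or '='; arguments are case-sensitive (sshd_config(5)).
_KEYWORD_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

Options = Dict[str, str]
MatchBlock = Tuple[str, Options]  # ("User custom", {keyword: value})


def _split_keyword(line: str) -> Optional[Tuple[str, str]]:
    """Split 'Keyword value' or 'Keyword=value' into (lowercased keyword, value)."""
    m = _KEYWORD_RE.match(line)
    return (m.group(1).lower(), m.group(2).strip()) if m else None


def _directives(text: str):
    """Yield (keyword, value) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            kv = _split_keyword(line)
            if kv is not None:
                yield kv


def naive_config_map(text: str) -> Options:
    """Flat key/value map with no notion of Match (illustrative re-implementation
    of the parsing the report describes, not cloud-init's code). Every directive
    lands in one dict, so a line inside a later Match block silently replaces
    the global one."""
    return dict(_directives(text))


def parse_sshd_config(text: str) -> Tuple[Options, List[MatchBlock]]:
    """Match-aware parser. A 'Match' line opens a block that collects directives
    until the next 'Match' line or end of file; lines before the first 'Match'
    are global. Within a scope sshd honours the first instance of a keyword, so
    duplicates are kept first-wins rather than last-wins."""
    global_options: Options = {}
    blocks: List[MatchBlock] = []
    scope = global_options
    for key, val in _directives(text):
        if key == "match":
            scope = {}
            blocks.append((val, scope))
        else:
            scope.setdefault(key, val)
    return global_options, blocks


def _match_applies(criteria: str, user: Optional[str], group: Optional[str]) -> bool:
    """Evaluate 'User'/'Group' criteria given as criterion/pattern-list pairs.
    Other criteria (Address, Host, LocalPort, All, ...) are treated as
    non-matching: an assumption that keeps the example short."""
    tokens = criteria.split()
    if not tokens or len(tokens) % 2:
        return False
    for crit, patterns in zip(tokens[::2], tokens[1::2]):
        subject = {"user": user, "group": group}.get(crit.lower())
        if subject is None or not any(
                fnmatch.fnmatchcase(subject, p) for p in patterns.split(",")):
            return False
    return True


def effective_value(global_options: Options, blocks: List[MatchBlock], key: str,
                    user: Optional[str] = None, group: Optional[str] = None) -> Optional[str]:
    """Resolve `key` for a connection: the first applicable Match block that
    sets it wins, otherwise the global value (sshd_config(5), Match)."""
    key = key.lower()
    for criteria, options in blocks:
        if key in options and _match_applies(criteria, user, group):
            return options[key]
    return global_options.get(key)


def demo() -> Dict[str, Optional[str]]:
    """Contrast the flat map with scoped resolution on the sample config."""
    global_options, blocks = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    return {
        # what a flat map reports as the "global" value: the Match override
        "naive_global": naive_config_map(SAMPLE_SSHD_CONFIG)["authorizedkeysfile"],
        "global": effective_value(global_options, blocks, "AuthorizedKeysFile", user="ubuntu"),
        "custom": effective_value(global_options, blocks, "AuthorizedKeysFile", user="custom"),
    }
```

The flat map reports .ssh/unique_ubuntu_keyfile as the global AuthorizedKeysFile, exactly the wrong answer shown in the report, while the scoped parser returns .ssh/authorized_keys for any user other than "custom". The same scoping problem applies to any other keyword read from sshd_config this way, so a tool that only needs the value for one account is better off asking sshd itself: `sshd -T -C user=custom` prints the effective configuration for that connection spec and already accounts for Match blocks, Include files and the remaining criteria this example leaves out.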