yahoo-eng-team team mailing list archive

[Bug 1917817] Re: sshd_config authorizedkeysfile setting is not honored after v18.5

 

This issue should be fixed with
https://github.com/canonical/cloud-init/pull/956 along with the other
PRs/bugs referenced in that PR.

** Changed in: cloud-init
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1917817

Title:
  sshd_config authorizedkeysfile setting is not honored after v18.5

Status in cloud-init:
  Fix Released

Bug description:
  1. Cloud Provider: AWS
  2. The only non-default settings we have are:

  runcmd:
   - [ /bin/chmod, 755, /etc/ssh/auth_keys ]

  system_info:
    distro: rhel
    default_user:
      name: ec2-user
      lock_passwd: true
      gecos: EC2 Default User
      groups: [ wheel, adm, systemd-journald ]
      sudo: [ "ALL=(ALL) NOPASSWD:ALL" ]
      shell: /bin/bash
    paths:
      cloud_dir: /var/lib/cloud
      templates_dir: /etc/cloud/templates
    ssh_svcname: sshd

  
  # Relevant setting from /etc/ssh/sshd_config:
  AuthorizedKeysFile /etc/ssh/auth_keys/%u

  3. Unfortunately, policies do not allow me to upload logs, but I will
  try to describe the problem below.

  I am using the RHEL version of cloud-init, and between RHEL version
  upgrades ssh keys stopped working on EC2. We had no config changes to
  cloud-init, but the cloud-init version got upgraded from 18.5 to 19.4.

  Our investigation showed that authorizedkeysfile in our sshd_config
  (/etc/ssh/auth_keys/%u) does not get populated when cloud-init is run.
  Instead, it populates the default user's .ssh directory at
  /home/{user}/.ssh/authorized_keys.

  I also tested with RHEL 8.3 and the same problem exists there as well.

  OS       | rpm version                         | Status
  RHEL 7.7 | cloud-init-18.5-6.el7.x86_64        | OK
  RHEL 7.9 | cloud-init-19.4-7.el7_9.2.x86_64    | Problem
  RHEL 8.3 | cloud-init-19.4-11.el8_3.1.noarch   | Problem

  As a side note, older RHEL 7.5 also works fine, which led me to
  believe the problem was introduced either in the 19.1 or in the 19.4
  update.

  Looking into the code base, ssh_util changes looked like a suspect to
  me, but I did not see any tests for ssh_util, so I am not sure where
  exactly the problem is or what the function outputs are.

  Any thoughts?

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1917817/+subscriptions
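
To confirm the mismatch described in the bug on a given host, the following added example (not part of the original report and not cloud-init's code) resolves the files sshd will read for a user from AuthorizedKeysFile and checks whether a written key file is among them. The function names and the sample config are constructed for illustration; Include files, Match blocks and quoted arguments are assumed absent.

```python
import os
import re

# sshd's documented default when AuthorizedKeysFile is not set
DEFAULT_AKF = ".ssh/authorized_keys .ssh/authorized_keys2"

# Constructed sample, using the setting quoted in the bug description
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt
PasswordAuthentication no
AuthorizedKeysFile /etc/ssh/auth_keys/%u
"""

def _expand(pattern, user, home):
    """Expand %u, %h and %%; relative results are relative to the home dir."""
    table = {"%": "%", "u": user, "h": home}
    path = re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), pattern)
    return path if os.path.isabs(path) else os.path.join(home, path)

def authorized_keys_paths(config_text, user, home):
    """Files sshd consults for `user` according to the global section."""
    value = DEFAULT_AKF
    for raw in config_text.splitlines():
        fields = raw.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()          # keywords are case-insensitive
        if keyword == "match":               # global section ends here
            break
        if keyword == "authorizedkeysfile" and len(fields) == 2:
            value = fields[1]                # first value obtained wins
            break
    if value.strip().lower() == "none":
        return []
    return [_expand(p, user, home) for p in value.split()]

def sshd_reads(config_text, user, home, written_path):
    """True if a key file written at `written_path` is one sshd will read."""
    wanted = {os.path.normpath(p)
              for p in authorized_keys_paths(config_text, user, home)}
    return os.path.normpath(written_path) in wanted

if __name__ == "__main__":
    home = "/home/ec2-user"
    print(authorized_keys_paths(SAMPLE_CONFIG, "ec2-user", home))
    print(sshd_reads(SAMPLE_CONFIG, "ec2-user", home, home + "/.ssh/authorized_keys"))
```

With the reporter's setting, the home-directory file is not among the paths sshd reads, which matches the login failure described above.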


