yahoo-eng-team team mailing list archive

[Bug 1915772] Re: config-ssh module doesn't respect Match conditions in sshd_config

Tracked in GitHub Issues as https://github.com/canonical/cloud-init/issues/3842

** Bug watch added: github.com/canonical/cloud-init/issues #3842
   https://github.com/canonical/cloud-init/issues/3842

** Changed in: cloud-init
       Status: Triaged => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1915772

Title:
  config-ssh module doesn't respect Match conditions in sshd_config

Status in cloud-init:
  Expired

Bug description:
  Summary
  Per https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

  Match: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the
  following lines override those set in the global section of the config file, until either another Match line or the end of the
  file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

  Say I have a Match setup for a group to use a special location of an
  AuthorizedKeysFile, basically to move this out of the homedir these
  restricted users are jailed in.

  Match Group my-special-group
      AuthorizedKeysFile  /etc/ssh/authorized_keys/%u

  Relevant Code:
  https://github.com/canonical/cloud-init/blob/09193e5141ca45b822617399047204abd701047e/cloudinit/ssh_util.py#L274
  and ultimately lies in the implementation at
  https://github.com/canonical/cloud-init/blob/09193e5141ca45b822617399047204abd701047e/cloudinit/ssh_util.py#L344

  The way parse_ssh_config_map parses the file, the last
  AuthorizedKeysFile entry wins. I suggest just stopping reading the file if
  you get to a Match stanza (either here or in parse_ssh_config_lines).
  If you get really fancy, you could see if the username you're looking
  up is under an explicit Match User ec2-user stanza. But as it is now,
  it's an all-or-nothing where my AuthorizedKeysFile wins.

  Process
  Set up an sshd_config utilizing a Match option, like

  Match Group my-special-group
      AuthorizedKeysFile  /etc/ssh/authorized_keys/%u

  and then have cloud-init do its ssh configuration

  Current and expected result
  Current: the last AuthorizedKeysFile statement wins, regardless of whether it's at the global level or underneath a Match
  Expected: cloud-init only respects the globally defined AuthorizedKeysFile, or falls back to the standard homedir location

  Screenshot
  n/a

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1915772/+subscriptions
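The two parsing behaviours described in the report, side by side, as an added example that is not cloud-init's own code: a flat "last keyword wins" map, and a Match-aware reader that stops at the first Match line and falls back to sshd's default key location. The sample sshd_config and the function names are constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

DEFAULT_AUTHORIZED_KEYS = ".ssh/authorized_keys"  # sshd's built-in default

# Constructed sample (not taken from a real host): a global section followed
# by the Match block quoted in the bug report.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
Match Group my-special-group
    AuthorizedKeysFile  /etc/ssh/authorized_keys/%u
"""

def parse_lines(text: str) -> List[Tuple[str, str]]:
    """Split sshd_config into (keyword, value) pairs in file order. Comments and
    blanks are skipped; 'Key value' and 'Key=value' are both accepted and
    keywords are lower-cased because sshd treats them case-insensitively."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs

def last_wins(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """The reported behaviour: a flat map where a later occurrence overwrites an
    earlier one, so a value set inside a Match block leaks into the global view."""
    return dict(pairs)

def global_section(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Match-aware variant: stop at the first Match line, since everything after
    it is conditional until the next Match line or end of file. Inside the global
    section sshd uses the first value of a keyword, hence setdefault."""
    result: Dict[str, str] = {}
    for key, value in pairs:
        if key == "match":
            break
        result.setdefault(key, value)
    return result

def authorized_keys_file(text: str, match_aware: bool = True) -> str:
    """AuthorizedKeysFile a cloud-init-style reader would act on, with sshd's
    default as the fallback when the global section does not set it."""
    pairs = parse_lines(text)
    cfg = global_section(pairs) if match_aware else last_wins(pairs)
    return cfg.get("authorizedkeysfile", DEFAULT_AUTHORIZED_KEYS)
```

With `match_aware=False` the sample yields the jailed group's path, which is the reported bug; the Match-aware reader returns the global value, and a config whose only AuthorizedKeysFile sits under a Match block falls back to the default.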
