
yahoo-eng-team team mailing list archive

[Bug 1935857] Re: cc_ssh: parse_ssh_config_map does not take into account user-specific Match section overrides

 

Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/3889

** Bug watch added: github.com/canonical/cloud-init/issues #3889
   https://github.com/canonical/cloud-init/issues/3889

** Changed in: cloud-init
       Status: Triaged => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1935857

Title:
  cc_ssh: parse_ssh_config_map does not take into account user-specific
  Match section overrides

Status in cloud-init:
  Expired

Bug description:
  cloud-init 21.2

  User-specific Match sections can be provided in /etc/ssh/sshd_config
  to override global ssh config default settings such as
  AuthorizedKeysFile.

  
  cloud-init's parsing of sshd_config in ssh_util[1] is simplistic and treats each line in the sshd_config file as a simple key/value pair. Any AuthorizedKeysFile defined in a Match section below the global AuthorizedKeysFile setting will override the global value, even if that definition should only be scoped to a specific user Match.

  
  Here is an example adding a specific Match section which should only apply non-default AuthorizedKeysFile to the "custom" user, and how cloud-init incorrectly represents that content.

  $ cat > sshd_bad_parse.yaml <<'EOF'
  #cloud-config
  write_files:
   - path: /etc/ssh/sshd_config
     content: |
        AuthorizedKeysFile .ssh/authorized_keys
        # Inject custom user-specific match which should only affect custom user
        Match User custom
          AuthorizedKeysFile      .ssh/unique_ubuntu_keyfile
     append: true
  users:
   - default
   - name: custom
     sudo: false
     ssh_authorized_keys:
     - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSL7uWGj8cgWyIOaspgKdVy0cKJ+UTjfv7jBOjG2H/GN8bJVXy72XAvnhM0dUM+CCs8FOf0YlPX+Frvz2hKInrmRhZVwRSL129PasD12MlI3l44u6IwS1o/W86Q+tkQYEljtqDOo0a+cOsaZkvUNzUyEXUwz/lmYa6G4hMKZH4NBj7nbAAF96wsMCoyNwbWryBnDYUr6wMbjRR1J9Pw7Xh7WRC73wy4Va2YuOgbD3V/5ZrFPLbWZW/7TFXVrql04QVbyei4aiFR5n//GvoqwQDNe58LmbzX/xvxyKJYdny2zXmdAhMxbrpFQsfpkJ9E/H5w0yOdSvnWbUoG5xNGoOB csmith@fringe # ssh-import-id lp:chad.smith"
  EOF
  $ lxc launch ubuntu-daily:bionic ssh-b -c user.user-data="$(cat sshd_bad_parse.yaml)"

  $ lxc exec ssh-b -- python3 -c 'from cloudinit.ssh_util import parse_ssh_config_map; print(parse_ssh_config_map("/etc/ssh/sshd_config")["authorizedkeysfile"])'
  .ssh/unique_ubuntu_keyfile

  # Expected global authorizedkeysfile config to be
  .ssh/authorized_keys

  
  References:
  [1] simple sshd_config key value parsing https://github.com/canonical/cloud-init/blob/main/cloudinit/ssh_util.py#L332-L339

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1935857/+subscriptions
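The report above shows the failure mode but not the fix. The following is an added example, not code from the bug report or from cloud-init itself: a naive last-line-wins reading of sshd_config (the behaviour the report describes) next to a Match-aware reading that keeps the global value separate from the per-Match overrides, and a resolver that picks the value sshd would apply to a given user. The config text is constructed for the example; the parser accepts the `Key value` and `Key=value` forms sshd_config(5) allows, and the resolver only evaluates `User`, `Group` and `all` criteria (an assumption to keep it short; Host/Address/LocalPort blocks are treated as not matching).

```python
"""Naive vs Match-aware parsing of sshd_config (added example, not cloud-init code)."""
import fnmatch
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sshd_config modelled on the bug report, plus a second Match block.
SAMPLE_SSHD_CONFIG = """\
# global section
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

Match User custom
  AuthorizedKeysFile .ssh/unique_ubuntu_keyfile

Match Group deploy
  PasswordAuthentication yes
  AuthorizedKeysFile /etc/ssh/deploy_keys/%u
"""


def _split_kv(line: str) -> Tuple[str, str]:
    """Split 'Key value' or 'Key=value'; keywords are case-insensitive, arguments are not."""
    parts = re.split(r"\s*=\s*|\s+", line.strip(), maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"not a keyword/argument pair: {line!r}")
    return parts[0].lower(), parts[1].strip()


def naive_parse(text: str) -> Dict[str, str]:
    """Flat last-value-wins map over every line, ignoring Match boundaries.
    This reproduces the bug: a Match-scoped override clobbers the global value."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, val = _split_kv(line)
        out[key] = val
    return out


def match_aware_parse(text: str) -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Return (global options, [(match criteria, options), ...]).
    Per sshd_config(5) a Match block extends to the next Match line or end of file,
    so everything before the first Match is global and nothing after it is."""
    global_opts: Dict[str, str] = {}
    blocks: List[Tuple[str, Dict[str, str]]] = []
    current = global_opts
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, val = _split_kv(line)
        if key == "match":
            current = {}
            blocks.append((val, current))
            continue
        current[key] = val
    return global_opts, blocks


def _criteria_satisfied(criteria: str, user: str, groups: Iterable[str]) -> bool:
    """Evaluate a Match line's criteria for one user. Only 'all', 'User' and 'Group'
    are handled here (assumption); every criterion on the line must be satisfied."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    if len(tokens) % 2:
        return False
    for crit, pattern_list in zip(tokens[::2], tokens[1::2]):
        patterns = pattern_list.split(",")
        if crit.lower() == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in patterns):
                return False
        elif crit.lower() == "group":
            if not any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns):
                return False
        else:
            return False  # Host/Address/LocalPort/...: not evaluated in this example
    return True


def effective_option(text: str, key: str, user: str,
                     groups: Iterable[str] = ()) -> Optional[str]:
    """Value sshd would apply for `user`: the first satisfied Match block that sets
    `key` wins (as sshd_config(5) specifies); otherwise the global value."""
    global_opts, blocks = match_aware_parse(text)
    groups = tuple(groups)
    for criteria, opts in blocks:
        if key.lower() in opts and _criteria_satisfied(criteria, user, groups):
            return opts[key.lower()]
    return global_opts.get(key.lower())


if __name__ == "__main__":
    print("naive      :", naive_parse(SAMPLE_SSHD_CONFIG)["authorizedkeysfile"])
    print("global     :", match_aware_parse(SAMPLE_SSHD_CONFIG)[0]["authorizedkeysfile"])
    print("for custom :", effective_option(SAMPLE_SSHD_CONFIG, "AuthorizedKeysFile", "custom"))
```

Running the block shows the point of the report: the naive map returns whatever the last Match block set, while the Match-aware split keeps `.ssh/authorized_keys` as the global value and only hands `.ssh/unique_ubuntu_keyfile` to the `custom` user. A caller that wants to install keys for the default user should read the global section (or resolve for that user), never the flat map.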
