
SSH key options are not respected when user is root

Open ubuntu-server-builder opened this issue 2 years ago • 5 comments

This bug was originally filed in Launchpad as LP: #1924614

Launchpad details
affected_projects = []
assignee = None
assignee_name = None
date_closed = None
date_created = 2021-04-15T21:17:34.442043+00:00
date_fix_committed = None
date_fix_released = None
id = 1924614
importance = low
is_complete = False
lp_url = https://bugs.launchpad.net/cloud-init/+bug/1924614
milestone = None
owner = emptystring
owner_name = Tris Emmy Wilson
private = False
status = triaged
submitter = emptystring
submitter_name = Tris Emmy Wilson
tags = []
duplicates = []

Launchpad user Tris Emmy Wilson(emptystring) wrote on 2021-04-15T21:17:34.442043+00:00

In user data, if "user" is set to "root" and "ssh_authorized_keys" are set, any SSH key options are ignored. For example, with the following:

user: root
ssh_authorized_keys:
  - cert-authority,principals="globalroot" ssh-ed25519 SomeEd25519Key Global User Issuing CA

...the following ends up in ~root/.ssh/authorized_keys:

ssh-ed25519 SomeEd25519Key Global User Issuing CA

However, the SSH key options are respected when "user" is not set to root.

I think, but am not sure, that this is due to an oversight in the apply_credentials method in cc_ssh.py. In this snippet:

if disable_root:
    if not user:
        user = "NONE"
    key_prefix = disable_root_opts.replace('$USER', user)
    key_prefix = key_prefix.replace('$DISABLE_USER', 'root')
else:
    key_prefix = ''

"key_prefix" being set to the empty string causes "ssh_util.setup_user_keys" to pass a non-None value to AuthKeyLineParser.parse, causing it to ignore the options set on the key in favor of the empty string. I think setting "key_prefix = None" here may fix the problem but don't know enough about the cloud-init development process + what the security implications of this might be.

I'm testing in a Proxmox 6 environment using the Debian 10 OpenStack cloud-init image.

ubuntu-server-builder, May 12 '23 12:05
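The mechanism described in the report, as an added example that is not cloud-init's own code: a small authorized_keys line parser with the same "caller-supplied options override" shape the report attributes to AuthKeyLineParser.parse, a stand-in for the key_prefix logic in apply_credentials, and a check that reports keys whose options did not survive. The function names, the shortened DISABLE_ROOT_OPTS string and the `fixed` switch are assumptions made for this example; the CA key line is the one from the report.

```python
"""Constructed illustration of the key_prefix '' vs None bug.

Not cloud-init's code: a minimal parser modelled on the behaviour the issue
describes (a non-None `options` argument replaces the options found on the
line), plus a stand-in for the key_prefix branch quoted from apply_credentials.
"""
from dataclasses import dataclass
from typing import List, Optional

# Key types accepted by this toy parser (a subset of what OpenSSH knows).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

# Shortened stand-in for cloud-init's disable-root options (constructed).
DISABLE_ROOT_OPTS = (
    'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,'
    'command="echo Please login as the user $USER rather than $DISABLE_USER;'
    'sleep 10;exit 142"'
)

# The key line from the report (cert-authority with a principals restriction).
CA_LINE = ('cert-authority,principals="globalroot" ssh-ed25519 '
           'SomeEd25519Key Global User Issuing CA')


@dataclass
class AuthKeyLine:
    options: str    # e.g. 'cert-authority,principals="globalroot"' or ''
    keytype: str
    base64: str
    comment: str

    def render(self) -> str:
        # Empty fields are dropped so a key without options/comment renders cleanly.
        return " ".join(p for p in (self.options, self.keytype, self.base64, self.comment) if p)


def _first_field(text: str):
    """Split off the first whitespace-separated field, honouring double quotes
    so that principals="a b" or command="..." stays one field."""
    buf, quoted, i = [], False, 0
    while i < len(text):
        c = text[i]
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        buf.append(c)
        i += 1
    return "".join(buf), text[i:].lstrip()


def parse(line: str, options: Optional[str] = None) -> AuthKeyLine:
    """Parse one authorized_keys line.  `options` mirrors the override the
    issue describes: anything other than None REPLACES the options on the
    line, so passing '' silently strips them."""
    first, rest = _first_field(line.strip())
    if first in KEY_TYPES:
        line_opts, keytype = "", first
    else:
        line_opts = first
        keytype, rest = _first_field(rest)
        if keytype not in KEY_TYPES:
            raise ValueError(f"unrecognised key type in: {line!r}")
    base64, comment = _first_field(rest)
    if not base64:
        raise ValueError(f"missing key data in: {line!r}")
    return AuthKeyLine(line_opts if options is None else options, keytype, base64, comment)


def key_prefix_for_root(disable_root: bool, user: Optional[str], fixed: bool) -> Optional[str]:
    """Stand-in for the quoted key_prefix branch.  fixed=False reproduces the
    reported behaviour (prefix ''); fixed=True the proposed change (None)."""
    if disable_root:
        if not user:
            user = "NONE"
        return DISABLE_ROOT_OPTS.replace("$USER", user).replace("$DISABLE_USER", "root")
    return None if fixed else ""


def write_root_keys(keys: List[str], disable_root: bool, user: Optional[str], fixed: bool) -> List[str]:
    """Render the lines that would land in ~root/.ssh/authorized_keys."""
    prefix = key_prefix_for_root(disable_root, user, fixed)
    return [parse(k, options=prefix).render() for k in keys]


def lost_options(requested: List[str], written: List[str]) -> List[str]:
    """Check: return requested keys whose options are missing or changed in
    what was written (e.g. a CA key that lost its principals restriction)."""
    written_by_key = {(e.keytype, e.base64): e for e in map(parse, written)}
    lost = []
    for r in map(parse, requested):
        w = written_by_key.get((r.keytype, r.base64))
        if r.options and (w is None or w.options != r.options):
            lost.append(r.render())
    return lost


if __name__ == "__main__":
    for fixed in (False, True):
        out = write_root_keys([CA_LINE], disable_root=False, user="root", fixed=fixed)
        print(f"fixed={fixed}: {out[0]}")
        print("  keys that lost options:", lost_options([CA_LINE], out))
```

With `fixed=False` the CA line is written without `cert-authority,principals="globalroot"`, which is exactly the line the report shows in ~root/.ssh/authorized_keys; with `fixed=True` the line is written unchanged. The `lost_options` check is the kind of post-boot assertion worth running for any key whose options carry a restriction.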

Launchpad user Tris Emmy Wilson(emptystring) wrote on 2021-04-15T21:17:34.442043+00:00

Launchpad attachments: cloud-init collect-logs output

ubuntu-server-builder, May 12 '23 12:05

Launchpad user Paride Legovini(paride) wrote on 2021-04-16T16:04:50.569726+00:00

Hello Tris and thanks for your bug report. I agree with your findings and could reproduce the issue. The fact that key_prefix is set to the empty string is likely to be the culprit, as you found out already.

ubuntu-server-builder, May 12 '23 12:05

Launchpad user Tris Emmy Wilson(emptystring) wrote on 2021-04-17T04:46:58.958907+00:00

I submitted a PR fixing this: https://github.com/canonical/cloud-init/pull/871

ubuntu-server-builder, May 12 '23 12:05

Launchpad user shixuantong(sxt1001) wrote on 2022-12-11T04:08:26.266927+00:00

I find that the preceding solution is not merged and has been automatically closed. Can you submit it again?

ubuntu-server-builder, May 12 '23 12:05

I can reproduce this with the latest copr test build linked in the readme, which is version 23.4+114.g180da9ba-1.el9 and with 25.1 built from source.

Derkades, Feb 24 '25 13:02