From ab16a7b242b1214581bbadcbd7cc979f6f17c43f Mon Sep 17 00:00:00 2001
From: Michael Rommel
Date: Mon, 14 Mar 2022 16:16:09 +0100
Subject: [PATCH 1/2] Expose https_proxy env variable to ssh-import-id cmd

The import of ssh keys for users does not work in corporate networks behind proxies. The ssh-import-id command does not support cmd line arguments or other configurations for specifying a proxy. The sudo command in the module executes the ssh-import-id command directly, so any proxy settings of shells will not work. The only option would be either to specify the proxy setting on the command line, but this wouldn't be easily user editable. So the only solution is to selectively forward any already set https_proxy variable to the executed command. Since only one env variable is used and forwarded, the security impact should be acceptable.
---
 cloudinit/config/cc_ssh_import_id.py | 2 +-
 tools/.github-cla-signers | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/cloudinit/config/cc_ssh_import_id.py b/cloudinit/config/cc_ssh_import_id.py
index a9575c596fa..8eabbe56b01 100755
--- a/cloudinit/config/cc_ssh_import_id.py
+++ b/cloudinit/config/cc_ssh_import_id.py
@@ -100,7 +100,7 @@ def import_ssh_ids(ids, user, log):
 except KeyError as exc:
 raise exc
- cmd = ["sudo", "-Hu", user, "ssh-import-id"] + ids
+ cmd = ["sudo", "--preserve-env=https_proxy -Hu", user, "ssh-import-id"] + ids
 log.debug("Importing SSH ids for user %s.", user)
 try:
diff --git a/tools/.github-cla-signers b/tools/.github-cla-signers
index e205d6ea327..18eb2d8e498 100644
--- a/tools/.github-cla-signers
+++ b/tools/.github-cla-signers
@@ -59,6 +59,7 @@ marlluslustosa
 matthewruffell
 maxnet
 megian
+michaelrommel
 mitechie
 nazunalika
 nicolasbock
From 16baaa8f0cd56a1803ebf29c780c8ce381cbbfe9 Mon Sep 17 00:00:00 2001
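Review bot: The new argv element `"--preserve-env=https_proxy -Hu"` fuses two options into a single argument; sudo receives the whole string as the value of `--preserve-env`, so `-Hu` is never parsed as options and `user` is taken as the command to execute, which leaves ssh-import-id unusable at this commit. The second patch on this page splits it into `"--preserve-env=https_proxy", "-Hu",`, so squashing the two would avoid leaving a broken bisect point in history. The first patch's own commit message also points at the trade-off being made here — forwarding an environment variable across the sudo boundary — which deserves a one-line code comment at the call site rather than only living in the log. `import_ssh_ids` begins before this hunk and continues after it.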
From: James Falcon
Date: Mon, 4 Apr 2022 13:34:14 -0500
Subject: [PATCH 2/2] Add todo comment and fix arg list

---
 cloudinit/config/cc_ssh_import_id.py | 33 +++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/cloudinit/config/cc_ssh_import_id.py b/cloudinit/config/cc_ssh_import_id.py
index 8eabbe56b01..a54e8e47182 100755
--- a/cloudinit/config/cc_ssh_import_id.py
+++ b/cloudinit/config/cc_ssh_import_id.py
@@ -100,7 +100,38 @@ def import_ssh_ids(ids, user, log):
 except KeyError as exc:
 raise exc
- cmd = ["sudo", "--preserve-env=https_proxy -Hu", user, "ssh-import-id"] + ids
+ # TODO: We have a use case that involes setting a proxy value earlier
+ # in boot and the user wants this env used when using ssh-import-id.
+ # E.g.,:
+ # bootcmd:
+ # - mkdir -p /etc/systemd/system/cloud-config.service.d
+ # - mkdir -p /etc/systemd/system/cloud-final.service.d
+ # write_files:
+ # - content: |
+ # http_proxy=http://192.168.1.2:3128/
+ # https_proxy=http://192.168.1.2:3128/
+ # path: /etc/cloud/env
+ # - content: |
+ # [Service]
+ # EnvironmentFile=/etc/cloud/env
+ # PassEnvironment=https_proxy http_proxy
+ # path: /etc/systemd/system/cloud-config.service.d/override.conf
+ # - content: |
+ # [Service]
+ # EnvironmentFile=/etc/cloud/env
+ # PassEnvironment=https_proxy http_proxy
+ # path: /etc/systemd/system/cloud-final.service.d/override.conf
+ #
+ # I'm including the `--preserve-env` here as a one-off, but we should
+ # have a better way of setting env earlier in boot and using it later.
+ # Perhaps a 'set_env' module?
+ cmd = [
+ "sudo",
+ "--preserve-env=https_proxy",
+ "-Hu",
+ user,
+ "ssh-import-id",
+ ] + ids
 log.debug("Importing SSH ids for user %s.", user)
 try:
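Review bot: `"--preserve-env=https_proxy"` forwards only the lowercase spelling, so a deployment that sets `HTTPS_PROXY`, or that relies on `no_proxy` to keep internal hosts off the proxy, loses those settings at the sudo boundary and the key fetch can still be routed incorrectly. Since sudo's `--preserve-env` accepts a comma-separated list, `"--preserve-env=https_proxy,HTTPS_PROXY,no_proxy,NO_PROXY",` would cover the usual spellings, assuming ssh-import-id's HTTP client honours them as urllib-based clients do — worth confirming. The `--preserve-env=LIST` form is also newer than the bare `-E`/`--preserve-env` flag, so a short comment stating the minimum sudo version this relies on would help the distro maintainers who ship older sudo. The TODO block has a typo, `involes` → `involves`. `import_ssh_ids` begins before this hunk and continues after it.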