From bb77f84d9d69b3c0800a855a09d092d3b911988f Mon Sep 17 00:00:00 2001
From: Eduardo Otubo
Date: Thu, 24 Sep 2020 14:12:09 +0200
Subject: [PATCH 1/3] Change default authorizedkeys file
The following commit merged all ssh keys into a default user file "~/.ssh/authorized_keys" in sshd_config had multiple files configured for AuthorizedKeysFile: commit f1094b1a539044c0193165a41501480de0f8df14 Author: Eduardo Otubo Date: Thu Dec 5 17:37:35 2019 +0100 Multiple file fix for AuthorizedKeysFile config (#60) This commit ignored the case when sshd_config would have a single file for AuthorizedKeysFile, but a non default configuration, for example "~/.ssh/authorized_keys_foobar". In this case cloud-init would grab all keys from this file and write a new one, the default "~/.ssh/authorized_keys" causing the bug.
rhbz: #1862967
Signed-off-by: Eduardo Otubo
---
 cloudinit/ssh_util.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index c08042d6ff0..bb1a745f9fd 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
@@ -267,8 +267,8 @@ def extract_authorized_keys(username, sshd_cfg_file=DEF_SSHD_CFG):
 "config from %r, using 'AuthorizedKeysFile' file "
 "%r instead", DEF_SSHD_CFG, auth_key_fns[0])
- # always store all the keys in the user's private file
- return (default_authorizedkeys_file, parse_authorized_keys(auth_key_fns))
+ # always store all the keys in the first file configured on sshd_config
+ return (auth_key_fns[0], parse_authorized_keys(auth_key_fns))
 def setup_user_keys(keys, username, options=None):
From 00de89c3a1761f3ba202ece7b58a13e789c518f5 Mon Sep 17 00:00:00 2001
From: Eduardo Otubo
Date: Thu, 24 Sep 2020 17:36:40 +0200
Subject: [PATCH 2/3] Fix TestMultipleSshAuthorizedKeysFile
---
 tests/unittests/test_sshutil.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py
index fd1d1baca71..88a111e3752 100644
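Review bot: In the `extract_authorized_keys` hunk of patch 1/3 (`cloudinit/ssh_util.py`), the new `return (auth_key_fns[0], parse_authorized_keys(auth_key_fns))` hands callers a write target taken from sshd_config while still merging the keys parsed from every configured file. If the first `AuthorizedKeysFile` entry is not a per-user path (presumably it can be an absolute, shared or root-owned file; how the entries are rendered is outside the hunk), keys read from the other files end up in a file the user may not own, or one that authorizes more than this account. The new comment should state that contract, e.g. `# NOTE: auth_key_fns[0] comes from sshd_config and may lie outside the user's home; callers must check ownership and scope before writing`. The function body starts above the hunk, so whether such a check already exists cannot be seen here.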
--- a/tests/unittests/test_sshutil.py
+++ b/tests/unittests/test_sshutil.py
@@ -593,7 +593,7 @@ def test_multiple_authorizedkeys_file_order1(self, m_getpwnam):
 fpw.pw_name, sshd_config)
 content = ssh_util.update_authorized_keys(auth_key_entries, [])
- self.assertEqual("%s/.ssh/authorized_keys" % fpw.pw_dir, auth_key_fn)
+ self.assertEqual(authorized_keys, auth_key_fn)
 self.assertTrue(VALID_CONTENT['rsa'] in content)
 self.assertTrue(VALID_CONTENT['dsa'] in content)
@@ -610,7 +610,7 @@ def test_multiple_authorizedkeys_file_order2(self, m_getpwnam):
 sshd_config = self.tmp_path('sshd_config')
 util.write_file(
 sshd_config,
- "AuthorizedKeysFile %s %s" % (authorized_keys, user_keys)
+ "AuthorizedKeysFile %s %s" % (user_keys, authorized_keys)
 )
 (auth_key_fn, auth_key_entries) = ssh_util.extract_authorized_keys(
@@ -618,7 +618,7 @@ def test_multiple_authorizedkeys_file_order2(self, m_getpwnam):
 )
 content = ssh_util.update_authorized_keys(auth_key_entries, [])
- self.assertEqual("%s/.ssh/authorized_keys" % fpw.pw_dir, auth_key_fn)
+ self.assertEqual(user_keys, auth_key_fn)
 self.assertTrue(VALID_CONTENT['rsa'] in content)
 self.assertTrue(VALID_CONTENT['dsa'] in content)
From 7ad8c496931260f3d07e67abf461a762c437832f Mon Sep 17 00:00:00 2001
From: Eduardo Otubo
Date: Thu, 1 Oct 2020 16:16:31 +0200
Subject: [PATCH 3/3] Fix assignment on empty array.
---
 cloudinit/ssh_util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index bb1a745f9fd..d5113996c81 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
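Review bot: The three hunks in `tests/unittests/test_sshutil.py` (patch 2/3) only adjust the two-file ordering tests, so nothing here covers the case the series sets out to fix: a single non-default `AuthorizedKeysFile`, such as the `~/.ssh/authorized_keys_foobar` example in the patch 1/3 description. A regression test that writes one such entry to `sshd_config` and asserts that `auth_key_fn` equals that path would pin the fix, and a second test with an unreadable config file would cover the fallback branch touched in patch 3/3. As a style point, `self.assertTrue(VALID_CONTENT['rsa'] in content)` fails more informatively when written as `self.assertIn(VALID_CONTENT['rsa'], content)`. The test methods start and end outside the hunks.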
@@ -262,7 +262,7 @@ def extract_authorized_keys(username, sshd_cfg_file=DEF_SSHD_CFG):
 except (IOError, OSError):
 # Give up and use a default key filename
- auth_key_fns[0] = default_authorizedkeys_file
+ auth_key_fns.append(default_authorizedkeys_file)
 util.logexc(LOG, "Failed extracting 'AuthorizedKeysFile' in SSH "
 "config from %r, using 'AuthorizedKeysFile' file "
 "%r instead", DEF_SSHD_CFG, auth_key_fns[0])
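Review bot: `auth_key_fns.append(default_authorizedkeys_file)` makes the default file the fallback only if the list is still empty when the exception is raised. The `try` body is outside the hunk, so if it can add an entry before failing, `auth_key_fns[0]` remains that entry and the default is never the one returned or logged. `auth_key_fns = [default_authorizedkeys_file]` would make the fallback unconditional. The `util.logexc` call in the context lines also reports `DEF_SSHD_CFG` rather than the `sshd_cfg_file` argument that was actually read, which misleads anyone tracing where keys were written when a non-default config path is passed.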