Multiple file fix for AuthorizedKeysFile config#60
Conversation
Currently cloud-init does not know how to handle multiple file configuration on section AuthorizedKeysFile of ssh configuration. cloud-init will mess up the home user directory by creating bogus folders inside it. This patch provides a fix for this erroneous behavior. It gathers all keys from all the files listed on the section AuthorizedKeysFile of ssh configuration and merge all of them inside home user ~/.ssh/authorized_keys of the vm deployed. Signed-off-by: Eduardo Otubo <otubo@redhat.com>
|
@otubo see what you think of this. It makes testing much easier. |
|
@otubo The big change is using mock to patch pwent with a namedtuple, which is just less code than the whole fake distro. I don't want you to feel like I'm taking this over or telling you you have to do it like so... I'm just trying to help, because I appreciate your work and know how frustrating it can be when someone asks you to add tests or refactor code. |
No, please, I really do appreciate all the help. I applied your patche on top of mine and it looks a lot better. Thanks. |
This adds render_authorizedkeysfile_paths which does not require any interaction with OS. It is then much easier to test it. The 4 added tests give pretty good coverage of the new code. Note, I had to comment out the 'dist.create_user' call as it was actually trying to create a user.
smoser
left a comment
smoser
left a comment
There was a problem hiding this comment.
I'm ok with this at this point. but I would like review from someone else also.
I think TestMultipleSshAuthorizedKeysFile could use some more tests... the coverage report will probably tell us where we're not testing. I don't think we probaly end up testing the 'default_authorized_file' path.
If no one else is able to take a look, I'd be fine to mark approve.
raharper
left a comment
raharper
left a comment
There was a problem hiding this comment.
Thanks for updating. Is there a downstream or upstream cloud-init bug that tracked this issue?
| if not value.startswith("/"): | ||
| value = os.path.join(homedir, value) | ||
| return value | ||
| paths = re.split(r'(?<!\\) ', value) |
There was a problem hiding this comment.
Could we get a comment here to explain what the regex is achieving?
There was a problem hiding this comment.
@otubo can you add the above and then we can land this?
There was a problem hiding this comment.
I think we may be able to just use split() now. @otubo was trying to account for escaping spaces in sshd_config to account for spaces in paths, but I think reality is they are just not supported.
So, the right solution might just be to use split().
There was a problem hiding this comment.
That's exactly what I was aiming for, as @smoser mentioned.
I'm gonna replace it and push again.
There was a problem hiding this comment.
Also, this is the bugzilla for that: https://bugzilla.redhat.com/show_bug.cgi?id=1642008
smoser
left a comment
smoser
left a comment
There was a problem hiding this comment.
I added 'Resolves: rhbz#1642008' to the description.
Not sure if that is how we are doing things on github or not.
I'm fine happy with this PR at this point.
Thank you, Eduardo.
Currently cloud-init does not know how to handle multiple file configuration on section AuthorizedKeysFile of ssh configuration. cloud-init will mess up the home user directory by creating bogus folders inside it. This patch provides a fix for this erroneous behavior. It gathers all keys from all the files listed on the section AuthorizedKeysFile of ssh configuration and merge all of them inside home user ~/.ssh/authorized_keys of the vm deployed. Signed-off-by: Eduardo Otubo <otubo@redhat.com>
This reverts commit f1094b1a539044c0193165a41501480de0f8df14. See canonical/cloud-init#60.
|
Sorry I'm a bit late to the party here, I've just seen this change as it has made it to the Ubuntu package. I'm planning to open a PR if needed, but I have a few questions first. Regarding the idea of copying the keys from all the files in AuthorizedKeysFile into the "default_authorizedkeys_file", why are we doing this? From what I understand the main reason why we are copying things around in the first place is because we want to write new keys into a file that is processed by sshd. As such, wouldn't it make more sense to only take the keys from the first file in AuthorizedKeysFile, then add the new keys to those and write them back into the same file. I think copying keys from all the files into a single file would not be a behavior that people would expect. Regarding the new tests, was it intended that the only difference between |
@pzakha I agree that this doesn't sound like the ideal behaviour; could you file a bug with this (at https://bugs.launchpad.net/cloud-init/+filebug), so we can discuss (and address) it? |
|
Looks like configurations similar to #149: now are completely broken.... |
The following commit merged all ssh keys into a default user file "~/.ssh/authorized_keys" in sshd_config had multiple files configured for AuthorizedKeysFile: commit f1094b1 Author: Eduardo Otubo <otubo@redhat.com> Date: Thu Dec 5 17:37:35 2019 +0100 Multiple file fix for AuthorizedKeysFile config (canonical#60) This commit ignored the case when sshd_config would have a single file for AuthorizedKeysFile, but a non default configuration, for example "~/.ssh/authorized_keys_foobar". In this case cloud-init would grab all keys from this file and write a new one, the default "~/.ssh/authorized_keys" causing the bug. rhbz: #1862967 Signed-off-by: Eduardo Otubo <otubo@redhat.com>
The following commit merged all ssh keys into a default user file `~/.ssh/authorized_keys` in sshd_config had multiple files configured for AuthorizedKeysFile: commit f1094b1 Author: Eduardo Otubo <otubo@redhat.com> Date: Thu Dec 5 17:37:35 2019 +0100 Multiple file fix for AuthorizedKeysFile config (#60) This commit ignored the case when sshd_config would have a single file for AuthorizedKeysFile, but a non default configuration, for example `~/.ssh/authorized_keys_foobar`. In this case cloud-init would grab all keys from this file and write a new one, the default `~/.ssh/authorized_keys` causing the bug. rhbz: #1862967 Signed-off-by: Eduardo Otubo <otubo@redhat.com>
7 participants
Currently cloud-init does not know how to handle multiple file
configuration on section AuthorizedKeysFile of ssh configuration.
cloud-init will mess up the home user directory by creating bogus
folders inside it.
This patch provides a fix for this erroneous behavior. It gathers all
keys from all the files listed on the section AuthorizedKeysFile of ssh
configuration and merge all of them inside home user
~/.ssh/authorized_keys of the vm deployed.
Resolves: rhbz#1642008
Signed-off-by: Eduardo Otubo otubo@redhat.com