Bug 1918677: templates: use valid binary in AuthorizedKeysCommand by vrutkovs · Pull Request #2355 · openshift/machine-config-operator

vrutkovs · 2021-01-21T10:57:40Z

Setting AuthorizedKeysCommand with invalid path breaks ssh on hosts:

Jan 21 10:55:36 ip-10-0-137-119 sshd[130647]: error: AuthorizedKeysCommand path is not absolute
Jan 21 10:55:36 ip-10-0-137-119 sshd[130647]: Connection closed by authenticating user core 10.0.188.12 port 41306 [preauth]

This PR would set it to /bin/true

Reverts #2087

vrutkovs · 2021-01-21T10:58:08Z

/cc @LorbusChris

openshift-ci-robot · 2021-01-21T11:00:50Z

@vrutkovs: This pull request references Bugzilla bug 1918677, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.7.0) matches configured target release for branch (4.7.0)
bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Details

In response to this:

Bug 1918677: Revert "templates: Disable SSH keys lookup from authorized_keys.d on FCOS"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

vrutkovs · 2021-01-21T13:27:46Z

/retest

sinnykumari · 2021-01-21T13:35:42Z

was it always broken or any recent FCOS update caused it?

vrutkovs · 2021-01-21T13:38:03Z

was it always broken or any recent FCOS update caused it?

Always was broken, but we didn't get a chance to properly identify it :/

sinnykumari · 2021-01-21T14:40:50Z

/approve

LorbusChris · 2021-01-21T14:55:36Z

I don't think we want to remove that snippet entirely, since we still want to disable lookup from the authorized_keys.d dir.
Can the none command be replaced by a valid no-op command, e.g. /usr/bin/false?

/cc @bgilbert

vrutkovs · 2021-01-21T14:58:29Z

Not sure why, but ssh'ing to masters from workers worked when I removed that setting (via oc debug node/...)

bgilbert · 2021-01-21T17:40:02Z

Yeah, I'd try setting it to /bin/true instead.

openshift-ci-robot · 2021-01-21T17:53:18Z

@vrutkovs: This pull request references Bugzilla bug 1918677, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.7.0) matches configured target release for branch (4.7.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Details

In response to this:

Bug 1918677: Revert "templates: Disable SSH keys lookup from authorized_keys.d on FCOS"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

vrutkovs · 2021-01-21T17:53:22Z

okay, updated, PTAL

kikisdeliveryservice · 2021-01-21T19:42:06Z

hi @vrutkovs !

do we expect that okd-e2e-aws test to pass, looking at past runs it seems kind of flaky right?

vrutkovs · 2021-01-21T19:45:10Z

do we expect that okd-e2e-aws test to pass, looking at past runs it seems kind of flaky right?

It should pass, yeah, must be flakes. This change doesn't affect e2e tests, just helps us debug failures.

/retest

vrutkovs · 2021-01-21T23:45:51Z

/retest

bgilbert · 2021-01-21T23:49:05Z

Content LGTM. Commit message and PR title need an update.

kikisdeliveryservice · 2021-01-22T00:35:40Z

Content LGTM. Commit message and PR title need an update.

agree with @bgilbert 👍 hold so can be fixed

/hold

sshd_config dropin requires a valid binary to be used in AuthorizedKeysCommand

vrutkovs · 2021-01-22T13:26:16Z

/retest

vrutkovs · 2021-01-22T19:17:29Z

/retest

bgilbert · 2021-01-22T20:16:55Z

/approve

openshift-ci-robot · 2021-01-22T20:18:15Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bgilbert, sinnykumari, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [sinnykumari]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

vrutkovs · 2021-01-26T06:57:39Z

/retest

vrutkovs · 2021-01-31T14:39:44Z

/retest

LorbusChris · 2021-02-01T13:01:13Z

/retest

LorbusChris · 2021-02-01T19:13:47Z

  inline: |
    # disable key lookup from ~/.ssh/authorized_keys.d/ on FCOS
-    AuthorizedKeysCommand none
+    AuthorizedKeysCommand /bin/true


can you try explicitly setting it to nil/empty?

Suggested change

AuthorizedKeysCommand /bin/true

AuthorizedKeysCommand

this should re-instate the default

openshift-bot · 2021-05-02T19:18:12Z

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-ci · 2021-05-21T17:28:15Z

@vrutkovs: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-workers-rhel7	`5a913ec`	link	`/test e2e-aws-workers-rhel7`
ci/prow/okd-e2e-aws	`5a913ec`	link	`/test okd-e2e-aws`
ci/prow/e2e-aws-serial	`5a913ec`	link	`/test e2e-aws-serial`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-bot · 2021-06-20T23:12:58Z

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-bot · 2021-07-21T01:59:22Z

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci · 2021-07-21T01:59:30Z

@openshift-bot: Closed this PR.

Details

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci · 2021-07-21T01:59:38Z

@vrutkovs: This pull request references Bugzilla bug 1918677. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

Details

In response to this:

Bug 1918677: templates: use valid binary in AuthorizedKeysCommand

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci-robot requested review from darkmuggle and sinnykumari January 21, 2021 10:57

openshift-ci-robot requested a review from LorbusChris January 21, 2021 10:58

vrutkovs changed the title ~~Revert "templates: Disable SSH keys lookup from authorized_keys.d on FCOS"~~ Bug 1918677: Revert "templates: Disable SSH keys lookup from authorized_keys.d on FCOS" Jan 21, 2021

openshift-ci-robot added bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Jan 21, 2021

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 21, 2021

openshift-ci-robot requested a review from bgilbert January 21, 2021 14:55

vrutkovs force-pushed the revert-2087-rm-ssh-fragments branch from 626e62a to 5fe1599 Compare January 21, 2021 17:53

openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 22, 2021

templates: use valid binary in AuthorizedKeysCommand

5a913ec

sshd_config dropin requires a valid binary to be used in AuthorizedKeysCommand

vrutkovs force-pushed the revert-2087-rm-ssh-fragments branch from 5fe1599 to 5a913ec Compare January 22, 2021 09:00

vrutkovs changed the title ~~Bug 1918677: Revert "templates: Disable SSH keys lookup from authorized_keys.d on FCOS"~~ Bug 1918677: templates: use valid binary in AuthorizedKeysCommand Jan 22, 2021

vrutkovs force-pushed the revert-2087-rm-ssh-fragments branch from 9cc9d68 to 5a913ec Compare January 26, 2021 20:05

LorbusChris reviewed Feb 1, 2021

View reviewed changes

openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 2, 2021

openshift-ci Bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 20, 2021

openshift-ci Bot closed this Jul 21, 2021

lucab mentioned this pull request Dec 29, 2021

AuthorizedKeysCommand path is not absolute coreos/fedora-coreos-tracker#1056

Closed

Conversation

vrutkovs commented Jan 21, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

vrutkovs commented Jan 21, 2021

Uh oh!

openshift-ci-robot commented Jan 21, 2021

Uh oh!

vrutkovs commented Jan 21, 2021

Uh oh!

sinnykumari commented Jan 21, 2021

Uh oh!

vrutkovs commented Jan 21, 2021

Uh oh!

sinnykumari commented Jan 21, 2021

Uh oh!

LorbusChris commented Jan 21, 2021

Uh oh!

vrutkovs commented Jan 21, 2021

Uh oh!

bgilbert commented Jan 21, 2021

Uh oh!

openshift-ci-robot commented Jan 21, 2021

Uh oh!

vrutkovs commented Jan 21, 2021

Uh oh!

kikisdeliveryservice commented Jan 21, 2021

Uh oh!

vrutkovs commented Jan 21, 2021

Uh oh!

vrutkovs commented Jan 21, 2021

Uh oh!

bgilbert commented Jan 21, 2021

Uh oh!

kikisdeliveryservice commented Jan 22, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

vrutkovs commented Jan 22, 2021

Uh oh!

vrutkovs commented Jan 22, 2021

Uh oh!

bgilbert commented Jan 22, 2021

Uh oh!

openshift-ci-robot commented Jan 22, 2021

Uh oh!

vrutkovs commented Jan 26, 2021

Uh oh!

vrutkovs commented Jan 31, 2021

Uh oh!

LorbusChris commented Feb 1, 2021

Uh oh!

LorbusChris Feb 1, 2021

Choose a reason for hiding this comment

Uh oh!

LorbusChris Feb 1, 2021

Choose a reason for hiding this comment

Uh oh!

openshift-bot commented May 2, 2021

Uh oh!

openshift-ci Bot commented May 21, 2021

Uh oh!

openshift-bot commented Jun 20, 2021

Uh oh!

openshift-bot commented Jul 21, 2021

Uh oh!

openshift-ci Bot commented Jul 21, 2021

Uh oh!

openshift-ci Bot commented Jul 21, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

vrutkovs commented Jan 21, 2021 •

edited

Loading

kikisdeliveryservice commented Jan 22, 2021 •

edited

Loading