<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-cloud-init.git/cloudinit/ssh_util.py, branch sagitta-public-unmaintained</title>
<subtitle> (mirror of https://github.com/vyos/vyos-cloud-init.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-cloud-init.git/atom?h=sagitta-public-unmaintained</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-cloud-init.git/atom?h=sagitta-public-unmaintained'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/'/>
<updated>2021-12-16T02:16:38+00:00</updated>
<entry>
<title>Adopt Black and isort (SC-700) (#1157)</title>
<updated>2021-12-16T02:16:38+00:00</updated>
<author>
<name>James Falcon</name>
<email>james.falcon@canonical.com</email>
</author>
<published>2021-12-16T02:16:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=bae9b11da9ed7dd0b16fe5adeaf4774b7cc628cf'/>
<id>urn:sha1:bae9b11da9ed7dd0b16fe5adeaf4774b7cc628cf</id>
<content type='text'>
Applied Black and isort, fixed any linting issues, updated tox.ini
and CI.
</content>
</entry>
<entry>
<title>ssh_utils.py: ignore when sshd_config options are not key/value pairs (#1007)</title>
<updated>2021-09-08T00:08:36+00:00</updated>
<author>
<name>Emanuele Giuseppe Esposito</name>
<email>eesposit@redhat.com</email>
</author>
<published>2021-09-08T00:08:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=2ce857248162957a785af61c135ca8433fdbbcde'/>
<id>urn:sha1:2ce857248162957a785af61c135ca8433fdbbcde</id>
<content type='text'>
As specified in #LP 1845552,
In cloudinit/ssh_util.py, in parse_ssh_config_lines(), we attempt to
parse each line of sshd_config. This function expects each line to
be one of the following forms:

    \# comment
    key value
    key=value

However, options like DenyGroups and DenyUsers are specified to
*optionally* accepts values in sshd_config.
Cloud-init should comply to this and skip the option if a value
is not provided.

Signed-off-by: Emanuele Giuseppe Esposito &lt;eesposit@redhat.com&gt;</content>
</entry>
<entry>
<title>Fix home permissions modified by ssh module (SC-338) (#984)</title>
<updated>2021-08-20T22:09:49+00:00</updated>
<author>
<name>James Falcon</name>
<email>therealfalcon@gmail.com</email>
</author>
<published>2021-08-20T22:09:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=7d3f5d750f6111c2716143364ea33486df67c927'/>
<id>urn:sha1:7d3f5d750f6111c2716143364ea33486df67c927</id>
<content type='text'>
Fix home permissions modified by ssh module

In #956, we updated the file and directory permissions for keys not in
the user's home directory. We also unintentionally modified the
permissions within the home directory as well. These should not change,
and this commit changes that back.

LP: #1940233</content>
</entry>
<entry>
<title>Stop copying ssh system keys and check folder permissions (#956)</title>
<updated>2021-08-09T14:49:56+00:00</updated>
<author>
<name>Emanuele Giuseppe Esposito</name>
<email>eesposit@redhat.com</email>
</author>
<published>2021-08-09T14:49:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=00dbaf1e9ab0e59d81662f0f3561897bef499a3f'/>
<id>urn:sha1:00dbaf1e9ab0e59d81662f0f3561897bef499a3f</id>
<content type='text'>
In /etc/ssh/sshd_config, it is possible to define a custom
authorized_keys file that will contain the keys allowed to access the
machine via the AuthorizedKeysFile option. Cloudinit is able to add
user-specific keys to the existing ones, but we need to be careful on
which of the authorized_keys files listed to pick.
Chosing a file that is shared by all user will cause security
issues, because the owner of that key can then access also other users.

We therefore pick an authorized_keys file only if it satisfies the
following conditions:
1. it is not a "global" file, ie it must be defined in
   AuthorizedKeysFile with %u, %h or be in  /home/&lt;user&gt;. This avoids
   security issues.
2. it must comply with ssh permission requirements, otherwise the ssh
   agent won't use that file.

If it doesn't meet either of those conditions, write to
~/.ssh/authorized_keys

We also need to consider the case when the chosen authorized_keys file
does not exist. In this case, the existing behavior of cloud-init is
to create the new file. We therefore need to be sure that the file
complies with ssh permissions too, by setting:
- the actual file to permission 600, and owned by the user
- the directories in the path that do not exist must be root owned and
  with permission 755.</content>
</entry>
<entry>
<title>ssh-util: allow cloudinit to merge all ssh keys into a custom user file, defined in AuthorizedKeysFile (#937)</title>
<updated>2021-07-12T18:21:02+00:00</updated>
<author>
<name>Emanuele Giuseppe Esposito</name>
<email>eesposit@redhat.com</email>
</author>
<published>2021-07-12T18:21:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=9b52405c6f0de5e00d5ee9c1d13540425d8f6bf5'/>
<id>urn:sha1:9b52405c6f0de5e00d5ee9c1d13540425d8f6bf5</id>
<content type='text'>
This patch aims to fix LP1911680, by analyzing the files provided
in sshd_config and merge all keys into an user-specific file. Also
introduces additional tests to cover this specific case.

The file is picked by analyzing the path given in AuthorizedKeysFile.

If it points inside the current user folder (path is /home/user/*), it
means it is an user-specific file, so we can copy all user-keys there.
If it contains a %u or %h, it means that there will be a specific
authorized_keys file for each user, so we can copy all user-keys there.
If no path points to an user-specific file, for example when only
/etc/ssh/authorized_keys is given, default to ~/.ssh/authorized_keys.
Note that if there are more than a single user-specific file, the last
one will be picked.

Signed-off-by: Emanuele Giuseppe Esposito &lt;eesposit@redhat.com&gt;
Co-authored-by: James Falcon &lt;therealfalcon@gmail.com&gt;

LP: #1911680
RHBZ:1862967</content>
</entry>
<entry>
<title>Revert "ssh_util: handle non-default AuthorizedKeysFile config (#586)" (#775)</title>
<updated>2021-01-19T17:23:23+00:00</updated>
<author>
<name>Daniel Watkins</name>
<email>oddbloke@ubuntu.com</email>
</author>
<published>2021-01-19T17:23:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=cdc5b81f33aee0ed3ef1ae239e5cec1906d0178a'/>
<id>urn:sha1:cdc5b81f33aee0ed3ef1ae239e5cec1906d0178a</id>
<content type='text'>
This reverts commit b0e73814db4027dba0b7dc0282e295b7f653325c.</content>
</entry>
<entry>
<title>ssh_util: handle non-default AuthorizedKeysFile config (#586)</title>
<updated>2020-10-20T16:04:59+00:00</updated>
<author>
<name>Eduardo Otubo</name>
<email>otubo@redhat.com</email>
</author>
<published>2020-10-20T16:04:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=b0e73814db4027dba0b7dc0282e295b7f653325c'/>
<id>urn:sha1:b0e73814db4027dba0b7dc0282e295b7f653325c</id>
<content type='text'>
The following commit merged all ssh keys into a default user file
`~/.ssh/authorized_keys` in sshd_config had multiple files configured for
AuthorizedKeysFile:

commit f1094b1a539044c0193165a41501480de0f8df14
Author: Eduardo Otubo &lt;otubo@redhat.com&gt;
Date:   Thu Dec 5 17:37:35 2019 +0100

    Multiple file fix for AuthorizedKeysFile config (#60)

This commit ignored the case when sshd_config would have a single file for
AuthorizedKeysFile, but a non default configuration, for example
`~/.ssh/authorized_keys_foobar`. In this case cloud-init would grab all keys
from this file and write a new one, the default `~/.ssh/authorized_keys`
causing the bug.

rhbz: #1862967

Signed-off-by: Eduardo Otubo &lt;otubo@redhat.com&gt;</content>
</entry>
<entry>
<title>Update the list of valid ssh keys. (#487)</title>
<updated>2020-08-21T16:23:24+00:00</updated>
<author>
<name>Ole-Martin Bratteng</name>
<email>1681525+omBratteng@users.noreply.github.com</email>
</author>
<published>2020-08-21T16:23:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=c73ab5665469a28dec2995b2b15d3462b0a83c4b'/>
<id>urn:sha1:c73ab5665469a28dec2995b2b15d3462b0a83c4b</id>
<content type='text'>
Update ssh_util.py with latest list of keys (from openssh-8.3p1/sshkey.c),

Added keys:
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
ssh-xmss-cert-v01@openssh.com
ssh-xmss@openssh.com

LP: #1877869</content>
</entry>
<entry>
<title>ssh exit with non-zero status on disabled user (#472)</title>
<updated>2020-07-15T18:21:02+00:00</updated>
<author>
<name>Eduardo Otubo</name>
<email>otubo@redhat.com</email>
</author>
<published>2020-07-15T18:21:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=e161059a18173e2b61c54dba9eab774401fb5f1f'/>
<id>urn:sha1:e161059a18173e2b61c54dba9eab774401fb5f1f</id>
<content type='text'>
It is confusing for scripts, where a disabled user has been specified,
that ssh exits with a zero status by default without indication anything
failed.

I think exitting with a non-zero status would make more clear in scripts
and automated setups where things failed, thus making noticing the issue
and debugging easier.

Signed-off-by: Eduardo Otubo &lt;otubo@redhat.com&gt;
Signed-off-by: Aleksandar Kostadinov &lt;akostadi@redhat.com&gt;

LP: #1170059</content>
</entry>
<entry>
<title>util: rename write_file's copy_mode parameter to preserve_mode (#439)</title>
<updated>2020-06-17T16:59:23+00:00</updated>
<author>
<name>Daniel Watkins</name>
<email>oddbloke@ubuntu.com</email>
</author>
<published>2020-06-17T16:59:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-cloud-init.git/commit/?id=3d13a9dd469f354d0ddc1e36be37d743b5a57c73'/>
<id>urn:sha1:3d13a9dd469f354d0ddc1e36be37d743b5a57c73</id>
<content type='text'>
When updating the docstring to include it, I realised that the current
name is somewhat misleading; this makes it a little easier to
understand, I think.</content>
</entry>
</feed>
