Bug 1574338

Summary: CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-7]
Product: Red Hat Enterprise Linux 7
Reporter: Khramov Anton <kay.diam>
Component: cloud-init
Assignee: Eduardo Otubo <eterrell>
Status: CLOSED ERRATA
QA Contact: Huijuan Zhao <huzhao>
Severity: low
Docs Contact:
Priority: low
Version: 7.5
CC: dmoppert, eterrell, huzhao, jeharris, jgreguske, linl, ribarry, rmccabe, thoger, virt-maint, xiachen, yacao, yujiang, yuxisun
Target Milestone: rc
Keywords: SecurityTracking, Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: cloud-init-19.4-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1814152
Environment:
Last Closed: 2020-09-29 19:48:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1598831, 1814152
Deadline: 2020-01-02

Description Khramov Anton 2018-05-03 05:36:00 UTC
Description of problem:

In combination with HashiCorp Packer and cloud-init, SSH host keys are not regenerated when new VM instances are created. This could lead to a MITM attack.

Version-Release number of selected component (if applicable):

0.7.9

Steps to Reproduce:
1. Create a simple rhel7 image using packer
2. Create instances using this image
3. Notice that all these images share the same SSH host keys

Actual results:

SSH keys are not regenerated when new instance is created

Expected results:

SSH keys should be regenerated

Additional info:

When cloud-init was created for RHEL, the "ssh_deletekeys" option was explicitly set to "false" and the "ssh_genkeytypes" option was set to be empty (https://git.centos.org/blob/rpms!cloud-init.git/c7/SOURCES!0001-configuration-changes-for-RHEL-package.patch#L66). Most probably this was done because "cloud-init.service" has "Wants=sshd-keygen.service" (https://github.com/cloud-init/cloud-init/blob/master/systemd/cloud-init.service.tmpl#L6), which is actually responsible for regenerating SSH keys (https://git.centos.org/blob/rpms!openssh.git/c7/SOURCES!sshd-keygen.service). However, "sshd-keygen.service" doesn't have logic to detect whether the current VM instance was just created or not. "cloud-init" has this logic.

Other distros, like SLES or Ubuntu, rely on cloud-init logic, not on "sshd-keygen.service", to regenerate SSH host keys.

Comment 24 Huijuan Zhao 2020-03-24 10:56:30 UTC
Tested with rhel-7.9 (3.10.0-1128.el7.x86_64) + cloud-init-19.4-2.el7.x86_64, the issue is fixed.

1. There's "ssh_deletekeys:   1" and "ssh_genkeytypes:  ~" in /etc/cloud/cloud.cfg.
2. Compare the content of /etc/ssh/ssh_host_*key* between VM1 and image:
The contents are different between VM1 and the image.
SSH host keys are regenerated for the new instance.

Change the status to VERIFIED.
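The two conditions this bug turns on, the cloud.cfg settings called out in the description and the host-key comparison QA performed in Comment 24, can be checked from a shell. The script below is an added example and is not code from the bug report, from Red Hat's package or from cloud-init itself. It assumes what cloud-init's cc_ssh module does with these keys: an absent ssh_deletekeys counts as enabled (upstream's default is to delete), ssh_genkeytypes set to YAML null (`~`) or absent falls back to cloud-init's default key types, and an explicit empty list (`[]`) generates nothing. The config files and public-key contents it creates are constructed sample data, not the real RHEL 7 files; the parser handles inline scalar values only, not YAML block lists. On a real image or instance, point it at /etc/cloud/cloud.cfg and the /etc/ssh directories of the image and of each instance.

```shell
#!/bin/sh
# Added example, not code from the bug report, Red Hat or cloud-init.
# Checks for the condition described in this bug:
#   1. does cloud.cfg let cloud-init delete (and therefore regenerate) the
#      SSH host keys on an instance's first boot?
#   2. do instances built from one image actually end up with different
#      host keys?
# All file contents created below are constructed sample data so the script
# runs offline.

# First inline scalar value of a top-level cloud.cfg key (YAML block lists
# are not parsed; they read as an empty value).
cfg_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# 0 if host-key deletion is enabled, 1 if it is explicitly disabled.
# An absent key counts as enabled: cloud-init's own default is to delete.
deletekeys_enabled() {
    case "$(cfg_value "$1" ssh_deletekeys)" in
        0|false|False|no) return 1 ;;
        *)                return 0 ;;
    esac
}

# 0 unless ssh_genkeytypes is an explicit empty list, which tells cloud-init
# to generate no keys at all; absent or YAML null ('~') means its default list.
genkeytypes_ok() {
    [ "$(cfg_value "$1" ssh_genkeytypes)" != '[]' ]
}

# 0 when no ssh_host_*_key.pub in DIR_A is identical to the file of the same
# name in DIR_B, 1 when any pair is shared (the symptom of this bug).
host_keys_differ() {
    shared=0
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        other="$2/${pub##*/}"
        if [ -e "$other" ] && [ "$(cat "$pub")" = "$(cat "$other")" ]; then
            echo "SHARED host key: ${pub##*/}" >&2
            shared=1
        fi
    done
    return $shared
}

# Run all three checks; 0 only if the config is sane and the keys differ.
audit() {
    cfg=$1; dir_a=$2; dir_b=$3; rc=0
    deletekeys_enabled "$cfg" || { echo "WEAK: ssh_deletekeys disabled in $cfg"; rc=1; }
    genkeytypes_ok "$cfg"     || { echo "WEAK: ssh_genkeytypes is an empty list in $cfg"; rc=1; }
    host_keys_differ "$dir_a" "$dir_b" || { echo "WEAK: $dir_a and $dir_b share host keys"; rc=1; }
    return $rc
}

# --- constructed sample data (assumed shapes, not the real RHEL files) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
# Shape the reporter describes: deletion off, nothing to generate.
printf 'ssh_deletekeys:   0\nssh_genkeytypes:  []\n' > "$TMP/cloud.cfg.old"
# Shape reported in the verification comment for cloud-init-19.4-2.el7.
printf 'ssh_deletekeys:   1\nssh_genkeytypes:  ~\n' > "$TMP/cloud.cfg.new"
mkdir -p "$TMP/image" "$TMP/vm1" "$TMP/vm2"
# vm1 still carries the key baked into the image; vm2 regenerated its own.
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedImageKey0 image' > "$TMP/image/ssh_host_ed25519_key.pub"
cp "$TMP/image/ssh_host_ed25519_key.pub" "$TMP/vm1/"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedFreshKey00 vm2' > "$TMP/vm2/ssh_host_ed25519_key.pub"

audit "$TMP/cloud.cfg.old" "$TMP/image" "$TMP/vm1" || echo "old image: FAIL"
audit "$TMP/cloud.cfg.new" "$TMP/image" "$TMP/vm2" && echo "fixed image: OK"
```

The key comparison is the decisive check: a "correct" cloud.cfg does not help if the image was sealed with keys already present and a pre-fix cloud-init never removed them, so compare /etc/ssh/ssh_host_*_key.pub between the image and every instance built from it, and between instances, rather than trusting the config alone.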

Comment 26 errata-xmlrpc 2020-09-29 19:48:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: cloud-init security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3898