If you modify sshd_config to change the AuthorizedKeysFile value from '.ssh/authorized_keys' to another file (e.g. .ssh/authorized_keys2) and run the cloud-init config_ssh module, cloud-init will write the public keys to .ssh/authorized_keys, which causes login failure.
Version-Release number of selected components (if applicable):
cloud-init-19.4-7.el8
RHEL Version:
RHEL-8.3
How reproducible:
100%
Steps to Reproduce:
1. Prepare a VM with cloud-init enabled
2. Modify /etc/ssh/sshd_config to remove the default .ssh/authorized_keys and change it to another file, e.g.:
# cat /etc/ssh/sshd_config | grep AuthorizedKeysFile
AuthorizedKeysFile .ssh/authorized_keys2
3. Remove /var/lib/cloud/instance/sem/config_ssh
4. systemctl restart cloud-init ; systemctl restart sshd
5. Try to ssh login through the cloud-init created user
Actual results:
Cannot log in: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
The public key is written into .ssh/authorized_keys but not .ssh/authorized_keys2.
Expected results:
Can log in successfully. The public key is written into .ssh/authorized_keys2.
Additional info:
It was introduced by patch https://github.com/canonical/cloud-init/commit/f1094b1a539044c0193165a41501480de0f8df14, which was for BZ#1642008.
For ssh, the customer can customize AuthorizedKeysFile, and the ssh service will use this file to authenticate. cloud-init doesn't write the public key into the customized file, which causes this issue.
In the cloud-init function "extract_authorized_keys" in ssh_util.py, the public key is written to ".ssh/authorized_keys", which is hard-coded. Suggest reading the file from the sshd_config AuthorizedKeysFile.
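As an added example (not cloud-init's own code), here is the lookup the report suggests: read AuthorizedKeysFile from sshd_config text the way sshd does (first occurrence wins, 'none' disables key files, Match blocks are conditional), expand its %h/%u tokens, and resolve each entry to the path cloud-init would have to write. The sample config text, user name and home directory are constructed for this example.

```python
import os
import re

# Constructed sample sshd_config (not from the reporter's host), using the
# non-default key file named in the bug report.
SAMPLE_SSHD_CONFIG = """\
# comment line
Port 22
AuthorizedKeysFile .ssh/authorized_keys2
PasswordAuthentication no
"""
# OpenSSH's built-in default when the directive is absent.
DEFAULT_KEYS_FILES = [".ssh/authorized_keys", ".ssh/authorized_keys2"]


def parse_authorized_keys_files(config_text):
    """AuthorizedKeysFile entries from sshd_config text, as sshd reads them:
    first occurrence wins, 'none' disables key files, and parsing stops at
    the first Match block because directives there are conditional."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "authorizedkeysfile" and len(parts) == 2:
            values = parts[1].split()
            return [] if [v.lower() for v in values] == ["none"] else values
    return list(DEFAULT_KEYS_FILES)


def resolve_keys_path(entry, user, home):
    """Expand sshd's %%, %h and %u tokens, then anchor relative paths at home."""
    tokens = {"%": "%", "h": home, "u": user}

    def expand(match):
        key = match.group(1)
        if key not in tokens:  # e.g. %U is not handled by this example
            raise ValueError("unsupported token %%%s in AuthorizedKeysFile" % key)
        return tokens[key]

    expanded = re.sub(r"%(.)", expand, entry)
    return expanded if os.path.isabs(expanded) else os.path.join(home, expanded)


def target_keys_files(config_text, user, home):
    """Files cloud-init would have to write so sshd actually consults them."""
    return [resolve_keys_path(e, user, home) for e in parse_authorized_keys_files(config_text)]
```

With the sample config above, the only file sshd will consult for a user is ~/.ssh/authorized_keys2, so a key written to ~/.ssh/authorized_keys is never checked, which is exactly the login failure in the reproduction steps.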
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (cloud-init bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2021:4294