Bug 1862967

Summary: [cloud-init] Customize ssh AuthorizedKeysFile causes login failure
Product: Red Hat Enterprise Linux 8
Reporter: Yuxin Sun <yuxisun>
Component: cloud-init
Assignee: Emanuele Giuseppe Esposito <eesposit>
Status: CLOSED ERRATA
QA Contact: Huijuan Zhao <huzhao>
Severity: medium
Priority: medium
Version: 8.3
CC: cheshi, eesposit, eterrell, huzhao, jgreguske, mrezanin, ribarry, xiachen, xiliang, yacao, ymankad, yuxisun
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: cloud-init-21.1-6.el8
Doc Type: If docs needed, set a value
Clones: 1905466 1979099 (view as bug list)
Last Closed: 2021-11-09 18:48:55 UTC
Type: Bug
Bug Blocks: 1905466, 1979099

Description Yuxin Sun 2020-08-03 10:48:49 UTC
If sshd_config is modified to change the AuthorizedKeysFile value from '.ssh/authorized_keys' to another file (e.g. .ssh/authorized_keys2) and the cloud-init config_ssh module is run, cloud-init will write the public keys to .ssh/authorized_keys, which causes login failure.

Version-Release number of selected components (if applicable):
cloud-init-19.4-7.el8

RHEL Version:
RHEL-8.3

How reproducible:
100%

Steps to Reproduce:
1. Prepare a VM with cloud-init enabled
2. Modify /etc/ssh/sshd_config to remove the default .ssh/authorized_keys and change it to another file, e.g.:
# cat /etc/ssh/sshd_config | grep AuthorizedKeysFile
AuthorizedKeysFile .ssh/authorized_keys2
3. Remove /var/lib/cloud/instance/sem/config_ssh
4. systemctl restart cloud-init ; systemctl restart sshd
5. Try to ssh login through the cloud-init created user

Actual results:
Cannot login: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
The public key is written into .ssh/authorized_keys but not .ssh/authorized_keys2

Expected results:
Can login successfully. The public key is written into .ssh/authorized_keys2

Additional info:
It was introduced by patch https://github.com/canonical/cloud-init/commit/f1094b1a539044c0193165a41501480de0f8df14, which was for BZ#1642008.
For ssh, the customer can customize the AuthorizedKeysFile, and the ssh service will use this file to authenticate. cloud-init doesn't write the public key into the customized file, which causes this issue.
In the cloud-init function "extract_authorized_keys" in ssh_util.py, it writes the public key to ".ssh/authorized_keys", which is hard coded. Suggest reading the file name from the sshd_config AuthorizedKeysFile setting.
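The following is an added example, not cloud-init's code and not the reporter's; it shows the approach suggested in the description (read AuthorizedKeysFile from sshd_config instead of hard-coding .ssh/authorized_keys) and replays the reproduction steps above on constructed files in a temporary directory, so the difference between the hard-coded target and the file sshd actually consults is visible. Function names are hypothetical; the public key is constructed, not a real key; and only the global section of sshd_config is parsed (directives inside Match blocks are ignored, an assumption made to keep the parser short).

```python
"""Resolve the authorized_keys file(s) sshd will actually consult for a user.

Added example (not cloud-init's own code): reads AuthorizedKeysFile from
an sshd_config, expands the tokens sshd accepts there (%%, %h, %u, %U),
resolves relative paths against the user's home directory, and checks
whether a public key is present in one of those files. Assumption: only
the global section is parsed; Match blocks are ignored.
"""
import os
import tempfile

# OpenSSH's default when the directive is absent: both files are consulted.
DEFAULT_AUTHORIZED_KEYS_FILES = (".ssh/authorized_keys", ".ssh/authorized_keys2")


def parse_authorized_keys_file(config_text):
    """Return the AuthorizedKeysFile tokens from the global section.

    sshd honours the first occurrence of a keyword, so the first match wins.
    Keywords are case-insensitive, 'keyword value' and 'keyword=value' are both
    accepted, and '#' starts a comment. 'none' disables file-based keys.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()
        if keyword == "match":  # assumption: stop at the first Match block
            break
        if keyword == "authorizedkeysfile":
            values = parts[1:]
            if len(values) == 1 and values[0].lower() == "none":
                return []
            return values
    return list(DEFAULT_AUTHORIZED_KEYS_FILES)


def expand_path(token, username, home, uid):
    """Expand sshd's AuthorizedKeysFile tokens; relative paths are under $HOME."""
    out, i = [], 0
    while i < len(token):
        if token[i] == "%" and i + 1 < len(token):
            t = token[i + 1]
            if t == "%":
                out.append("%")
            elif t == "h":
                out.append(home)
            elif t == "u":
                out.append(username)
            elif t == "U":
                out.append(str(uid))
            else:
                raise ValueError("unsupported token %%%s in AuthorizedKeysFile" % t)
            i += 2
        else:
            out.append(token[i])
            i += 1
    path = "".join(out)
    return path if os.path.isabs(path) else os.path.join(home, path)


def authorized_keys_paths(config_text, username, home, uid):
    """Absolute paths sshd will read for this user, in configured order."""
    return [expand_path(t, username, home, uid)
            for t in parse_authorized_keys_file(config_text)]


def key_is_authorized(paths, pubkey_line):
    """True if the key's (type, base64 blob) pair appears in one of the files.

    authorized_keys lines may carry an options prefix, so the pair is matched
    as two consecutive fields rather than at a fixed column.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        return False
    wanted = (fields[0], fields[1])
    for path in paths:
        try:
            with open(path) as fh:
                lines = fh.read().splitlines()
        except OSError:  # file absent or unreadable: sshd skips it too
            continue
        for line in lines:
            f = line.split()
            if any((f[i], f[i + 1]) == wanted for i in range(len(f) - 1)):
                return True
    return False


def demo():
    """Replay the report on constructed files: returns (file sshd consults,
    authorized after writing to the hard-coded default, authorized after
    writing to the resolved path)."""
    # constructed key material, not a real key
    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYCONSTRUCTEDFORDEMO demo@host"
    config = "# constructed sshd_config fragment\nAuthorizedKeysFile .ssh/authorized_keys2\n"
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, ".ssh"), mode=0o700)
        paths = authorized_keys_paths(config, "cloud-user", home, 1000)
        # 1. the reported behaviour: key lands in the hard-coded default file
        with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as fh:
            fh.write(pubkey + "\n")
        before = key_is_authorized(paths, pubkey)
        # 2. write to the file parsed from sshd_config instead
        with open(paths[0], "w") as fh:
            fh.write(pubkey + "\n")
        after = key_is_authorized(paths, pubkey)
        return os.path.relpath(paths[0], home), before, after


if __name__ == "__main__":
    print(demo())
```

Running the module prints `('.ssh/authorized_keys2', False, True)`: with the key only in the hard-coded file sshd has nothing to match against, which is the "Permission denied (publickey)" seen in the report, and writing to the resolved path is what makes the login succeed. The same `key_is_authorized` check is a cheap post-provisioning assertion that the key cloud-init installed is in a file sshd will actually read.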

Comment 1 John Ferlan 2020-08-11 20:02:37 UTC
Assigned to Rick for initial triage per bz process and age of bug created or assigned to virt-maint without triage

Comment 5 Eduardo Otubo 2020-09-24 15:26:49 UTC
Pull request filed at https://github.com/canonical/cloud-init/pull/586

Comment 9 Eduardo Otubo 2020-12-08 12:21:12 UTC
*** Bug 1905466 has been marked as a duplicate of this bug. ***

Comment 14 Huijuan Zhao 2020-12-15 09:11:41 UTC
Tested with cloud-init-20.3-6.el8, the issue is gone.

Comment 22 Huijuan Zhao 2021-01-06 00:52:39 UTC
Move to VERIFIED according to comment 14.

Comment 54 errata-xmlrpc 2021-11-09 18:48:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cloud-init bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:4294