Bug 1574338 - CVE-2018-10896 cloud-init: SSH host keys are not regenerated for the new instances [rhel-7]
Summary: CVE-2018-10896 cloud-init: SSH host keys are not regenerated for the new inst...
Status: NEW
Alias: None
Deadline: 2020-01-02
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cloud-init
Version: 7.5
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Eduardo Otubo
QA Contact: Vratislav Hutsky
Depends On:
Blocks: CVE-2018-10896
Reported: 2018-05-03 05:36 UTC by Khramov Anton
Modified: 2019-10-08 20:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:


Description Khramov Anton 2018-05-03 05:36:00 UTC
Description of problem:

In combination with HashiCorp Packer and cloud-init, SSH host keys are not regenerated when new VM instances are created. This could lead to a MITM attack.

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. Create a simple rhel7 image using packer
2. Create instances using this image
3. Notice that all these images share the same SSH host keys

Actual results:

SSH keys are not regenerated when a new instance is created

Expected results:

SSH keys should be regenerated

Additional info:

When cloud-init was packaged for RHEL, the "ssh_deletekeys" option was explicitly set to "false" and the "ssh_genkeytypes" option was set to be empty (https://git.centos.org/blob/rpms!cloud-init.git/c7/SOURCES!0001-configuration-changes-for-RHEL-package.patch#L66). Most probably this was done because "cloud-init.service" has "Wants=sshd-keygen.service" (https://github.com/cloud-init/cloud-init/blob/master/systemd/cloud-init.service.tmpl#L6), which is actually responsible for regenerating SSH keys (https://git.centos.org/blob/rpms!openssh.git/c7/SOURCES!sshd-keygen.service). However, "sshd-keygen.service" doesn't have any logic to detect whether the current VM instance was just created or not. "cloud-init" has this logic.

Other distros, like SLES or Ubuntu, both rely on cloud-init logic, not on "sshd-keygen.service", to regenerate SSH host keys.
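The two settings the report names, `ssh_deletekeys` and `ssh_genkeytypes`, are top-level keys in cloud-init's `/etc/cloud/cloud.cfg` (and any `/etc/cloud/cloud.cfg.d/*.cfg` drop-in). The script below is an added example, not code from the bug report or from the cloud-init project: it audits a config file for those two keys and reports whether host keys will be regenerated on first boot, and it shows a drop-in that turns regeneration back on. The two config files it audits are constructed samples written to a temp directory, the `false` / `~` spellings in the weak sample stand in for the RHEL patch the report links to, and the drop-in name `99-ssh-hostkeys.cfg` is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the bug report or the cloud-init project: audit a
# cloud-init config for ssh_deletekeys / ssh_genkeytypes and show the drop-in
# that re-enables host key regeneration. Assumes POSIX sh with awk, sed, tr
# and mktemp. Real configs live in /etc/cloud/cloud.cfg and
# /etc/cloud/cloud.cfg.d/*.cfg; the two files created below are constructed.

# Print the value(s) of a top-level key: an inline scalar or list on the
# key's own line, or the items of a YAML block list on the "- item" lines
# that follow it. Stops at the next unindented key.
cfg_value() {
    awk -v key="$2" '
        $0 ~ ("^" key ":") {
            inkey = 1
            sub(("^" key ":[[:space:]]*"), "")
            if ($0 != "") { print; exit }
            next
        }
        inkey && /^[[:space:]]+-[[:space:]]*/ { sub(/^[[:space:]]+-[[:space:]]*/, ""); print; next }
        inkey && /^[^[:space:]#]/ { exit }
    ' "$1"
}

# Normalise a value to one space-separated string: drop YAML brackets, commas
# and newlines, and map the "nothing" spellings (~, null, []) to "".
normalise() {
    v=$(printf '%s' "$1" | tr -d '[]' | tr ',\n' '  ' | tr -s ' ')
    v=${v# }; v=${v% }
    case "$v" in "~"|null|Null|"") v="" ;; esac
    printf '%s' "$v"
}

# Return 0 when the config regenerates host keys on first boot, 1 otherwise,
# printing one verdict line per setting.
audit_cloud_cfg() {
    file=$1
    ok=0
    delete=$(normalise "$(cfg_value "$file" ssh_deletekeys)")
    types=$(normalise "$(cfg_value "$file" ssh_genkeytypes)")
    case "$delete" in
        true|True|yes|on|1) echo "$file: ssh_deletekeys=$delete (ok)" ;;
        *) echo "$file: ssh_deletekeys='$delete' keeps the image's host keys on every clone"; ok=1 ;;
    esac
    if [ -z "$types" ]; then
        echo "$file: ssh_genkeytypes is empty, no new host keys will be generated"; ok=1
    else
        echo "$file: ssh_genkeytypes=$types (ok)"
    fi
    return $ok
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample 1: the RHEL-style settings the report describes.
WEAK_CFG=$SAMPLE_DIR/cloud.cfg
cat > "$WEAK_CFG" <<'EOF'
ssh_deletekeys:   false
ssh_genkeytypes:  ~
ssh_pwauth:   0
EOF

# Constructed sample 2: a cloud.cfg.d drop-in that turns regeneration back on.
HARD_CFG=$SAMPLE_DIR/99-ssh-hostkeys.cfg
cat > "$HARD_CFG" <<'EOF'
# delete the image's keys and generate fresh ones on first boot
ssh_deletekeys: true
ssh_genkeytypes:
  - rsa
  - ecdsa
  - ed25519
EOF

audit_cloud_cfg "$WEAK_CFG" || echo "-> $WEAK_CFG needs fixing"
audit_cloud_cfg "$HARD_CFG" && echo "-> $HARD_CFG is fine"
```

Run it against a real image by pointing `audit_cloud_cfg` at `/etc/cloud/cloud.cfg` and each file in `/etc/cloud/cloud.cfg.d/`; since later drop-ins override earlier settings, the last file that sets a key is the one that counts. The hardened drop-in only matters if the image's baked-in host keys are also removed before it is snapshotted, otherwise `ssh_deletekeys: true` is what removes them on first boot.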
