Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1885186

Summary: Removing ssh keys MC does not remove the key from authorized_keys
Product: OpenShift Container Platform
Reporter: Pablo Alonso Rodriguez <palonsor>
Component: Machine Config Operator
Assignee: Kirsten Garrison <kgarriso>
Status: CLOSED ERRATA
QA Contact: Michael Nguyen <mnguyen>
Severity: high
Priority: high
Version: 4.5
CC: mbetti, mkrejci
Keywords: Security
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: Users were allowed to try to delete the core user and all SSH keys due to a bug in the code base.
Consequence: The user and keys seemed to be deleted, but the keys still remained.
Fix: Enforce the original rules, which do not permit users to delete the core user and require at least 1 SSH key, instead of silently failing.
Result: The behavior of the system now matches the error messages, resulting in predictable behaviour and expectations.
Last Closed: 2021-07-27 22:33:30 UTC
Type: Bug
Bug Blocks: 1932638

Description Pablo Alonso Rodriguez 2020-10-05 11:27:05 UTC
Description of problem:

If a cluster is installed with SSH keys, machineconfigs `99-worker-ssh` and `99-master-ssh` are created to configure the SSH keys.

However, if these machineconfigs are deleted afterwards, the SSH key is not removed from the authorized_keys file of the core user.

Version-Release number of selected component (if applicable):

4.5

How reproducible:

Always

Steps to Reproduce:
1. Install a cluster with SSH keys
2. Delete 99-worker-ssh machineconfig
3. Try to ssh with core user

Actual results:

ssh possible

Expected results:

ssh not possible due to access denied

Additional info:

A new rendered config is created correctly, all the nodes properly update to it, and the new rendered config doesn't have any key information. So presumably the issue is in machine-config-daemon, as I don't see either an error message there or an indication of keys being updated.

Comment 3 Pablo Alonso Rodriguez 2020-10-05 11:54:00 UTC
Hi, 

Creating a machineconfig with a `passwd` section like this seems to work around the issue in my test cluster:
```
    passwd:
      users:
      - name: core
        sshAuthorizedKeys: []
```
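
A consistency check for the symptom reported above, as an added example that is not part of the bug report or the Machine Config Operator code: it lists keys still present in an `authorized_keys` file that the rendered MachineConfig no longer declares. The function names and sample data are constructed, and the `spec.config.passwd.users` layout is assumed from the `passwd` snippet in Comment 3.

```python
import shlex

# Prefixes of OpenSSH public key type names; fields before one are options.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def key_identity(line):
    """Return (key type, base64 blob) for an authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        fields = shlex.split(line)   # keeps quoted option values in one field
    except ValueError:               # e.g. an apostrophe in the trailing comment
        fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            return (field, fields[i + 1])
    return None

def declared_keys(machine_config, user="core"):
    """Keys declared for `user` under spec.config.passwd.users (may be absent)."""
    config = (machine_config.get("spec") or {}).get("config") or {}
    users = (config.get("passwd") or {}).get("users") or []
    keys = set()
    for entry in users:
        if entry.get("name") == user:
            keys.update(key_identity(k) for k in entry.get("sshAuthorizedKeys") or [])
    keys.discard(None)
    return keys

def stale_keys(machine_config, authorized_keys_text, user="core"):
    """authorized_keys lines whose key the MachineConfig no longer declares."""
    wanted = declared_keys(machine_config, user)
    return [line.strip() for line in authorized_keys_text.splitlines()
            if key_identity(line) not in wanted | {None}]

# Constructed sample data (placeholder key blobs, not real keys).
RENDERED_AFTER_DELETE = {"spec": {"config": {}}}   # no passwd section left
RENDERED_WITH_KEY = {"spec": {"config": {"passwd": {"users": [
    {"name": "core",
     "sshAuthorizedKeys": ["ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 admin@example"]}]}}}}
NODE_AUTHORIZED_KEYS = """\
# constructed sample of the core user's authorized_keys
ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 admin@example
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3CONSTRUCTEDKEY2 ops's laptop
"""

if __name__ == "__main__":
    for stale in stale_keys(RENDERED_AFTER_DELETE, NODE_AUTHORIZED_KEYS):
        print("stale key:", stale)
```

Keys are compared by type and blob only, so a changed comment or option list does not hide a key that is still on disk.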

Comment 12 Michael Nguyen 2021-02-24 14:50:52 UTC
Verified on 4.8.0-0.nightly-2021-02-10-155958

Comment 15 errata-xmlrpc 2021-07-27 22:33:30 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438