A vulnerability was found in the Azure plugin of cloud-init. The entire list of certificates and public keys exposed from the wireserver is added to the authorized_keys file for the user-to-be-provisioned, regardless of whether they belong to the user or not.
See steps from https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm
Created cloud-init tracking bugs for this issue:
Affects: epel-6 [bug 1688367]
Affects: fedora-all [bug 1688366]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:0597 https://access.redhat.com/errata/RHSA-2019:0597