SSH restart does not work on RHEL7

Bug #1470433 reported by James Masson
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
cloud-init | Fix Released | Medium | Unassigned |

Bug Description

As part of cc_set_passwords.py - SSH is restarted when sshd_config changes are made by cloud-init

However on RHEL7, the ssh service is named "sshd" not "ssh" - "ssh" is the default in the code...

##
config/cc_set_passwords.py: cmd.append(cloud.distro.get_option('ssh_svcname', 'ssh'))
##

There is no override for this for RHEL currently, unlike on Arch and Gentoo

#
distros/arch.py: cfg['ssh_svcname'] = 'sshd'
distros/gentoo.py: cfg['ssh_svcname'] = '/etc/init.d/sshd'
#

Fix should be added to
#
distros/rhel.py
#

Something like...
#
class Distro(distros.Distro):
....

    def __init__(self, name, cfg, paths):
....
        cfg['ssh_svcname'] = 'sshd'
#

I've tagged this as a security vulnerability, as it left internet accessible VMs with password based SSH enabled, and got a system compromised.

regards

James M

information type: Private Security → Public Security
James Masson (james-masson) wrote :

From the cloud-init log.

Jul 1 09:08:53 localhost cloud-init: 2015-07-01 09:08:53,012 - util.py[WARNING]: Restarting of the ssh daemon failed

Jim Gorz (nrezinorn) wrote :

It does appear to be defaulting to 'ssh' for the service name if no cfg value is set in rhel.py:
cmd.append(cloud.distro.get_option('ssh_svcname', 'ssh'))
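
An added example, not part of the original report or comments and not cloud-init's own code: it reproduces the fallback to 'ssh' described above with a stand-in `get_option`, and scans log lines for the warning quoted earlier in this report. `DISTRO_CFG`, `restart_target` and `find_failed_restarts` are hypothetical names, and the second sample log line is constructed.

```python
import re

# Per-distro overrides as quoted in the report; 'rhel' had none at the time.
DISTRO_CFG = {
    "arch": {"ssh_svcname": "sshd"},
    "gentoo": {"ssh_svcname": "/etc/init.d/sshd"},
    "rhel": {},
}


def get_option(distro, key, default=None):
    """Stand-in for cloud.distro.get_option(): returns the default when unset."""
    return DISTRO_CFG.get(distro, {}).get(key, default)


def restart_target(distro):
    # Same lookup as cc_set_passwords.py: a missing override yields 'ssh'.
    return get_option(distro, "ssh_svcname", "ssh")


# Warning text as it appears in the cloud-init log quoted in this report.
RESTART_FAILED = re.compile(
    r"^(?P<syslog>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\scloud-init:.*"
    r"\[WARNING\]: Restarting of the ssh daemon failed")


def find_failed_restarts(lines):
    """Return (host, syslog timestamp) for each failed ssh restart warning."""
    hits = []
    for line in lines:
        m = RESTART_FAILED.search(line)
        if m:
            hits.append((m.group("host"), m.group("syslog")))
    return hits


# Sample input: the first line is the one from the report, the second is constructed.
SAMPLE_LOG = [
    "Jul 1 09:08:53 localhost cloud-init: 2015-07-01 09:08:53,012 - "
    "util.py[WARNING]: Restarting of the ssh daemon failed",
    "Jul 1 09:08:54 localhost cloud-init: 2015-07-01 09:08:54,100 - "
    "util.py[DEBUG]: Running module final-message",
]

if __name__ == "__main__":
    print(restart_target("rhel"), restart_target("arch"))
    print(find_failed_restarts(SAMPLE_LOG))
```

A host that logs this warning should have its SSH daemon restarted and its effective authentication settings rechecked, since the log entry is only a warning and boot continues.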

Scott Moser (smoser)
Changed in cloud-init:
status: New → Confirmed
importance: Undecided → Medium
Scott Moser (smoser)
Changed in cloud-init:
status: Confirmed → Fix Committed
Scott Moser (smoser) wrote :

I believe this was fixed in 0.7.9. It appears fixed in trunk by ba0adb9b5100735358a76fdee7b251dba224a4cd

Changed in cloud-init:
status: Fix Committed → Fix Released
James Falcon (falcojr) wrote :