After Cloud-Init is completed, an error is reported when the sshd service is restarted.

Bug #2011291 reported by shixuantong
Affects: cloud-init    Status: Fix Released    Importance: High    Assigned to: Unassigned

Bug Description

I tested this issue on multiple versions and found that cloud-init 21.4 is OK, but cloud-init 22.2 and 23.1 are not.

The following error information is displayed for the sshd service:
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_rsa_key
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Mar 11 17:17:53 openEuler sshd[2232]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mar 11 17:17:53 openEuler sshd[2232]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Mar 11 17:17:53 openEuler sshd[2232]: It is required that your private key files are NOT accessible by others.
Mar 11 17:17:53 openEuler sshd[2232]: This private key will be ignored.
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Mar 11 17:17:53 openEuler sshd[2232]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
Mar 11 17:17:53 openEuler sshd[2232]: sshd: no hostkeys available -- exiting.

At the same time, I found that the key file permission generated by the sshd service is 0o400, but the file permissions generated by cloud-init cc_ssh are 0o644 (public key) and 0o640 (private key). Should cloud-init be consistent with sshd?

[root@openEuler ~]# cd /etc/ssh/
[root@openEuler ssh]# ll ssh_host_*
-r--------. 1 root ssh_keys 480 Mar 11 15:57 ssh_host_ecdsa_key
-r--------. 1 root root 162 Mar 11 15:57 ssh_host_ecdsa_key.pub
-r--------. 1 root ssh_keys 387 Mar 11 15:57 ssh_host_ed25519_key
-r--------. 1 root root 82 Mar 11 15:57 ssh_host_ed25519_key.pub
-r--------. 1 root ssh_keys 2578 Mar 11 15:57 ssh_host_rsa_key
-r--------. 1 root root 554 Mar 11 15:57 ssh_host_rsa_key.pub

After Cloud-Init is completed:
[root@openEuler ssh]# ll ssh_host_*
-rw-r-----. 1 root ssh_keys 1381 Mar 11 17:17 ssh_host_dsa_key
-rw-r--r--. 1 root root 604 Mar 11 17:17 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys 505 Mar 11 17:17 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 176 Mar 11 17:17 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 411 Mar 11 17:17 ssh_host_ed25519_key
-rw-r--r--. 1 root root 96 Mar 11 17:17 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 2602 Mar 11 17:17 ssh_host_rsa_key
-rw-r--r--. 1 root root 568 Mar 11 17:17 ssh_host_rsa_key.pub

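The check behind the "UNPROTECTED PRIVATE KEY FILE" warning above is simple: upstream sshd refuses a private key file that it owns when any group or other permission bit (mode & 0o077) is set, which is why the 0640 keys are ignored while the 0400 keys sshd-keygen produced are accepted. The following is an added example, not code from cloud-init or OpenSSH, that applies that rule to a constructed set of host-key files with the modes shown in this report and then tightens them to 0600 for private keys and 0644 for public keys (the values the later comments give as expected). The temporary directory, the placeholder file contents and the function names are all assumptions made for the example.

```python
"""Audit ssh_host_* permissions the way sshd does, then tighten them.

Added example, not cloud-init's own code. The rejection rule mirrors upstream
OpenSSH's sshkey_perm_ok(): a private key owned by the current user is
rejected when (mode & 0o077) != 0. Sample files are constructed in a
temporary directory; they are placeholders, not real keys.
"""
import os
import stat
import tempfile
from pathlib import Path

PRIVATE_MODE = 0o600   # target for ssh_host_*_key (stated in the thread)
PUBLIC_MODE = 0o644    # target for ssh_host_*_key.pub (stated in the thread)


def private_key_too_open(path):
    """True if sshd would ignore this private key for bad permissions.

    sshd only enforces the rule when the file belongs to the user running
    it (root for the daemon). The sample files here belong to the caller,
    so the ownership condition holds.
    """
    st = os.stat(path)
    return st.st_uid == os.getuid() and (st.st_mode & 0o077) != 0


def audit_host_keys(ssh_dir):
    """Map each ssh_host_* file name to 'ok' or a short finding."""
    findings = {}
    for path in sorted(Path(ssh_dir).glob("ssh_host_*_key*")):
        mode = stat.S_IMODE(path.stat().st_mode)
        if path.suffix == ".pub":
            # Public keys are not checked by sshd; just confirm the target mode.
            findings[path.name] = "ok" if mode == PUBLIC_MODE else f"unexpected {mode:04o}"
        elif private_key_too_open(path):
            findings[path.name] = f"too open {mode:04o}"
        else:
            findings[path.name] = "ok"   # 0600 and 0400 both pass
    return findings


def fix_host_keys(ssh_dir):
    """Apply the target modes; return the names of files that were changed."""
    changed = []
    for path in sorted(Path(ssh_dir).glob("ssh_host_*_key*")):
        want = PUBLIC_MODE if path.suffix == ".pub" else PRIVATE_MODE
        if stat.S_IMODE(path.stat().st_mode) != want:
            path.chmod(want)
            changed.append(path.name)
    return changed


def make_sample_dir():
    """Constructed sample: the 0640/0644 modes from the report plus one
    0400 private key as left by sshd-keygen (assumed layout, not real keys)."""
    d = Path(tempfile.mkdtemp(prefix="ssh-perm-"))
    samples = {
        "ssh_host_rsa_key": 0o640,
        "ssh_host_rsa_key.pub": 0o644,
        "ssh_host_ed25519_key": 0o640,
        "ssh_host_ed25519_key.pub": 0o644,
        "ssh_host_ecdsa_key": 0o400,
        "ssh_host_ecdsa_key.pub": 0o644,
    }
    for name, mode in samples.items():
        p = d / name
        p.write_text("constructed placeholder, not a real key\n")
        p.chmod(mode)
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    for name, verdict in audit_host_keys(sample).items():
        print(f"{name:28} {verdict}")
    print("fixed:", fix_host_keys(sample))
    print("after:", audit_host_keys(sample))
```

Running it as root against a real /etc/ssh would report the same two files sshd complained about in the log above. Note that the rule implemented here is upstream OpenSSH's; a distribution carrying the older RHEL/Fedora downstream patch relaxed it so that root:ssh_keys 0640 was accepted, which is the behaviour the Fedora commit linked later in this thread removes.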
Revision history for this message
James Falcon (falcojr) wrote :

This should be fixed in https://github.com/canonical/cloud-init/pull/1971 . It is available in the 23.1.1 upstream release as well as the Ubuntu Lunar development release, and in the -proposed pocket of the remaining Ubuntu series and should hit -updates within the next week or so.

I'm going to set this Incomplete for now, but please let me know if this fixes your problem.

Changed in cloud-init:
status: New → Incomplete
Revision history for this message
shixuantong (sxt1001) wrote :

Sorry, this (https://github.com/canonical/cloud-init/pull/1971) is not a fix patch. I tested this problem with cloud-init 23.1.1 and it has the same problem.

Revision history for this message
James Falcon (falcojr) wrote :

The expected permissions are 600 for private keys and 644 for public keys. This is what it looks like for me on Ubuntu Lunar running 23.1.1:
root@lunar:/etc/ssh# ll ssh_host_*
-rw------- 1 root root 1385 Mar 13 16:20 ssh_host_dsa_key
-rw-r--r-- 1 root root 600 Mar 13 16:20 ssh_host_dsa_key.pub
-rw------- 1 root root 505 Mar 13 16:20 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 172 Mar 13 16:20 ssh_host_ecdsa_key.pub
-rw------- 1 root root 399 Mar 13 16:20 ssh_host_ed25519_key
-rw-r--r-- 1 root root 92 Mar 13 16:20 ssh_host_ed25519_key.pub
-rw------- 1 root root 2590 Mar 13 16:20 ssh_host_rsa_key
-rw-r--r-- 1 root root 564 Mar 13 16:20 ssh_host_rsa_key.pub

Are you saying that 23.1.1 doesn't have these permissions on your platform, or are you expecting different permissions?

Revision history for this message
shixuantong (sxt1001) wrote :

I'm sorry to bother you. I use cloud-init 23.1.1 and the generated public key file permission is correct (644), but the private key permission is not 600 but 640. Why?

Revision history for this message
shixuantong (sxt1001) wrote :

I know what's going on.

This patch (https://github.com/canonical/cloud-init/pull/1971) only applies when ssh_keys is configured.

https://github.com/canonical/cloud-init/blob/main/cloudinit/config/cc_ssh.py#L212

When that condition is met, the patch takes effect. However, in my scenario the else branch is entered, and there is no permission control there.

Revision history for this message
James Falcon (falcojr) wrote :

Thanks for tracking that down. This is intentionally different. Cloud-init is replacing the behavior of sshd-keygen, which created host keys with those permissions. See:

https://github.com/canonical/cloud-init/pull/1971#discussion_r1084150227
and
https://github.com/canonical/cloud-init/pull/1070

According to that 2nd issue, RHEL has an issue if those permissions aren't the same. But these permissions do not work with OpenEuler? I can circle back and see if RHEL still requires those permissions, but if so we may need to introduce different permissions based on distro.

Revision history for this message
shixuantong (sxt1001) wrote :

In the new version, they should no longer be needed.

Restore upstream default host key permissions (rhbz#2141272)
https://src.fedoraproject.org/rpms/openssh/c/b615362fd0b4da657d624571441cb74983de6e3f?branch=rawhide

James Falcon (falcojr)
Changed in cloud-init:
status: Incomplete → Triaged
importance: Undecided → High
James Falcon (falcojr)
Changed in cloud-init:
status: Triaged → Fix Committed
Revision history for this message
Chad Smith (chad.smith) wrote : Fixed in cloud-init version 23.2.

This bug is believed to be fixed in cloud-init in version 23.2. If this is still a problem for you, please make a comment and set the state back to New

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released