virt/disk.py unconditionally inserts public_keys into /root/.ssh/authorized_keys

Bug #833499 reported by Scott Moser
This bug affects 4 people
Affects                    Status         Importance   Assigned to    Milestone
OpenStack Compute (nova)   Fix Released   Low          Chuck Short
cloud-init (Ubuntu)        Fix Released   Medium       Scott Moser
nova (Ubuntu)              Fix Released   Low          Unassigned

Bug Description

When cloud-init runs, it populates root's .ssh/authorized_keys with an entry like:
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10" ssh-rsa A....dLQ0= nova@dziban

That blocks login as root with that key, and provides the user with a message saying to login as the "ubuntu" user instead.

This is a security choice made by Ubuntu, and nova is overriding that choice by inserting the key into /root/.ssh/authorized_keys when the image is being built.

Personally, I think that disks provided to nova should be provided to the guest 100% unmodified in all cases, but at very least, this needs to be configurable.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: nova-compute 2011.3~d4~20110812.1417-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-9.14-virtual 3.0.3
Uname: Linux 3.0.0-9-virtual i686
Architecture: i386
Date: Thu Aug 25 03:19:39 2011
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: nova
UpgradeStatus: No upgrade log present (probably fresh install)

Scott Moser (smoser) wrote :
tags: added: ec2-images uec-images
Clint Byrum (clint-fewbar) wrote :

Since this has implications for users who want to retain common carrier status while running a "public" Nova, I am setting this to High. Also marking it as affecting the upstream nova project.

Changed in nova (Ubuntu):
importance: Undecided → High
Scott Moser (smoser) wrote :

I've committed to cloud-init's trunk an improvement to cloud-init that works around this.
The fix there changes updating of .ssh/authorized_keys to update existing entries rather than appending. In this case, then, the inserted key is re-written appropriately.

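The update-rather-than-append behaviour described in the comment above, written out as an added Python example. This is not cloud-init's own code: the parser, the `update_authorized_keys` function and the sample data (`SAMPLE_KEY`, `RESTRICT_OPTIONS`, the `nova@dziban` comment) are constructed here for illustration, and the key material is not a real key. The point it shows is that a key already present in the file is rewritten in place with the restricting options, so the unrestricted copy an image-time injection left behind does not survive next to the restricted one.

```python
from typing import List, Optional, Tuple

# Key types recognised in the key-type field of an authorized_keys entry.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample data (not a real key): the bare entry an image-time
# injection leaves in /root/.ssh/authorized_keys, and the restricting options
# the bug report shows cloud-init wanting for that same key.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedKEY0= nova@dziban"
RESTRICT_OPTIONS = (
    'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,'
    'command="echo \'Please login as the user \\"ubuntu\\" rather than '
    'the user \\"root\\".\';echo;sleep 10"'
)


def _split_options(line: str) -> Tuple[str, str]:
    """Split a line into (options, remainder starting at the key type).

    The options field may contain whitespace and commas inside double quotes
    (command="..." is the usual case), so a plain split() is not enough: scan
    for the first unquoted whitespace character instead.
    """
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line          # no options field at all
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""              # nothing follows the options: malformed


def parse_entry(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (options, keytype, key, comment), or None for blank, comment or bad lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    options, rest = _split_options(stripped)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def update_authorized_keys(existing: str, desired: List[str]) -> str:
    """Merge the `desired` entries into the `existing` file content.

    A desired key that is already present (same key type and key material,
    whatever options or comment it currently carries) is rewritten in place
    with the desired line; keys not present yet are appended; every other
    line is preserved verbatim. Appending unconditionally would leave the
    unrestricted copy in the file, which is the problem the bug describes.
    """
    wanted = {}
    order = []
    for entry in desired:
        parsed = parse_entry(entry)
        if parsed is None:
            raise ValueError("not an authorized_keys entry: %r" % entry)
        key_id = (parsed[1], parsed[2])
        if key_id not in wanted:
            order.append(key_id)
        wanted[key_id] = entry.strip()

    out = []
    seen = set()
    for line in existing.splitlines():
        parsed = parse_entry(line)
        key_id = (parsed[1], parsed[2]) if parsed else None
        if key_id in wanted:
            out.append(wanted[key_id])   # same key: replace, keeping its position
            seen.add(key_id)
        else:
            out.append(line)
    for key_id in order:
        if key_id not in seen:
            out.append(wanted[key_id])   # genuinely new key: append
    return "\n".join(out) + "\n" if out else ""


def demo_merge() -> str:
    """Rewrite the bare injected sample entry with the restricting options."""
    return update_authorized_keys(SAMPLE_KEY + "\n",
                                  [RESTRICT_OPTIONS + " " + SAMPLE_KEY])


if __name__ == "__main__":
    print(demo_merge(), end="")
```

Matching on key type plus key material rather than on the whole line is what makes the rewrite work: the injected entry and the restricted entry differ only in their options, so a whole-line comparison would treat them as different keys and append a second, unrestricted-adjacent copy.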
Vish Ishaya (vishvananda) wrote :

Since there is a workaround, I'm setting this to low. We should at least provide a flag allowing deployers to turn off key injection if they don't want it.

Changed in nova:
importance: Undecided → Low
status: New → Triaged
Dave Walker (davewalker) wrote :

Dropping Ubuntu bug task to Low as we have a work-around.

Thanks.

Changed in nova (Ubuntu):
importance: High → Low
status: New → Confirmed
Scott Moser (smoser) wrote :

This is fix-released in cloud-init with version 0.6.1-0ubuntu16.

Changed in cloud-init (Ubuntu):
assignee: nobody → Scott Moser (smoser)
importance: Undecided → Medium
status: New → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/4430

Changed in nova:
assignee: nobody → Chuck Short (zulcss)
status: Triaged → In Progress
Tom Fifield (fifieldt) wrote :

This looks to be covered by the flag libvirt_inject_key - marking as "fix released"

Changed in nova:
status: In Progress → Fix Released
Chuck Short (zulcss)
Changed in nova (Ubuntu):
status: Confirmed → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/12455

Changed in nova:
status: Fix Released → In Progress
Thierry Carrez (ttx) wrote :

Agree with Tom that this seems covered well by libvirt_inject_key. If not, please reopen and explain.

Changed in nova:
status: In Progress → Fix Released