forked from rpms/cloud-init
import cloud-init-21.1-12.el9
This commit is contained in:
parent
471cc202a7
commit
4e103214a5
@ -0,0 +1,262 @@
|
|||||||
|
From 5bfe2ee2b063d87e6fd255d6c5e63123aa3f6de0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
Date: Sat, 21 Aug 2021 13:55:53 +0200
|
||||||
|
Subject: [PATCH] Fix home permissions modified by ssh module (SC-338) (#984)
|
||||||
|
|
||||||
|
RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
RH-MergeRequest: 9: Fix home permissions modified by ssh module
|
||||||
|
RH-Commit: [1/1] ab55db88aa1bf2f77acaca5e76ffabbab72b1fb2 (eesposit/cloud-init-centos-)
|
||||||
|
RH-Bugzilla: 1995843
|
||||||
|
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
|
||||||
|
RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
|
||||||
|
|
||||||
|
TESTED: By me and QA
|
||||||
|
BREW: 39178085
|
||||||
|
|
||||||
|
Fix home permissions modified by ssh module (SC-338) (#984)
|
||||||
|
|
||||||
|
commit 7d3f5d750f6111c2716143364ea33486df67c927
|
||||||
|
Author: James Falcon <therealfalcon@gmail.com>
|
||||||
|
Date: Fri Aug 20 17:09:49 2021 -0500
|
||||||
|
|
||||||
|
Fix home permissions modified by ssh module (SC-338) (#984)
|
||||||
|
|
||||||
|
Fix home permissions modified by ssh module
|
||||||
|
|
||||||
|
In #956, we updated the file and directory permissions for keys not in
|
||||||
|
the user's home directory. We also unintentionally modified the
|
||||||
|
permissions within the home directory as well. These should not change,
|
||||||
|
and this commit changes that back.
|
||||||
|
|
||||||
|
LP: #1940233
|
||||||
|
|
||||||
|
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
---
|
||||||
|
cloudinit/ssh_util.py | 35 ++++-
|
||||||
|
.../modules/test_ssh_keysfile.py | 132 +++++++++++++++---
|
||||||
|
2 files changed, 146 insertions(+), 21 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
|
||||||
|
index b8a3c8f7..9ccadf09 100644
|
||||||
|
--- a/cloudinit/ssh_util.py
|
||||||
|
+++ b/cloudinit/ssh_util.py
|
||||||
|
@@ -321,23 +321,48 @@ def check_create_path(username, filename, strictmodes):
|
||||||
|
home_folder = os.path.dirname(user_pwent.pw_dir)
|
||||||
|
for directory in directories:
|
||||||
|
parent_folder += "/" + directory
|
||||||
|
- if home_folder.startswith(parent_folder):
|
||||||
|
+
|
||||||
|
+ # security check, disallow symlinks in the AuthorizedKeysFile path.
|
||||||
|
+ if os.path.islink(parent_folder):
|
||||||
|
+ LOG.debug(
|
||||||
|
+ "Invalid directory. Symlink exists in path: %s",
|
||||||
|
+ parent_folder)
|
||||||
|
+ return False
|
||||||
|
+
|
||||||
|
+ if os.path.isfile(parent_folder):
|
||||||
|
+ LOG.debug(
|
||||||
|
+ "Invalid directory. File exists in path: %s",
|
||||||
|
+ parent_folder)
|
||||||
|
+ return False
|
||||||
|
+
|
||||||
|
+ if (home_folder.startswith(parent_folder) or
|
||||||
|
+ parent_folder == user_pwent.pw_dir):
|
||||||
|
continue
|
||||||
|
|
||||||
|
- if not os.path.isdir(parent_folder):
|
||||||
|
+ if not os.path.exists(parent_folder):
|
||||||
|
# directory does not exist, and permission so far are good:
|
||||||
|
# create the directory, and make it accessible by everyone
|
||||||
|
# but owned by root, as it might be used by many users.
|
||||||
|
with util.SeLinuxGuard(parent_folder):
|
||||||
|
- os.makedirs(parent_folder, mode=0o755, exist_ok=True)
|
||||||
|
- util.chownbyid(parent_folder, root_pwent.pw_uid,
|
||||||
|
- root_pwent.pw_gid)
|
||||||
|
+ mode = 0o755
|
||||||
|
+ uid = root_pwent.pw_uid
|
||||||
|
+ gid = root_pwent.pw_gid
|
||||||
|
+ if parent_folder.startswith(user_pwent.pw_dir):
|
||||||
|
+ mode = 0o700
|
||||||
|
+ uid = user_pwent.pw_uid
|
||||||
|
+ gid = user_pwent.pw_gid
|
||||||
|
+ os.makedirs(parent_folder, mode=mode, exist_ok=True)
|
||||||
|
+ util.chownbyid(parent_folder, uid, gid)
|
||||||
|
|
||||||
|
permissions = check_permissions(username, parent_folder,
|
||||||
|
filename, False, strictmodes)
|
||||||
|
if not permissions:
|
||||||
|
return False
|
||||||
|
|
||||||
|
+ if os.path.islink(filename) or os.path.isdir(filename):
|
||||||
|
+ LOG.debug("%s is not a file!", filename)
|
||||||
|
+ return False
|
||||||
|
+
|
||||||
|
# check the file
|
||||||
|
if not os.path.exists(filename):
|
||||||
|
# if file does not exist: we need to create it, since the
|
||||||
|
diff --git a/tests/integration_tests/modules/test_ssh_keysfile.py b/tests/integration_tests/modules/test_ssh_keysfile.py
|
||||||
|
index f82d7649..3159feb9 100644
|
||||||
|
--- a/tests/integration_tests/modules/test_ssh_keysfile.py
|
||||||
|
+++ b/tests/integration_tests/modules/test_ssh_keysfile.py
|
||||||
|
@@ -10,10 +10,10 @@ TEST_USER1_KEYS = get_test_rsa_keypair('test1')
|
||||||
|
TEST_USER2_KEYS = get_test_rsa_keypair('test2')
|
||||||
|
TEST_DEFAULT_KEYS = get_test_rsa_keypair('test3')
|
||||||
|
|
||||||
|
-USERDATA = """\
|
||||||
|
+_USERDATA = """\
|
||||||
|
#cloud-config
|
||||||
|
bootcmd:
|
||||||
|
- - sed -i 's;#AuthorizedKeysFile.*;AuthorizedKeysFile /etc/ssh/authorized_keys %h/.ssh/authorized_keys2;' /etc/ssh/sshd_config
|
||||||
|
+ - {bootcmd}
|
||||||
|
ssh_authorized_keys:
|
||||||
|
- {default}
|
||||||
|
users:
|
||||||
|
@@ -24,27 +24,17 @@ users:
|
||||||
|
- name: test_user2
|
||||||
|
ssh_authorized_keys:
|
||||||
|
- {user2}
|
||||||
|
-""".format( # noqa: E501
|
||||||
|
+""".format(
|
||||||
|
+ bootcmd='{bootcmd}',
|
||||||
|
default=TEST_DEFAULT_KEYS.public_key,
|
||||||
|
user1=TEST_USER1_KEYS.public_key,
|
||||||
|
user2=TEST_USER2_KEYS.public_key,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
-@pytest.mark.ubuntu
|
||||||
|
-@pytest.mark.user_data(USERDATA)
|
||||||
|
-def test_authorized_keys(client: IntegrationInstance):
|
||||||
|
- expected_keys = [
|
||||||
|
- ('test_user1', '/home/test_user1/.ssh/authorized_keys2',
|
||||||
|
- TEST_USER1_KEYS),
|
||||||
|
- ('test_user2', '/home/test_user2/.ssh/authorized_keys2',
|
||||||
|
- TEST_USER2_KEYS),
|
||||||
|
- ('ubuntu', '/home/ubuntu/.ssh/authorized_keys2',
|
||||||
|
- TEST_DEFAULT_KEYS),
|
||||||
|
- ('root', '/root/.ssh/authorized_keys2', TEST_DEFAULT_KEYS),
|
||||||
|
- ]
|
||||||
|
-
|
||||||
|
+def common_verify(client, expected_keys):
|
||||||
|
for user, filename, keys in expected_keys:
|
||||||
|
+ # Ensure key is in the key file
|
||||||
|
contents = client.read_from_file(filename)
|
||||||
|
if user in ['ubuntu', 'root']:
|
||||||
|
# Our personal public key gets added by pycloudlib
|
||||||
|
@@ -83,3 +73,113 @@ def test_authorized_keys(client: IntegrationInstance):
|
||||||
|
look_for_keys=False,
|
||||||
|
allow_agent=False,
|
||||||
|
)
|
||||||
|
+
|
||||||
|
+ # Ensure we haven't messed with any /home permissions
|
||||||
|
+ # See LP: #1940233
|
||||||
|
+ home_dir = '/home/{}'.format(user)
|
||||||
|
+ home_perms = '755'
|
||||||
|
+ if user == 'root':
|
||||||
|
+ home_dir = '/root'
|
||||||
|
+ home_perms = '700'
|
||||||
|
+ assert '{} {}'.format(user, home_perms) == client.execute(
|
||||||
|
+ 'stat -c "%U %a" {}'.format(home_dir)
|
||||||
|
+ )
|
||||||
|
+ if client.execute("test -d {}/.ssh".format(home_dir)).ok:
|
||||||
|
+ assert '{} 700'.format(user) == client.execute(
|
||||||
|
+ 'stat -c "%U %a" {}/.ssh'.format(home_dir)
|
||||||
|
+ )
|
||||||
|
+ assert '{} 600'.format(user) == client.execute(
|
||||||
|
+ 'stat -c "%U %a" {}'.format(filename)
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # Also ensure ssh-keygen works as expected
|
||||||
|
+ client.execute('mkdir {}/.ssh'.format(home_dir))
|
||||||
|
+ assert client.execute(
|
||||||
|
+ "ssh-keygen -b 2048 -t rsa -f {}/.ssh/id_rsa -q -N ''".format(
|
||||||
|
+ home_dir)
|
||||||
|
+ ).ok
|
||||||
|
+ assert client.execute('test -f {}/.ssh/id_rsa'.format(home_dir))
|
||||||
|
+ assert client.execute('test -f {}/.ssh/id_rsa.pub'.format(home_dir))
|
||||||
|
+
|
||||||
|
+ assert 'root 755' == client.execute('stat -c "%U %a" /home')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+DEFAULT_KEYS_USERDATA = _USERDATA.format(bootcmd='""')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+@pytest.mark.ubuntu
|
||||||
|
+@pytest.mark.user_data(DEFAULT_KEYS_USERDATA)
|
||||||
|
+def test_authorized_keys_default(client: IntegrationInstance):
|
||||||
|
+ expected_keys = [
|
||||||
|
+ ('test_user1', '/home/test_user1/.ssh/authorized_keys',
|
||||||
|
+ TEST_USER1_KEYS),
|
||||||
|
+ ('test_user2', '/home/test_user2/.ssh/authorized_keys',
|
||||||
|
+ TEST_USER2_KEYS),
|
||||||
|
+ ('ubuntu', '/home/ubuntu/.ssh/authorized_keys',
|
||||||
|
+ TEST_DEFAULT_KEYS),
|
||||||
|
+ ('root', '/root/.ssh/authorized_keys', TEST_DEFAULT_KEYS),
|
||||||
|
+ ]
|
||||||
|
+ common_verify(client, expected_keys)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+AUTHORIZED_KEYS2_USERDATA = _USERDATA.format(bootcmd=(
|
||||||
|
+ "sed -i 's;#AuthorizedKeysFile.*;AuthorizedKeysFile "
|
||||||
|
+ "/etc/ssh/authorized_keys %h/.ssh/authorized_keys2;' "
|
||||||
|
+ "/etc/ssh/sshd_config"))
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+@pytest.mark.ubuntu
|
||||||
|
+@pytest.mark.user_data(AUTHORIZED_KEYS2_USERDATA)
|
||||||
|
+def test_authorized_keys2(client: IntegrationInstance):
|
||||||
|
+ expected_keys = [
|
||||||
|
+ ('test_user1', '/home/test_user1/.ssh/authorized_keys2',
|
||||||
|
+ TEST_USER1_KEYS),
|
||||||
|
+ ('test_user2', '/home/test_user2/.ssh/authorized_keys2',
|
||||||
|
+ TEST_USER2_KEYS),
|
||||||
|
+ ('ubuntu', '/home/ubuntu/.ssh/authorized_keys2',
|
||||||
|
+ TEST_DEFAULT_KEYS),
|
||||||
|
+ ('root', '/root/.ssh/authorized_keys2', TEST_DEFAULT_KEYS),
|
||||||
|
+ ]
|
||||||
|
+ common_verify(client, expected_keys)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+NESTED_KEYS_USERDATA = _USERDATA.format(bootcmd=(
|
||||||
|
+ "sed -i 's;#AuthorizedKeysFile.*;AuthorizedKeysFile "
|
||||||
|
+ "/etc/ssh/authorized_keys %h/foo/bar/ssh/keys;' "
|
||||||
|
+ "/etc/ssh/sshd_config"))
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+@pytest.mark.ubuntu
|
||||||
|
+@pytest.mark.user_data(NESTED_KEYS_USERDATA)
|
||||||
|
+def test_nested_keys(client: IntegrationInstance):
|
||||||
|
+ expected_keys = [
|
||||||
|
+ ('test_user1', '/home/test_user1/foo/bar/ssh/keys',
|
||||||
|
+ TEST_USER1_KEYS),
|
||||||
|
+ ('test_user2', '/home/test_user2/foo/bar/ssh/keys',
|
||||||
|
+ TEST_USER2_KEYS),
|
||||||
|
+ ('ubuntu', '/home/ubuntu/foo/bar/ssh/keys',
|
||||||
|
+ TEST_DEFAULT_KEYS),
|
||||||
|
+ ('root', '/root/foo/bar/ssh/keys', TEST_DEFAULT_KEYS),
|
||||||
|
+ ]
|
||||||
|
+ common_verify(client, expected_keys)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+EXTERNAL_KEYS_USERDATA = _USERDATA.format(bootcmd=(
|
||||||
|
+ "sed -i 's;#AuthorizedKeysFile.*;AuthorizedKeysFile "
|
||||||
|
+ "/etc/ssh/authorized_keys /etc/ssh/authorized_keys/%u/keys;' "
|
||||||
|
+ "/etc/ssh/sshd_config"))
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+@pytest.mark.ubuntu
|
||||||
|
+@pytest.mark.user_data(EXTERNAL_KEYS_USERDATA)
|
||||||
|
+def test_external_keys(client: IntegrationInstance):
|
||||||
|
+ expected_keys = [
|
||||||
|
+ ('test_user1', '/etc/ssh/authorized_keys/test_user1/keys',
|
||||||
|
+ TEST_USER1_KEYS),
|
||||||
|
+ ('test_user2', '/etc/ssh/authorized_keys/test_user2/keys',
|
||||||
|
+ TEST_USER2_KEYS),
|
||||||
|
+ ('ubuntu', '/etc/ssh/authorized_keys/ubuntu/keys',
|
||||||
|
+ TEST_DEFAULT_KEYS),
|
||||||
|
+ ('root', '/etc/ssh/authorized_keys/root/keys', TEST_DEFAULT_KEYS),
|
||||||
|
+ ]
|
||||||
|
+ common_verify(client, expected_keys)
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
@ -0,0 +1,104 @@
|
|||||||
|
From e6412be62079bbec5d67d178711ea42f21cafab8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
Date: Tue, 12 Oct 2021 16:35:00 +0200
|
||||||
|
Subject: [PATCH 1/2] Inhibit sshd-keygen@.service if cloud-init is active
|
||||||
|
(#1028)
|
||||||
|
|
||||||
|
RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
RH-MergeRequest: 11: Add drop-in to prevent race with sshd-keygen service
|
||||||
|
RH-Commit: [1/2] 77ba3f167e71c43847aa5b38e1833d84568ed5a7 (eesposit/cloud-init-centos-)
|
||||||
|
RH-Bugzilla: 2002492
|
||||||
|
RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
|
||||||
|
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
|
||||||
|
|
||||||
|
TESTED: by me and QA
|
||||||
|
BREW: 40286693
|
||||||
|
|
||||||
|
commit 02c71f097bca455a0f87d3e0a2af4d04b1cbd727
|
||||||
|
Author: Ryan Harper <ryan.harper@canonical.com>
|
||||||
|
Date: Tue Oct 12 09:31:36 2021 -0500
|
||||||
|
|
||||||
|
Inhibit sshd-keygen@.service if cloud-init is active (#1028)
|
||||||
|
|
||||||
|
In some cloud-init enabled images the sshd-keygen@.service
|
||||||
|
may race with cloud-init and prevent ssh host keys from being
|
||||||
|
generated or generating host keys twice slowing boot and consuming
|
||||||
|
additional entropy during boot. This drop-in unit adds a condition to
|
||||||
|
the sshd-keygen@.service which prevents running if cloud-init is active.
|
||||||
|
|
||||||
|
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
|
||||||
|
Conflicts: minor conflict in setup.py (line 253), where we still use
|
||||||
|
"/usr/lib/" instead of LIB
|
||||||
|
---
|
||||||
|
packages/redhat/cloud-init.spec.in | 1 +
|
||||||
|
packages/suse/cloud-init.spec.in | 1 +
|
||||||
|
setup.py | 5 ++++-
|
||||||
|
systemd/disable-sshd-keygen-if-cloud-init-active.conf | 8 ++++++++
|
||||||
|
4 files changed, 14 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 systemd/disable-sshd-keygen-if-cloud-init-active.conf
|
||||||
|
|
||||||
|
diff --git a/packages/redhat/cloud-init.spec.in b/packages/redhat/cloud-init.spec.in
|
||||||
|
index 16138012..1491822b 100644
|
||||||
|
--- a/packages/redhat/cloud-init.spec.in
|
||||||
|
+++ b/packages/redhat/cloud-init.spec.in
|
||||||
|
@@ -175,6 +175,7 @@ fi
|
||||||
|
|
||||||
|
%if "%{init_system}" == "systemd"
|
||||||
|
/usr/lib/systemd/system-generators/cloud-init-generator
|
||||||
|
+%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
|
||||||
|
%{_unitdir}/cloud-*
|
||||||
|
%else
|
||||||
|
%attr(0755, root, root) %{_initddir}/cloud-config
|
||||||
|
diff --git a/packages/suse/cloud-init.spec.in b/packages/suse/cloud-init.spec.in
|
||||||
|
index 004b875f..da8107b4 100644
|
||||||
|
--- a/packages/suse/cloud-init.spec.in
|
||||||
|
+++ b/packages/suse/cloud-init.spec.in
|
||||||
|
@@ -126,6 +126,7 @@ version_pys=$(cd "%{buildroot}" && find . -name version.py -type f)
|
||||||
|
|
||||||
|
%{_sysconfdir}/dhcp/dhclient-exit-hooks.d/hook-dhclient
|
||||||
|
%{_sysconfdir}/NetworkManager/dispatcher.d/hook-network-manager
|
||||||
|
+%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
|
||||||
|
|
||||||
|
# Python code is here...
|
||||||
|
%{python_sitelib}/*
|
||||||
|
diff --git a/setup.py b/setup.py
|
||||||
|
index d5cd01a4..ec03fa27 100755
|
||||||
|
--- a/setup.py
|
||||||
|
+++ b/setup.py
|
||||||
|
@@ -38,6 +38,7 @@ def is_generator(p):
|
||||||
|
def pkg_config_read(library, var):
|
||||||
|
fallbacks = {
|
||||||
|
'systemd': {
|
||||||
|
+ 'systemdsystemconfdir': '/etc/systemd/system',
|
||||||
|
'systemdsystemunitdir': '/lib/systemd/system',
|
||||||
|
'systemdsystemgeneratordir': '/lib/systemd/system-generators',
|
||||||
|
}
|
||||||
|
@@ -249,7 +250,9 @@ if not platform.system().endswith('BSD'):
|
||||||
|
data_files.extend([
|
||||||
|
(ETC + '/NetworkManager/dispatcher.d/',
|
||||||
|
['tools/hook-network-manager']),
|
||||||
|
- ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')])
|
||||||
|
+ ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')]),
|
||||||
|
+ (ETC + '/systemd/system/sshd-keygen@.service.d/',
|
||||||
|
+ ['systemd/disable-sshd-keygen-if-cloud-init-active.conf']),
|
||||||
|
])
|
||||||
|
# Use a subclass for install that handles
|
||||||
|
# adding on the right init system configuration files
|
||||||
|
diff --git a/systemd/disable-sshd-keygen-if-cloud-init-active.conf b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..71e35876
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
|
||||||
|
@@ -0,0 +1,8 @@
|
||||||
|
+# In some cloud-init enabled images the sshd-keygen template service may race
|
||||||
|
+# with cloud-init during boot causing issues with host key generation. This
|
||||||
|
+# drop-in config adds a condition to sshd-keygen@.service if it exists and
|
||||||
|
+# prevents the sshd-keygen units from running *if* cloud-init is going to run.
|
||||||
|
+#
|
||||||
|
+[Unit]
|
||||||
|
+ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target
|
||||||
|
+EOF
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
@ -0,0 +1,97 @@
|
|||||||
|
From 2a6b3b5afb20a7856ad81b3ec3da621571c3bec3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
Date: Wed, 20 Oct 2021 10:41:36 +0200
|
||||||
|
Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions
|
||||||
|
(#1070)
|
||||||
|
|
||||||
|
RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
RH-MergeRequest: 12: cc_ssh.py: fix private key group owner and permissions (#1070)
|
||||||
|
RH-Commit: [1/1] b2dc9cfd18ac0a8e1e22a37b1585d22dbde11536 (eesposit/cloud-init-centos-)
|
||||||
|
RH-Bugzilla: 2015974
|
||||||
|
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||||
|
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
|
||||||
|
|
||||||
|
commit ee296ced9c0a61b1484d850b807c601bcd670ec1
|
||||||
|
Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
Date: Tue Oct 19 21:32:10 2021 +0200
|
||||||
|
|
||||||
|
cc_ssh.py: fix private key group owner and permissions (#1070)
|
||||||
|
|
||||||
|
When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
|
||||||
|
in RHEL/CentOS/Fedora, openssh it performs the following:
|
||||||
|
|
||||||
|
// create new keys
|
||||||
|
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
// sanitize permissions
|
||||||
|
/usr/bin/chgrp ssh_keys $KEY
|
||||||
|
/usr/bin/chmod 640 $KEY
|
||||||
|
/usr/bin/chmod 644 $KEY.pub
|
||||||
|
Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.
|
||||||
|
|
||||||
|
Now that we disable sshd-keygen to allow only cloud-init to create
|
||||||
|
them, we miss the "sanitize permissions" part, where we set the group
|
||||||
|
owner as ssh_keys and the private key mode to 640.
|
||||||
|
|
||||||
|
According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
|
||||||
|
to set group ownership and permissions like openssh does makes the RHEL openscap
|
||||||
|
tool generate an error.
|
||||||
|
|
||||||
|
Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com
|
||||||
|
|
||||||
|
RHBZ: 2013644
|
||||||
|
|
||||||
|
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
---
|
||||||
|
cloudinit/config/cc_ssh.py | 7 +++++++
|
||||||
|
cloudinit/util.py | 14 ++++++++++++++
|
||||||
|
2 files changed, 21 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
|
||||||
|
index 05a16dbc..4e986c55 100755
|
||||||
|
--- a/cloudinit/config/cc_ssh.py
|
||||||
|
+++ b/cloudinit/config/cc_ssh.py
|
||||||
|
@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args):
|
||||||
|
try:
|
||||||
|
out, err = subp.subp(cmd, capture=True, env=lang_c)
|
||||||
|
sys.stdout.write(util.decode_binary(out))
|
||||||
|
+
|
||||||
|
+ gid = util.get_group_id("ssh_keys")
|
||||||
|
+ if gid != -1:
|
||||||
|
+ # perform same "sanitize permissions" as sshd-keygen
|
||||||
|
+ os.chown(keyfile, -1, gid)
|
||||||
|
+ os.chmod(keyfile, 0o640)
|
||||||
|
+ os.chmod(keyfile + ".pub", 0o644)
|
||||||
|
except subp.ProcessExecutionError as e:
|
||||||
|
err = util.decode_binary(e.stderr).lower()
|
||||||
|
if (e.exit_code == 1 and
|
||||||
|
diff --git a/cloudinit/util.py b/cloudinit/util.py
|
||||||
|
index 343976ad..fe37ae89 100644
|
||||||
|
--- a/cloudinit/util.py
|
||||||
|
+++ b/cloudinit/util.py
|
||||||
|
@@ -1831,6 +1831,20 @@ def chmod(path, mode):
|
||||||
|
os.chmod(path, real_mode)
|
||||||
|
|
||||||
|
|
||||||
|
+def get_group_id(grp_name: str) -> int:
|
||||||
|
+ """
|
||||||
|
+ Returns the group id of a group name, or -1 if no group exists
|
||||||
|
+
|
||||||
|
+ @param grp_name: the name of the group
|
||||||
|
+ """
|
||||||
|
+ gid = -1
|
||||||
|
+ try:
|
||||||
|
+ gid = grp.getgrnam(grp_name).gr_gid
|
||||||
|
+ except KeyError:
|
||||||
|
+ LOG.debug("Group %s is not a valid group name", grp_name)
|
||||||
|
+ return gid
|
||||||
|
+
|
||||||
|
+
|
||||||
|
def get_permissions(path: str) -> int:
|
||||||
|
"""
|
||||||
|
Returns the octal permissions of the file/folder pointed by the path,
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
@ -0,0 +1,45 @@
|
|||||||
|
From ec9c280ad24900ad078a0f371fa8b4f5f407ee90 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
Date: Tue, 26 Oct 2021 21:52:45 +0200
|
||||||
|
Subject: [PATCH] remove unnecessary EOF string in
|
||||||
|
disable-sshd-keygen-if-cloud-init-active.conf (#1075)
|
||||||
|
|
||||||
|
RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
RH-MergeRequest: 13: remove unnecessary EOF string in disable-sshd-keygen-if-cloud-init-active.conf (#1075)
|
||||||
|
RH-Commit: [1/1] 4c01a4bb86a73df3212bb4cf0388b2df707eddc4 (eesposit/cloud-init-centos-)
|
||||||
|
RH-Bugzilla: 2016305
|
||||||
|
RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
|
||||||
|
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
|
||||||
|
|
||||||
|
commit a8380a125d40ff0ae88f2ba25a518346f2063a1a
|
||||||
|
Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
Date: Tue Oct 26 16:15:47 2021 +0200
|
||||||
|
|
||||||
|
remove unnecessary EOF string in disable-sshd-keygen-if-cloud-init-active.conf (#1075)
|
||||||
|
|
||||||
|
Running 'systemd-analyze verify cloud-init-local.service'
|
||||||
|
triggers the following warning:
|
||||||
|
|
||||||
|
disable-sshhd-keygen-if-cloud-init-active.conf:8: Missing '=', ignoring line.
|
||||||
|
|
||||||
|
The string "EOF" is probably a typo, so remove it.
|
||||||
|
|
||||||
|
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
|
||||||
|
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
---
|
||||||
|
systemd/disable-sshd-keygen-if-cloud-init-active.conf | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/systemd/disable-sshd-keygen-if-cloud-init-active.conf b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
|
||||||
|
index 71e35876..1a5d7a5a 100644
|
||||||
|
--- a/systemd/disable-sshd-keygen-if-cloud-init-active.conf
|
||||||
|
+++ b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
|
||||||
|
@@ -5,4 +5,3 @@
|
||||||
|
#
|
||||||
|
[Unit]
|
||||||
|
ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target
|
||||||
|
-EOF
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
@ -0,0 +1,86 @@
|
|||||||
|
From ce346f6057377c7bb9b89703fb8855ccf4947a61 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
Date: Wed, 8 Sep 2021 16:08:12 +0200
|
||||||
|
Subject: [PATCH] ssh_utils.py: ignore when sshd_config options are not
|
||||||
|
key/value pairs
|
||||||
|
|
||||||
|
RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
RH-MergeRequest: 10: ssh_utils.py: ignore when sshd_config options are not key/value pairs
|
||||||
|
RH-Commit: [1/1] 546081571e8b6b1415aae1a04660137070532fae (eesposit/cloud-init-centos-)
|
||||||
|
RH-Bugzilla: 2002302
|
||||||
|
RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
|
||||||
|
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||||
|
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
|
||||||
|
|
||||||
|
TESTED: by me
|
||||||
|
BREW: 39622506
|
||||||
|
|
||||||
|
commit 2ce857248162957a785af61c135ca8433fdbbcde
|
||||||
|
Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
Date: Wed Sep 8 02:08:36 2021 +0200
|
||||||
|
|
||||||
|
ssh_utils.py: ignore when sshd_config options are not key/value pairs (#1007)
|
||||||
|
|
||||||
|
As specified in #LP 1845552,
|
||||||
|
In cloudinit/ssh_util.py, in parse_ssh_config_lines(), we attempt to
|
||||||
|
parse each line of sshd_config. This function expects each line to
|
||||||
|
be one of the following forms:
|
||||||
|
|
||||||
|
\# comment
|
||||||
|
key value
|
||||||
|
key=value
|
||||||
|
|
||||||
|
However, options like DenyGroups and DenyUsers are specified to
|
||||||
|
*optionally* accepts values in sshd_config.
|
||||||
|
Cloud-init should comply to this and skip the option if a value
|
||||||
|
is not provided.
|
||||||
|
|
||||||
|
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
|
||||||
|
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
||||||
|
---
|
||||||
|
cloudinit/ssh_util.py | 8 +++++++-
|
||||||
|
tests/unittests/test_sshutil.py | 8 ++++++++
|
||||||
|
2 files changed, 15 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
|
||||||
|
index 9ccadf09..33679dcc 100644
|
||||||
|
--- a/cloudinit/ssh_util.py
|
||||||
|
+++ b/cloudinit/ssh_util.py
|
||||||
|
@@ -484,7 +484,13 @@ def parse_ssh_config_lines(lines):
|
||||||
|
try:
|
||||||
|
key, val = line.split(None, 1)
|
||||||
|
except ValueError:
|
||||||
|
- key, val = line.split('=', 1)
|
||||||
|
+ try:
|
||||||
|
+ key, val = line.split('=', 1)
|
||||||
|
+ except ValueError:
|
||||||
|
+ LOG.debug(
|
||||||
|
+ "sshd_config: option \"%s\" has no key/value pair,"
|
||||||
|
+ " skipping it", line)
|
||||||
|
+ continue
|
||||||
|
ret.append(SshdConfigLine(line, key, val))
|
||||||
|
return ret
|
||||||
|
|
||||||
|
diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py
|
||||||
|
index a66788bf..08e20050 100644
|
||||||
|
--- a/tests/unittests/test_sshutil.py
|
||||||
|
+++ b/tests/unittests/test_sshutil.py
|
||||||
|
@@ -525,6 +525,14 @@ class TestUpdateSshConfigLines(test_helpers.CiTestCase):
|
||||||
|
self.assertEqual([self.pwauth], result)
|
||||||
|
self.check_line(lines[-1], self.pwauth, "no")
|
||||||
|
|
||||||
|
+ def test_option_without_value(self):
|
||||||
|
+ """Implementation only accepts key-value pairs."""
|
||||||
|
+ extended_exlines = self.exlines.copy()
|
||||||
|
+ denyusers_opt = "DenyUsers"
|
||||||
|
+ extended_exlines.append(denyusers_opt)
|
||||||
|
+ lines = ssh_util.parse_ssh_config_lines(list(extended_exlines))
|
||||||
|
+ self.assertNotIn(denyusers_opt, str(lines))
|
||||||
|
+
|
||||||
|
def test_single_option_updated(self):
|
||||||
|
"""A single update should have change made and line updated."""
|
||||||
|
opt, val = ("UsePAM", "no")
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
Name: cloud-init
|
Name: cloud-init
|
||||||
Version: 21.1
|
Version: 21.1
|
||||||
Release: 7%{?dist}
|
Release: 12%{?dist}
|
||||||
Summary: Cloud instance init scripts
|
Summary: Cloud instance init scripts
|
||||||
License: ASL 2.0 or GPLv3
|
License: ASL 2.0 or GPLv3
|
||||||
URL: http://launchpad.net/cloud-init
|
URL: http://launchpad.net/cloud-init
|
||||||
@ -20,6 +20,16 @@ Patch6: ci-write-passwords-only-to-serial-console-lock-down-clo.patch
|
|||||||
Patch7: ci-ssh-util-allow-cloudinit-to-merge-all-ssh-keys-into-.patch
|
Patch7: ci-ssh-util-allow-cloudinit-to-merge-all-ssh-keys-into-.patch
|
||||||
# For bz#1979099 - [cloud-init]Customize ssh AuthorizedKeysFile causes login failure[RHEL-9.0]
|
# For bz#1979099 - [cloud-init]Customize ssh AuthorizedKeysFile causes login failure[RHEL-9.0]
|
||||||
Patch8: ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch
|
Patch8: ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch
|
||||||
|
# For bz#1995843 - [cloudinit] Fix home permissions modified by ssh module
|
||||||
|
Patch9: ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch
|
||||||
|
# For bz#2002302 - cloud-init fails with ValueError: need more than 1 value to unpack[rhel-9]
|
||||||
|
Patch10: ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch
|
||||||
|
# For bz#2002492 - util.py[WARNING]: Failed generating key type rsa to file /etc/ssh/ssh_host_rsa_key
|
||||||
|
Patch11: ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch
|
||||||
|
# For bz#2015974 - cloud-init fails to set host key permissions correctly
|
||||||
|
Patch12: ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch
|
||||||
|
# For bz#2016305 - disable-sshd-keygen-if-cloud-init-active.conf:8: Missing '=', ignoring line
|
||||||
|
Patch13: ci-remove-unnecessary-EOF-string-in-disable-sshd-keygen.patch
|
||||||
|
|
||||||
# Source-git patches
|
# Source-git patches
|
||||||
|
|
||||||
@ -211,12 +221,38 @@ fi
|
|||||||
%{_bindir}/cloud-id
|
%{_bindir}/cloud-id
|
||||||
%{_libexecdir}/%{name}/ds-identify
|
%{_libexecdir}/%{name}/ds-identify
|
||||||
%{_systemdgeneratordir}/cloud-init-generator
|
%{_systemdgeneratordir}/cloud-init-generator
|
||||||
|
%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
|
||||||
|
|
||||||
%dir %{_sysconfdir}/rsyslog.d
|
%dir %{_sysconfdir}/rsyslog.d
|
||||||
%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
|
%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 01 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-12
|
||||||
|
- ci-remove-unnecessary-EOF-string-in-disable-sshd-keygen.patch [bz#2016305]
|
||||||
|
- Resolves: bz#2016305
|
||||||
|
(disable-sshd-keygen-if-cloud-init-active.conf:8: Missing '=', ignoring line)
|
||||||
|
|
||||||
|
* Tue Oct 26 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-11
|
||||||
|
- ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch [bz#2015974]
|
||||||
|
- Resolves: bz#2015974
|
||||||
|
(cloud-init fails to set host key permissions correctly)
|
||||||
|
|
||||||
|
* Mon Oct 18 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-10
|
||||||
|
- ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch [bz#2002492]
|
||||||
|
- ci-add-the-drop-in-also-in-the-files-section-of-cloud-i.patch [bz#2002492]
|
||||||
|
- Resolves: bz#2002492
|
||||||
|
(util.py[WARNING]: Failed generating key type rsa to file /etc/ssh/ssh_host_rsa_key)
|
||||||
|
|
||||||
|
* Fri Sep 10 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-9
|
||||||
|
- ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch [bz#2002302]
|
||||||
|
- Resolves: bz#2002302
|
||||||
|
(cloud-init fails with ValueError: need more than 1 value to unpack[rhel-9])
|
||||||
|
|
||||||
|
* Fri Sep 03 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-8
|
||||||
|
- ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch [bz#1995843]
|
||||||
|
- Resolves: bz#1995843
|
||||||
|
([cloudinit] Fix home permissions modified by ssh module)
|
||||||
|
|
||||||
* Mon Aug 16 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-7
|
* Mon Aug 16 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-7
|
||||||
- ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch [bz#1979099]
|
- ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch [bz#1979099]
|
||||||
- ci-Report-full-specific-version-with-cloud-init-version.patch [bz#1971002]
|
- ci-Report-full-specific-version-with-cloud-init-version.patch [bz#1971002]
|
||||||
|
Loading…
Reference in New Issue
Block a user