Yubikey ssh public key not added to authorized_keys

Bug #1877869 reported by Gergely Imreh
This bug affects 2 people
Affects: cloud-init
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

I have an ssh key generated for Yubikey, with "ssh-keygen -t ecdsa-sk ..." which results in an ssh public key of "<email address hidden> ...."

When I add that key to "ssh_authorized_keys", it doesn't get added to the authorized_keys file, even though other, regular "ssh-rsa" keys are added. For example this config:

#cloud-config
ssh_authorized_keys:
  - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2qSqrC6lsKqpY6fKF2LDxET/DuCJcKGTFnpFHPWj0yqVsvqooUIDKXCgEXx0rOJaqUpnnXWfij0/Yr4l8GxmJGr9hpkG+MXhwYehDvbZHrP5C/MPyyOCqjPlr3d4touBAhCTNJapFSHYnoQfguuGbZDS8Nfvu6JYS0ODvbgp8z5BnZVVFW4J7ms2QQwHIyvc5kk6sUvlL1xqRu+2mLz4vPxTqGPPLDdfbSOapCI5i4yZxLziIWSOdPBUlAnFRV4ONKT7m3/pT2wUkObprCKZAMH+bL52GYxOToUXm6EaFUGR+ptiMWbQXHIxiZfxtinp6LfZouRJz9/+vKQoTBPXJ"
  - "<email address hidden> AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBIofALjMlvK/KmwHVhzqIV4HTylBjos4xQqRE+GKQqe1a/LOKTGluhneCq3WE5L9578ZLQENWPrqIoUWjg/XcxAAAAAEc3NoOg=="

results in only the "ssh-rsa" key being added (I've also tried specifying them in a different order, with the same outcome).

Tested on Ubuntu 20.04, on AWS.

Tags: bitesize
Gergely Imreh (imrehg) wrote :
description: updated
Paride Legovini (paride) wrote :

Thanks Gergely for reporting this bug. It seems that the U2F key formats are not yet covered in ssh_util.py. The key formats are defined in [1] and we probably want to add all of:

  <email address hidden>
  <email address hidden>
  <email address hidden>
  <email address hidden>

[1] https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f

Changed in cloud-init:
status: New → Triaged
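
The failure mode discussed in this report, as an added example (not cloud-init's code and not part of any comment here): a parser that keeps only entries whose key type is on a fixed list drops FIDO/U2F keys without raising an error. The two `sk-` names are the non-certificate key types from PROTOCOL.u2f; `LEGACY_TYPES`, `make_blob`, `audit` and the sample lines are constructed for illustration, and `REPORT_BLOB_PREFIX` is the first 52 base64 characters of the second key in the report.

```python
import base64
import struct

# Constructed "before" allow-list: no FIDO/U2F key types.
LEGACY_TYPES = {"ssh-rsa", "ssh-ed25519"}
# Non-certificate key types defined in OpenSSH's PROTOCOL.u2f.
SK_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
}
# First 52 base64 characters of the second key quoted in the report.
REPORT_BLOB_PREFIX = "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20A"


def make_blob(keytype):
    """Build a placeholder blob (constructed, not a usable key)."""
    raw = struct.pack(">I", len(keytype)) + keytype.encode() + b"\x00" * 8
    return base64.b64encode(raw).decode()


def embedded_key_type(blob_b64):
    """Read the key type stored as the blob's first length-prefixed string."""
    raw = base64.b64decode(blob_b64)
    if len(raw) < 4:
        raise ValueError("blob too short for a length prefix")
    (n,) = struct.unpack(">I", raw[:4])
    if n == 0 or 4 + n > len(raw):
        raise ValueError("bad length prefix")
    return raw[4:4 + n].decode("ascii")


def audit(lines, known_types):
    """Return (kept, dropped) key types for 'type blob [comment]' entries."""
    kept, dropped = [], []
    for line in lines:
        declared, blob = line.split()[:2]
        if declared != embedded_key_type(blob):
            raise ValueError("declared type does not match blob: " + declared)
        (kept if declared in known_types else dropped).append(declared)
    return kept, dropped


# Constructed sample entries: one RSA placeholder, one FIDO/U2F entry.
SAMPLE = [
    "ssh-rsa " + make_blob("ssh-rsa") + " admin@example",
    "sk-ecdsa-sha2-nistp256@openssh.com " + REPORT_BLOB_PREFIX + " yubikey",
]

if __name__ == "__main__":
    print("legacy list :", audit(SAMPLE, LEGACY_TYPES))
    print("with sk-*   :", audit(SAMPLE, LEGACY_TYPES | SK_TYPES))
```

Running an audit like this over a user-data file before launch shows which entries a given key type list would leave out of authorized_keys.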
Dan Watkins (oddbloke)
tags: added: bitesize
Dan Watkins (oddbloke) wrote :
Changed in cloud-init:
status: Triaged → In Progress
James Falcon (falcojr) wrote : Fixed in cloud-init version 20.3.

This bug is believed to be fixed in cloud-init in version 20.3. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: In Progress → Fix Released