cloud-init

when multiple SSH host key certificates are defined, only one HostCertificate is referenced in sshd_config

Bug #1999164 reported by Robert Jacobson on 2022-12-08

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	cloud-init	Fix Released	High	Alberto Contreras

Bug Description

I'm not using a cloud provider; I'm installing Ubuntu 20.04 using autoinstall and the bug is triggered during cloud-init with user-data ( cloud-init 22.4.2-0ubuntu0~20.04.1 )

I defined 3 types of SSH host keys and certs in user-data. All 3 keys and certs ended up in /etc/ssh/, but in sshd_config, there is only one HostCertificate line for the RSA key.

user-data excerpt:

#cloud-config
autoinstall:
  version: 1
[...]
  user-data:
    timezone: UTC
    disable_root: false
    ssh_deletekeys: false
    ssh_genkeytypes: [rsa, ecdsa, ed25519]
    ssh_keys:
      rsa_private: |
        [REDACTED]
      rsa_public: |
        [REDACTED]
      rsa_certificate: |
        [REDACTED]
      ecdsa_private: |
        [REDACTED]
      ecdsa_public: |
        [REDACTED]
      ecdsa_certificate: |
        [REDACTED]
      ed25519_private: |
        [REDACTED]
      ed25519_public: |
        [REDACTED]
      ed25519_certificate: |
        [REDACTED]

Result:
in /etc/sshd/sshd_config, only one cert line: HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

Revision history for this message

Robert Jacobson (teridon) wrote on 2022-12-08:

#1

cloud-init.tar.gz Edit (4.0 MiB, application/x-tar)

Revision history for this message

Robert Jacobson (teridon) wrote on 2022-12-08:

#2

apport.cloud-init.jd53drg7.apport Edit (4.1 MiB, text/plain)

Revision history for this message

James Falcon (falcojr) wrote on 2022-12-08:

#3

Reproduced on LXD using the cloud-config (minus the autoinstall). Triaging as high since it's ssh-related.

Changed in cloud-init:
status:	New → Confirmed
importance:	Undecided → High

Revision history for this message

Alberto Contreras (aciba) wrote on 2023-02-07:

#4

Tracking it in SC-1425.

Revision history for this message

Alberto Contreras (aciba) wrote on 2023-02-15:

#5

PR addressing this: https://github.com/canonical/cloud-init/pull/2018

Changed in cloud-init:
assignee:	nobody → Alberto Contreras (aciba)
status:	Confirmed → In Progress

Alberto Contreras (aciba) on 2023-02-16

Changed in cloud-init:
status:	In Progress → Fix Committed

Revision history for this message

Alberto Contreras (aciba) wrote on 2023-02-22: Fixed in cloud-init version 23.1.

#6

This bug is believed to be fixed in cloud-init in version 23.1. If this is still a problem for you, please make a comment and set the state back to New

Thank you.

Changed in cloud-init:
status:	Fix Committed → Fix Released

Revision history for this message

James Falcon (falcojr) wrote on 2023-05-12:

#7

Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/4053

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

auto-github-canonical-cloud-init #4053
[closed launchpad priority] Edit

Bug watches keep track of this bug in other bug trackers.