cloud-init

cloud.cfg.tmpl should not include "ssh_deletekeys: 0"

Bug #1781094 reported by Doran Moppert
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cloud-init
Fix Released
Medium
Unassigned

Bug Description

It seems that cloud-init inherited from Fedora the inclusion of "ssh_deletekeys: 0" in cloud.cfg.tmpl (commit 41d46bfb85). This is risky in orchestration environments where an instance might be used as a master or template, and cloned from without other tools removing SSH host keys. We believe that line should be removed from cloud.cfg.tmpl to reduce the risk of it being used in such environments.

CVE-2018-10896 has been assigned [1]. On the Fedora bug [2] we are looking into history.

1: https://access.redhat.com/security/cve/cve-2018-10896
2: https://bugzilla.redhat.com/show_bug.cgi?id=1598832

Related branches

~chad.smith/cloud-init:ubuntu/devel
Scott Moser: Approve
Server Team CI bot: Approve (continuous-integration)
Diff: 799 lines (+496/-39)
14 files modified
bash_completion/cloud-init (+5/-2)
cloudinit/cmd/devel/net_convert.py (+23/-12)
cloudinit/cmd/devel/parser.py (+13/-7)
cloudinit/net/eni.py (+9/-2)
cloudinit/net/netplan.py (+4/-0)
cloudinit/sources/DataSourceOpenNebula.py (+1/-1)
config/cloud.cfg.tmpl (+0/-2)
debian/changelog (+14/-0)
doc/rtd/topics/debugging.rst (+1/-1)
tests/unittests/test_cli.py (+1/-2)
tests/unittests/test_datasource/test_opennebula.py (+406/-2)
tests/unittests/test_net.py (+6/-0)
tools/Z99-cloud-locale-test.sh (+8/-5)
tools/Z99-cloudinit-warnings.sh (+5/-3)
~smoser/cloud-init:fix/1781094-ssh-deletekeys
Ryan Harper: Approve
Server Team CI bot: Approve (continuous-integration)
Diff: 13 lines (+0/-2)
1 file modified
config/cloud.cfg.tmpl (+0/-2)
Revision history for this message
Scott Moser (smoser) wrote :

I'll fix the upstream config/cloud.cfg.tmpl to not include 'ssh_deletekeys: 0'.
Is there anything else expected there?

FWIW, this is from cloud-init commit:
 https://git.launchpad.net/cloud-init/commit/?id=7fc73a8d55857

which references that it came from fedora packaging commit
 87f33190f43d2b26cced4597e7298835024466c2
https://src.fedoraproject.org/cgit/rpms/cloud-init.git/commit/?id=87f33190f43d2b26cced4597e7298835024466c2

Changed in cloud-init:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Scott Moser (smoser) wrote :

related bug https://bugzilla.redhat.com/show_bug.cgi?id=1598831

summary: - cloud.cfg.tmp should not include "ssh_deletekeys: 0"
+ cloud.cfg.tmpl should not include "ssh_deletekeys: 0"
Revision history for this message
Scott Moser (smoser) wrote :

Hi Doran,
I've proposed a merge to fix this at
 https://code.launchpad.net/~smoser/cloud-init/+git/cloud-init/+merge/349359

Please review and test.

Revision history for this message
Server Team CI bot (server-team-bot) wrote :

This bug is fixed with commit e218c597 to cloud-init on branch master.
To view that commit see the following URL:
https://git.launchpad.net/cloud-init/commit/?id=e218c597

Changed in cloud-init:
status: Triaged → Fix Committed
Revision history for this message
Scott Moser (smoser) wrote : Fixed in cloud-init version 18.4.

This bug is believed to be fixed in cloud-init in version 18.4. If this is still a problem for you, please make a comment and set the state back to New

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released
Revision history for this message
James Falcon (falcojr) wrote :

Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/3209

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.