~chad.smith/cloud-init:feature/ssh-redirect-user

Branch merges

Propose for merging

Merged into cloud-init:master

Scott Moser: Approve on 2018-09-08

Server Team CI bot: Approve (continuous-integration) on 2018-09-08

Diff: 577 lines (+337/-23)

9 files modified

cloudinit/config/cc_ssh.py (+2/-5)
cloudinit/config/cc_users_groups.py (+39/-2)
cloudinit/config/tests/test_ssh.py (+13/-9)
cloudinit/config/tests/test_users_groups.py (+144/-0)
cloudinit/distros/__init__.py (+19/-2)
cloudinit/ssh_util.py (+6/-0)
doc/examples/cloud-config-user-groups.txt (+9/-0)
doc/examples/cloud-config.txt (+16/-3)
tests/unittests/test_distros/test_create_users.py (+89/-2)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

837e6e0... by Chad Smith on 2018-09-07

docs

95e82cc... by Chad Smith on 2018-09-07

tests: fix for py2 py3

- use assertItemsEqual to allow for unordered lists in different envs
- use regex in unit tests to catch int/class type differences in py2/3

9a12b60... by Chad Smith on 2018-09-07

pyflakes

76442cd... by Chad Smith on 2018-09-07

raise ValueErrors if ssh_authorized_keys or ssh_import_id are passed with ssh_redirect_user

d9b95e1... by Chad Smith on 2018-09-07

lints and unit tests for distro.create_user redirects

9bdf570... by Chad Smith on 2018-09-07

unittests, flakes and log warning on no default_user

c47db42... by Chad Smith on 2018-09-06

pycodestyle

95106bd... by Chad Smith on 2018-09-06

docs: rtd entries for ssh_redirect_user

27f46b9... by Chad Smith on 2018-09-06

config: disable ssh access to a configured user account

Vendor-data or user-data can now disable ssh access to a non-root user
which cloud-init creates.

The only difference is configuration now allows disabling a specific
non-root user.

When defining the 'users' list in cloud-configuration a boolean
'ssh_redirect_user: true' can be provided for any user will disable
ssh logins for that specific user. Any public-ssh-keys defined in cloud
meta-data will be added as authorized_keys which will be in a disabled
state preventing successful ssh login. Any attempts to ssh as this user
using acceptable ssh keys will be greeted with a message like the
following:

Please login as the user "ubuntu" rather than the user "cantlogin".

This behavior is equivalent to the existing disable_root config option
for non-root users.

f2dad8b... by Francis Ginther on 2018-08-30

Attempt to pass in cloud and default users ssh keys to the redirect user