** Description changed:

- cloud-init 20.4 or later will incorrectly add Azure publicKeys to
- .ssh/authorized_keys preventing ssh access for cloud-generated keys.
+ == Begin SRU Template ==
+ [Impact]
+ This release is only a single functional cherry-pick which solely affects 
Azure platform. It is a critical bug we wish to release as soon as possible
  
+   * Azure: cherry-pick 4f62ae8d: Fix regression with handling of IMDS ssh keys
+     (#760) (LP: #1910835)
+ 
+ 
+ [Test Case]
+ The following development and SRU process was followed:
+ https://wiki.ubuntu.com/CloudinitUpdates
+ 
+ The cloud-init team will be in charge of attaching the artifacts and
+ console output of the appropriate run to the bug.  cloud-init team
+ members will not mark ‘verification-done’ until this has happened.
+ 
+ * Automated Test Results
+ <TODO: attach automated cloud-init-proposed test artifacts from tests for 
each release with lxd artifacts>
+ <TODO: attach automated cloud-init-proposed test artifacts from tests for 
each release with kvm artifacts>
+ <TODO: attach automated curtin vmtest with cloud-init proposed>
+ <TODO: attach Solutions Testing team test results for each LTS>
+ 
+ * Manual Test Results
+ <TODO: attach manual cloud-init-proposed test artifacts from tests for each 
release on ec2 datasource>
+ <TODO: attach manual cloud-init-proposed test artifacts from tests for each 
release on gce datasource>
+ <TODO: attach manual cloud-init-proposed test artifacts from tests for each 
release on azure datasource>
+ 
+ [Regression Potential]
+ In order to mitigate the regression potential, the results of the
+ aforementioned integration tests are attached to this bug.
+ 
+ [Discussion]
+ This should only affect public Azure VM launched which use Azure to 
--generate-ssh-keys either from the dashboard or from the `az cli`
+ 
+ 
+ Any other cloud-platform is not affected by this change.
+ 
+ 
+ == End SRU Template ==
+ 
+   * cherry-pick 4f62ae8d: Fix regression with handling of IMDS ssh keys
+     (#760) (LP: #1910835)
+ 
+ 
+ == Original Description ==
+ 
+ 
+ cloud-init 20.4 or later will incorrectly add Azure publicKeys to 
.ssh/authorized_keys preventing ssh access for cloud-generated keys.
  
  To reproduce: launch an ubuntu VM from the portal.azure.com  choosing to
  generate new ssh key.
  
  When the instance is launched you can see that the ssh-rsa content
  provided in the metadata publicKeys value  contains CRLF characters
  (\r\n) thus splitting the content of the pubkey onto multiple lines when
  it is rendered into .ssh/authorized_keys.
  
- 
- the solution is either for IMDS to stop adding the CRLF characters or 
cloud-init to strip them out.
- 
+ the solution is either for IMDS to stop adding the CRLF characters or
+ cloud-init to strip them out.
  
  Here is the IMDS value provided to cloud-init
  
  cloud-init query --format '{{ds.meta_data.imds.compute.publicKeys}}'
  
  [{'keyData': 'ssh-rsa
  
AAAAB3NzaC1yc2EAAAADAQABAAABgQCllNnyHXFWlMb9EKD9LZrOxt1d\r\nk/QxYwQ0HYEP8n6TUWoUsN3mv/Qk/qWH76Pa6f33hefzTFRiom7Ls/tJMcr/ki8R\r\n9FqyYOu0xxHmpXTUWFoZQCZtGRMtvDl/s76Wr1sCsE/ez+EcAPeGGm/B7jHtDAUW\r\nlkINfuPVBDfRtSfmnlCKS+sIf1XOqvRASGWi05zAW921T4OkiattyXyhaOimJOwq\r\n4jAXmydwtNCN2iGGKWS8YeXbtgveReqZVVKtcDKevgWdNyqZa69uq9tRujobjCh7\r\n6xxCkQcdCLospgqX79GBbdRys6mVxVgc349RIWjQwglRQpJwNzkeOG5Q+La2MEhu\r\niKqKJMvYVhil3khzMuZwzmTrGbRx0E8AS+Cm064RBgbcdjCW8dDYGLuk2eQ2v9Ht\r\n6eERfxMBNg3udv1jmiKpjjHIg99HDU4VqhL3aHmg+TSrxByd0cAgFBV+H0CiUVC9\r\nS2mLJ6Peu/HDwd88E8Wqiv3eAsjcaCRH3QiQVaU=
  generated-by-azure\r\n', 'path': '/home/ubuntu/.ssh/authorized_keys'}]
  
- 
- cloud-init  renders this directly to .ssh/authorized_keys without processing 
the string, resulting in an invalid keyline:
+ cloud-init  renders this directly to .ssh/authorized_keys without
+ processing the string, resulting in an invalid keyline:
  
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCllNnyHXFWlMb9EKD9LZrOxt1d 
k/QxYwQ0HYEP8n6TUWoUsN3mv/Qk/qWH76Pa6f33hefzTFRiom7Ls/tJMcr/ki8R^M
  9FqyYOu0xxHmpXTUWFoZQCZtGRMtvDl/s76Wr1sCsE/ez+EcAPeGGm/B7jHtDAUW^M
  lkINfuPVBDfRtSfmnlCKS+sIf1XOqvRASGWi05zAW921T4OkiattyXyhaOimJOwq^M
  4jAXmydwtNCN2iGGKWS8YeXbtgveReqZVVKtcDKevgWdNyqZa69uq9tRujobjCh7^M
  6xxCkQcdCLospgqX79GBbdRys6mVxVgc349RIWjQwglRQpJwNzkeOG5Q+La2MEhu^M
  iKqKJMvYVhil3khzMuZwzmTrGbRx0E8AS+Cm064RBgbcdjCW8dDYGLuk2eQ2v9Ht^M
  6eERfxMBNg3udv1jmiKpjjHIg99HDU4VqhL3aHmg+TSrxByd0cAgFBV+H0CiUVC9^M
  S2mLJ6Peu/HDwd88E8Wqiv3eAsjcaCRH3QiQVaU= generated-by-azure
- 
  
  this prevents ssh from actually reading the right key from azure:
  
  $ ssh-keygen -lf /home/ubuntu/.ssh/authorized_keys
  
  If we strip the CRLF (^M) characters and reparse with ssh-keygenm we see
  the proper key registered:
  
  $ ssh-keygen -lf /home/ubuntu/.ssh/authorized_keys
  3072 SHA256:PQ9EKxTKONJKFC2N56UpL6+Oc/cujfA9HpsF5VW2QDI generated-by-azure 
(RSA)
  
- 
  If cloud-init (or IMDS) were to strip those \r\n characters from each
  line ssh
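Review bot: The added [Test Case] section still consists entirely of `<TODO: attach ...>` placeholders, and the added [Regression Potential] text only points at those unattached results, so the template does not yet say what could regress or how the fix was verified. Suggest stating the concrete risk for Azure VMs that use generated keys and making the check the description already uses (`ssh-keygen -lf /home/ubuntu/.ssh/authorized_keys` printing a fingerprint) the explicit pass criterion. The cherry-pick entry is also added twice, once under [Impact] and once after "== End SRU Template ==". In the unchanged original description, the first `ssh-keygen -lf` call is shown without its output, "ssh-keygenm" is a typo, and the last sentence stops at "line ssh"; these are worth fixing while the description is being edited.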

** Description changed:

  == Begin SRU Template ==
  [Impact]
  This release is only a single functional cherry-pick which solely affects 
Azure platform. It is a critical bug we wish to release as soon as possible
  
-   * Azure: cherry-pick 4f62ae8d: Fix regression with handling of IMDS ssh keys
-     (#760) (LP: #1910835)
+   * Azure: cherry-pick 4f62ae8d: Fix regression with handling of IMDS ssh keys
+     (#760) (LP: #1910835)
+ 
+ The functional changeset here introduces a raise KeyError exception
+ which forces cloud-init to revert to previous released logic of the
+ previous cloud-init public release 20.3.
  
  
  [Test Case]
  The following development and SRU process was followed:
  https://wiki.ubuntu.com/CloudinitUpdates
  
  The cloud-init team will be in charge of attaching the artifacts and
  console output of the appropriate run to the bug.  cloud-init team
  members will not mark ‘verification-done’ until this has happened.
  
  * Automated Test Results
  <TODO: attach automated cloud-init-proposed test artifacts from tests for 
each release with lxd artifacts>
  <TODO: attach automated cloud-init-proposed test artifacts from tests for 
each release with kvm artifacts>
  <TODO: attach automated curtin vmtest with cloud-init proposed>
  <TODO: attach Solutions Testing team test results for each LTS>
  
  * Manual Test Results
  <TODO: attach manual cloud-init-proposed test artifacts from tests for each 
release on ec2 datasource>
  <TODO: attach manual cloud-init-proposed test artifacts from tests for each 
release on gce datasource>
  <TODO: attach manual cloud-init-proposed test artifacts from tests for each 
release on azure datasource>
  
  [Regression Potential]
  In order to mitigate the regression potential, the results of the
  aforementioned integration tests are attached to this bug.
  
  [Discussion]
  This should only affect public Azure VM launched which use Azure to 
--generate-ssh-keys either from the dashboard or from the `az cli`
  
- 
  Any other cloud-platform is not affected by this change.
- 
  
  == End SRU Template ==
  
-   * cherry-pick 4f62ae8d: Fix regression with handling of IMDS ssh keys
-     (#760) (LP: #1910835)
- 
+   * cherry-pick 4f62ae8d: Fix regression with handling of IMDS ssh keys
+     (#760) (LP: #1910835)
  
  == Original Description ==
  
- 
- cloud-init 20.4 or later will incorrectly add Azure publicKeys to 
.ssh/authorized_keys preventing ssh access for cloud-generated keys.
+ cloud-init 20.4 or later will incorrectly add Azure publicKeys to
+ .ssh/authorized_keys preventing ssh access for cloud-generated keys.
  
  To reproduce: launch an ubuntu VM from the portal.azure.com  choosing to
  generate new ssh key.
  
  When the instance is launched you can see that the ssh-rsa content
  provided in the metadata publicKeys value  contains CRLF characters
  (\r\n) thus splitting the content of the pubkey onto multiple lines when
  it is rendered into .ssh/authorized_keys.
  
  the solution is either for IMDS to stop adding the CRLF characters or
  cloud-init to strip them out.
  
  Here is the IMDS value provided to cloud-init
  
  cloud-init query --format '{{ds.meta_data.imds.compute.publicKeys}}'
  
  [{'keyData': 'ssh-rsa
  
AAAAB3NzaC1yc2EAAAADAQABAAABgQCllNnyHXFWlMb9EKD9LZrOxt1d\r\nk/QxYwQ0HYEP8n6TUWoUsN3mv/Qk/qWH76Pa6f33hefzTFRiom7Ls/tJMcr/ki8R\r\n9FqyYOu0xxHmpXTUWFoZQCZtGRMtvDl/s76Wr1sCsE/ez+EcAPeGGm/B7jHtDAUW\r\nlkINfuPVBDfRtSfmnlCKS+sIf1XOqvRASGWi05zAW921T4OkiattyXyhaOimJOwq\r\n4jAXmydwtNCN2iGGKWS8YeXbtgveReqZVVKtcDKevgWdNyqZa69uq9tRujobjCh7\r\n6xxCkQcdCLospgqX79GBbdRys6mVxVgc349RIWjQwglRQpJwNzkeOG5Q+La2MEhu\r\niKqKJMvYVhil3khzMuZwzmTrGbRx0E8AS+Cm064RBgbcdjCW8dDYGLuk2eQ2v9Ht\r\n6eERfxMBNg3udv1jmiKpjjHIg99HDU4VqhL3aHmg+TSrxByd0cAgFBV+H0CiUVC9\r\nS2mLJ6Peu/HDwd88E8Wqiv3eAsjcaCRH3QiQVaU=
  generated-by-azure\r\n', 'path': '/home/ubuntu/.ssh/authorized_keys'}]
  
  cloud-init  renders this directly to .ssh/authorized_keys without
  processing the string, resulting in an invalid keyline:
  
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCllNnyHXFWlMb9EKD9LZrOxt1d 
k/QxYwQ0HYEP8n6TUWoUsN3mv/Qk/qWH76Pa6f33hefzTFRiom7Ls/tJMcr/ki8R^M
  9FqyYOu0xxHmpXTUWFoZQCZtGRMtvDl/s76Wr1sCsE/ez+EcAPeGGm/B7jHtDAUW^M
  lkINfuPVBDfRtSfmnlCKS+sIf1XOqvRASGWi05zAW921T4OkiattyXyhaOimJOwq^M
  4jAXmydwtNCN2iGGKWS8YeXbtgveReqZVVKtcDKevgWdNyqZa69uq9tRujobjCh7^M
  6xxCkQcdCLospgqX79GBbdRys6mVxVgc349RIWjQwglRQpJwNzkeOG5Q+La2MEhu^M
  iKqKJMvYVhil3khzMuZwzmTrGbRx0E8AS+Cm064RBgbcdjCW8dDYGLuk2eQ2v9Ht^M
  6eERfxMBNg3udv1jmiKpjjHIg99HDU4VqhL3aHmg+TSrxByd0cAgFBV+H0CiUVC9^M
  S2mLJ6Peu/HDwd88E8Wqiv3eAsjcaCRH3QiQVaU= generated-by-azure
  
  this prevents ssh from actually reading the right key from azure:
  
  $ ssh-keygen -lf /home/ubuntu/.ssh/authorized_keys
  
  If we strip the CRLF (^M) characters and reparse with ssh-keygenm we see
  the proper key registered:
  
  $ ssh-keygen -lf /home/ubuntu/.ssh/authorized_keys
  3072 SHA256:PQ9EKxTKONJKFC2N56UpL6+Oc/cujfA9HpsF5VW2QDI generated-by-azure 
(RSA)
  
  If cloud-init (or IMDS) were to strip those \r\n characters from each
  line ssh
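Review bot: The paragraph added under [Impact] says the changeset "introduces a raise KeyError exception" that makes cloud-init revert to the 20.3 logic, but it does not say where the exception is raised or which key source the 20.3 logic reads instead of the IMDS publicKeys value. Suggest naming that fallback source and stating that it yields a single-line key, since the original description identifies the embedded \r\n in keyData as the cause of the invalid authorized_keys entry. [Regression Potential] is unchanged by this edit and still does not describe the risk of taking the fallback path on every Azure boot, and the `<TODO: attach ...>` entries under [Test Case] remain unfilled.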

https://bugs.launchpad.net/bugs/1910835

Title:
  Azure IMDS publicKeys contain \r\n which prevents ssh access to vms
  using cloud-generated ssh keys.
