| === cpaelzer_ is now known as cpaelzer | ||
| === jrm2 is now known as jrm | ||
| meena | https://bugs.launchpad.net/cloud-init/+bug/1853470 i think this can be closed | 15:17 |
|---|---|---|
| -ubottu:#cloud-init- Launchpad bug 1853470 in cloud-init "parse_timestamp_from_date requires GNU coreutils' date" [Undecided, Triaged] | 15:17 | |
| Mazorius | Hi, I use cloud-init to generate my host-key provided by Terraform. I have an issue that the access rights getting changed from 0644 to 0600. Is this intended or a bug? | 18:24 |
| meena | Mazorius: how are you writing this file? | 18:58 |
| Mazorius | @mee | 19:00 |
| Mazorius | meena I setting it up via the cloud.init sshd module: | 19:01 |
| Mazorius | disable_root: true | 19:01 |
| Mazorius | ssh_deletekeys: true | 19:02 |
| Mazorius | ssh_genkeytypes: [] | 19:02 |
| Mazorius | ssh_keys: | 19:02 |
| Mazorius | ed25519_private: | | 19:02 |
| Mazorius | ${indent(4, host_key.private_key_openssh)} | 19:02 |
| Mazorius | ed25519_public: ${host_key.public_key_openssh} | 19:02 |
| Mazorius | it is a Terraform template | 19:02 |
| meena | private key. | 19:04 |
| meena | private key, 0644. sounds very wrong | 19:04 |
| waldi | Mazorius: please be more specific. what are you seeing and why do you think it is not correct? | 19:06 |
| minimal | Mazorius: why are you creating a host key in Terraform? cloud-init can create that itself. Normally a host private key should be created on-device and never leave the device | 19:09 |
| Mazorius | minimal for a git remote installation you need to provide a fixed host key and can not simply use always a new generated. So that is not possible in this case. | 19:10 |
| Mazorius | waldi the git server is not able to read the Host-key as it is only readable by root (0600) when I change it to (0644) which is ne normal case everything works as expected. | 19:11 |
| waldi | Mazorius: the host key is supposed to be not readable | 19:12 |
| Mazorius | meena for a private key you are completely right. Sorry. It is only about the public key | 19:12 |
| waldi | sorry, but this is a xy-problem, not a cloud-init problem | 19:12 |
| minimal | generally speaking a host's SSH private key should only be readable by the SSH server | 19:13 |
| Mazorius | of course but not the public key and this is also 0600 instead of 0644 which would be correct. | 19:13 |
| Mazorius | Sorry for the mistake with the private key.;) | 19:13 |
| waldi | well, it is because the cloud-init is told to do that: | 19:17 |
| waldi | f"{k}_private": (KEY_FILE_TPL % k, 0o600), | 19:17 |
| waldi | f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600), | 19:17 |
| waldi | nothing wrong with that, nothing apart sshd needs to read even the public key | 19:17 |
| minimal | Mazorius: what software on your host needs access to the host public key? | 19:19 |
| Mazorius | minimal GitLab | 19:26 |
| Mazorius | so it is intended and is not possible to be changed in anyway? waldi | 19:26 |
| minimal | as a workaround you could use a "runcmd:" entry to change the permissions | 19:29 |
| Mazorius | I did that but want to be sure if this is the only solution. Thanks all of you. | 19:31 |
| minimal | not being familiar with Gitlab installation I still do not see why a specific priv/pub host key set have to be provided rather than using an autogenerated set | 19:31 |
| minimal | Mazorius: well it may well make sense to change cc_ssh.py to use 644 rather than 600 for the *public* host key, the way to (potentially) change that would be for someone to submit a PR | 19:33 |
| minimal | actually looking on a cloud-init configured VM here I see the public host key *IS* -rw-r--r-- | 19:35 |
| waldi | minimal: you did not supply the key, but let cloud-init generate it? | 19:38 |
| minimal | yes that's cloud-init generated | 19:38 |
| waldi | that's the difference | 19:38 |
| minimal | ok, I still understand why Mazorius cannot use a c-i generated key during his gitlab installation - no info has been provided as to why that won't work | 19:39 |
| minimal | waldi: ah, here's where it is set for autogenerated public key: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L282 | 19:42 |
| meena | Mazorius: what group does Gitlab run under? you can change the group, and give the group read access to the key: 0640 | 19:44 |
| waldi | meena: no, he can't, as cloud-init sets the permission to 0600 | 19:45 |
| minimal | but if he uses the autogenerated public key then every user on the system has read access to it...... | 19:46 |
| meena | or use install / chmod + chgrp in runcmd | 19:49 |
| Mazorius | meena it runs by default under the gitlab_rails group which is generated by the package installation | 20:03 |
| meena | Mazorius: which runs well after cloud-init? does it have a fixed GID? | 20:05 |
| Mazorius | interesting is that cloud-init seems to generate a pub key if provided with 0600: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L190 | 20:07 |
| Mazorius | but if not provided and simply generate it by itself with 0644: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L282 | 20:07 |
| Mazorius | And the private key with 0600 if provided and if not 0640 … so it somehow inconsistent in cloud-init or I am wrong? | 20:07 |
| Mazorius | Do not know that inside of the omnibus installation meena | 20:08 |
| minimal | we already discussed this difference in permissions | 20:08 |
| Mazorius | were was this discussed? As all tools I know use 0600 for private and 0644 for public: | 20:11 |
| Mazorius | e.g.: https://www.tenable.com/audits/items/CIS_Google_Container_Optimized_OS_v1.0.0_L1_Server.audit:7f016cd406100a1ee2ad94834111f005 | 20:11 |
| Mazorius | https://www.tenable.com/audits/items/CIS_Google_Container_Optimized_OS_v1.0.0_L1_Server.audit:6225b8224fbd4f360ebdc72c56f3eae9 | 20:11 |
| minimal | Mazorius: 30 minutes ago here when I said: | 20:12 |
| minimal | > "waldi: ah, here's where it is set for autogenerated public key: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L282" | 20:12 |
| Mazorius | ah you mean this:) If it is only changing this line I can of course create a PR for that. | 20:13 |
| minimal | and also 40 mins ago when I said: | 20:14 |
| minimal | "Mazorius: well it may well make sense to change cc_ssh.py to use 644 rather than 600 for the *public* host key, the way to (potentially) change that would be for someone to submit a PR" | 20:14 |
| Mazorius | minimal the PR: https://github.com/canonical/cloud-init/pull/1971 | 20:34 |
| -ubottu:#cloud-init- Pull 1971 in canonical/cloud-init "Fix permission of SSH host keys" [Open] | 20:34 | |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!