[15:17] <meena> https://bugs.launchpad.net/cloud-init/+bug/1853470 i think this can be closed
[15:17] -ubottu:#cloud-init- Launchpad bug 1853470 in cloud-init "parse_timestamp_from_date requires GNU coreutils' date" [Undecided, Triaged]
[18:24] <Mazorius> Hi, I use cloud-init to generate my host key provided by Terraform. I have an issue that the access rights are getting changed from 0644 to 0600. Is this intended or a bug?
[18:58] <meena> Mazorius: how are you writing this file?
[19:00] <Mazorius> @mee
[19:01] <Mazorius> meena I'm setting it up via the cloud-init sshd module:
[19:01] <Mazorius> disable_root: true
[19:02] <Mazorius> ssh_deletekeys: true
[19:02] <Mazorius> ssh_genkeytypes: []
[19:02] <Mazorius> ssh_keys:
[19:02] <Mazorius>   ed25519_private: |
[19:02] <Mazorius>     ${indent(4, host_key.private_key_openssh)}
[19:02] <Mazorius>   ed25519_public: ${host_key.public_key_openssh}
[19:02] <Mazorius> it is a Terraform template
[19:04] <meena> private key.
[19:04] <meena> private key, 0644. sounds very wrong
[19:06] <waldi> Mazorius: please be more specific. what are you seeing and why do you think it is not correct?
[19:09] <minimal> Mazorius: why are you creating a host key in Terraform? cloud-init can create that itself. Normally a host private key should be created on-device and never leave the device
[19:10] <Mazorius> minimal for a git remote installation you need to provide a fixed host key and cannot simply always use a newly generated one. So that is not possible in this case.
[19:11] <Mazorius> waldi the git server is not able to read the host key as it is only readable by root (0600); when I change it to 0644, which is the normal case, everything works as expected.
[19:12] <waldi> Mazorius: the host key is supposed to be not readable
[19:12] <Mazorius> meena for a private key you are completely right. Sorry. It is only about the public key
[19:12] <waldi> sorry, but this is a xy-problem, not a cloud-init problem
[19:13] <minimal> generally speaking a host's SSH private key should only be readable by the SSH server
[19:13] <Mazorius> of course but not the public key and this is also 0600 instead of 0644 which would be correct.
[19:13] <Mazorius> Sorry for the mistake with the private key.;)
[19:17] <waldi> well, it is because the cloud-init is told to do that:
[19:17] <waldi>             f"{k}_private": (KEY_FILE_TPL % k, 0o600),
[19:17] <waldi>             f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600),
[19:17] <waldi> nothing wrong with that, nothing apart from sshd needs to read even the public key
[19:19] <minimal> Mazorius: what software on your host needs access to the host public key?
[19:26] <Mazorius> minimal GitLab
[19:26] <Mazorius> so it is intended and is not possible to be changed in anyway? waldi
[19:29] <minimal> as a workaround you could use a "runcmd:" entry to change the permissions
[19:31] <Mazorius> I did that but want to be sure if this is the only solution. Thanks all of you.
[19:31] <minimal> not being familiar with Gitlab installation I still do not see why a specific priv/pub host key set has to be provided rather than using an autogenerated set
[19:33] <minimal> Mazorius: well it may well make sense to change cc_ssh.py to use 644 rather than 600 for the *public* host key, the way to (potentially) change that would be for someone to submit a PR
[19:35] <minimal> actually looking on a cloud-init configured VM here I see the public host key *IS* -rw-r--r--
[19:38] <waldi> minimal: you did not supply the key, but let cloud-init generate it?
[19:38] <minimal> yes that's cloud-init generated
[19:38] <waldi> that's the difference
[19:39] <minimal> ok, I still understand why Mazorius cannot use a c-i generated key during his gitlab installation - no info has been provided as to why that won't work
[19:42] <minimal> waldi: ah, here's where it is set for autogenerated public key: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L282
[19:44] <meena> Mazorius: what group does Gitlab run under? you can change the group, and give the group read access to the key: 0640
[19:45] <waldi> meena: no, he can't, as cloud-init sets the permission to 0600
[19:46] <minimal> but if he uses the autogenerated public key then every user on the system has read access to it......
[19:49] <meena> or use install / chmod + chgrp in runcmd
[20:03] <Mazorius> meena it runs by default under the gitlab_rails group which is generated by the package installation
[20:05] <meena> Mazorius: which runs well after cloud-init? does it have a fixed GID?
[20:07] <Mazorius> interesting is that cloud-init seems to generate a pub key if provided with 0600: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L190
[20:07] <Mazorius> but if not provided and simply generate it by itself with 0644: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L282
[20:07] <Mazorius> And the private key with 0600 if provided and if not 0640 … so it is somehow inconsistent in cloud-init or I am wrong?
[20:08] <Mazorius> Do not know that inside of the omnibus installation meena
[20:08] <minimal> we already discussed this difference in permissions
[20:11] <Mazorius> where was this discussed? As all tools I know use 0600 for private and 0644 for public:
[20:11] <Mazorius> e.g.: https://www.tenable.com/audits/items/CIS_Google_Container_Optimized_OS_v1.0.0_L1_Server.audit:7f016cd406100a1ee2ad94834111f005
[20:11] <Mazorius> https://www.tenable.com/audits/items/CIS_Google_Container_Optimized_OS_v1.0.0_L1_Server.audit:6225b8224fbd4f360ebdc72c56f3eae9
[20:12] <minimal> Mazorius: 30 minutes ago here when I said:
[20:12] <minimal> > "waldi: ah, here's where it is set for autogenerated public key: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L282"
[20:13] <Mazorius> ah you mean this:)  If it is only changing this line I can of course create a PR for that.
[20:14] <minimal> and also 40 mins ago when I said:
[20:14] <minimal> "Mazorius: well it may well make sense to change cc_ssh.py to use 644 rather than 600 for the *public* host key, the way to (potentially) change that would be for someone to submit a PR"
[20:34] <Mazorius> minimal the PR: https://github.com/canonical/cloud-init/pull/1971
[20:34] -ubottu:#cloud-init- Pull 1971 in canonical/cloud-init "Fix permission of SSH host keys" [Open]