Authorized keys are being appended endlessly
Closed this issue · 5 comments
/etc/my_init.d/50_copy_key.sh
says:
#!/bin/sh
cat /root/.ssh/authorized_keys >> /data/web/.ssh/authorized_keys
Now there are two problems with that:
- It gets appended endlessly; on every boot another copy of root's authorized keys gets appended to the
app
user's authorized keys. Not a big deal, but not desirable. - The real problem is that root's
authorized_keys
does not end in a newline, so the last line of app'sauthorized_keys
gets longer and longer until it reaches a point (I think it's about 16k) where ssh does not accept it anymore. I reached that point last week and I could not log in using the provided private key anymore.
There are two easy solutions (and there are dozens of better solutions of course):
- Just copy and don't append in
50_copy_key.sh
. If users want to add their own keys or want to replace the entire file, they have to change/root/.ssh/authorized_keys
and not both files, like stated here. - Add a newline to root's
authorized_keys
. The script still adds the key to app's authorized keys on every boot, but all keys are on their own line so it's no problem.
I forgot another easy solution:
3. Don't do any key copying and just provision the app
user's authorized_keys
in the Dockerfile.
Hi @markvds, we'll change it to something like cat .ssh/authorized_keys | awk '!NF || !seen[$0]++' /data/web/.ssh/authorized_keys - > /data/web/.ssh/authorized_keys
, that should fix it
that would also fix the newline issue btw:
sh-4.4$ cat nonewline
blablake^C
sh-4.4$ cat nonewline
blablakey sh-4.4$
sh-4.4$ cat nonewline | awk '!NF || !seen[$0]++' newauthkeys - > newauthkeys
sh-4.4$ cat newauthkeys
blablakey
sh-4.4$ cat nonewline | awk '!NF || !seen[$0]++' newauthkeys - > newauthkeys
sh-4.4$ cat newauthkeys
blablakey
I was talking about easy solutions :) My awk
skills are pretty bad but this seems to do just well!
But why would you append root's keys to app's keys? I can understand it in a live environment where you'd want to separate permissions. But in this non persistent Hypernode Docker environment, I don't see any benefit. I would just don't do anything and let the maintainer of the Dockerfile provision both.
But hey, your script doesn't hurt either, so don't waste any more precious time :)
The new image has just been pushed:
app@5bcb85299018:~$ cat /etc/my_init.d/50_copy_key.sh
#!/bin/sh
cat /root/.ssh/authorized_keys | awk '!NF || !seen[$0]++' /data/web/.ssh/authorized_keys - > /data/web/.ssh/authorized_keys
so if you pull everything should be alright:
$ docker pull docker.hypernode.com/byteinternet/hypernode-docker:latest
I would just don't do anything and let the maintainer of the Dockerfile provision both
I think the idea here was that /data/web/
is a Hypernode specific thing and a user of this image might not know that's the place to be (because also non-Hypernode customers use this image), so out of the box just copying the contents would make things 'just work'.