diff --git a/SOURCES/ci-DataSourceAzure-update-password-for-defuser-if-exist.patch b/SOURCES/ci-DataSourceAzure-update-password-for-defuser-if-exist.patch
new file mode 100644
index 0000000..7a9f478
--- /dev/null
+++ b/SOURCES/ci-DataSourceAzure-update-password-for-defuser-if-exist.patch
@@ -0,0 +1,60 @@ +From bcbd6be99d8317793aff905c4222c351a1bf5c46 Mon Sep 17 00:00:00 2001 +From: Eduardo Otubo +Date: Thu, 21 Jan 2021 10:08:49 +0100 +Subject: [PATCH 1/2] DataSourceAzure: update password for defuser if exists + (#671) + +RH-Author: Eduardo Terrell Ferrari Otubo (eterrell) +RH-MergeRequest: 37: DataSourceAzure: update password for defuser if exists (#671) +RH-Commit: [1/1] 264092a68a3771cc4ed99dad5b93f7a1433e143a (eterrell/cloud-init) +RH-Bugzilla: 1900892 + +commit eea754492f074e00b601cf77aa278e3623857c5a +Author: Anh Vo +Date: Thu Nov 19 00:35:46 2020 -0500 + + DataSourceAzure: update password for defuser if exists (#671) + + cc_set_password will only update the password for the default user if + cfg['password'] is set. The existing code of datasource Azure will fail + to update the default user's password because it does not set that + metadata. If the default user doesn't exist in the image, the current + code works fine because the password is set during user create and + not in cc_set_password + +Signed-off-by: Eduardo Otubo +--- + cloudinit/sources/DataSourceAzure.py | 2 +- + tests/unittests/test_datasource/test_azure.py | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py +index 1c214db9..d4a2d60f 100755 +--- a/cloudinit/sources/DataSourceAzure.py ++++ b/cloudinit/sources/DataSourceAzure.py +@@ -1231,7 +1231,7 @@ def read_azure_ovf(contents): + if password: + defuser['lock_passwd'] = False + if DEF_PASSWD_REDACTION != password: +- defuser['passwd'] = encrypt_pass(password) ++ defuser['passwd'] = cfg['password'] = encrypt_pass(password) + + if defuser: + cfg['system_info'] = {'default_user': defuser} +diff --git a/tests/unittests/test_datasource/test_azure.py b/tests/unittests/test_datasource/test_azure.py +index 47e03bd1..2059990a 100644 +--- a/tests/unittests/test_datasource/test_azure.py ++++ b/tests/unittests/test_datasource/test_azure.py +@@ 
-919,6 +919,9 @@ scbus-1 on xpt0 bus 0 + crypt.crypt(odata['UserPassword'], + defuser['passwd'][0:pos])) + ++ # the same hashed value should also be present in cfg['password'] ++ self.assertEqual(defuser['passwd'], dsrc.cfg['password']) ++ + def test_user_not_locked_if_password_redacted(self): + odata = {'HostName': "myhost", 'UserName': "myuser", + 'UserPassword': dsaz.DEF_PASSWD_REDACTION} +-- +2.18.4 + diff --git a/SOURCES/ci-Revert-ssh_util-handle-non-default-AuthorizedKeysFil.patch b/SOURCES/ci-Revert-ssh_util-handle-non-default-AuthorizedKeysFil.patch new file mode 100644 index 0000000..a7f4117 --- /dev/null +++ b/SOURCES/ci-Revert-ssh_util-handle-non-default-AuthorizedKeysFil.patch 
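Review bot: The new line `defuser['passwd'] = cfg['password'] = encrypt_pass(password)` copies the crypt() hash into the top-level `cfg['password']` key that cc_set_password consumes, but nothing on the line records that this key must only ever hold the hash and never the OVF plaintext, and whether cc_set_password treats the value as pre-hashed rather than re-hashing or passing it through is not visible in this hunk and should be confirmed. I would put a why-comment above the assignment: `# cc_set_password updates an already-existing default user only via cfg['password']; keep this the hash, never the plaintext, as cfg may be logged or persisted`. The added test pins equality with `defuser['passwd']`, which is good; an extra `self.assertNotEqual(odata['UserPassword'], dsrc.cfg['password'])` would make the hash-only intent explicit. read_azure_ovf starts before this hunk.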
@@ -0,0 +1,80 @@ +From 4dde2a9bed58aba13c730bf4a7314b21038d7a31 Mon Sep 17 00:00:00 2001 +From: Eduardo Otubo +Date: Mon, 25 Jan 2021 16:24:29 +0100 +Subject: [PATCH 2/2] Revert "ssh_util: handle non-default AuthorizedKeysFile + config (#586)" (#775) + +RH-Author: Eduardo Terrell Ferrari Otubo (eterrell) +RH-MergeRequest: 38: Revert "ssh_util: handle non-default AuthorizedKeysFile config (#586)" (#775) +RH-Commit: [1/1] aec2860c773ad1921f3949dc622543e81860c5bf (eterrell/cloud-init) +RH-Bugzilla: 1919972 + +commit cdc5b81f33aee0ed3ef1ae239e5cec1906d0178a +Author: Daniel Watkins +Date: Tue Jan 19 12:23:23 2021 -0500 + + Revert "ssh_util: handle non-default AuthorizedKeysFile config (#586)" (#775) + + This reverts commit b0e73814db4027dba0b7dc0282e295b7f653325c. + +Signed-off-by: Eduardo Otubo +--- + cloudinit/ssh_util.py | 6 +++--- + tests/unittests/test_sshutil.py | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py +index d5113996..c08042d6 100644 +--- a/cloudinit/ssh_util.py ++++ b/cloudinit/ssh_util.py +@@ -262,13 +262,13 @@ def extract_authorized_keys(username, sshd_cfg_file=DEF_SSHD_CFG): + + except (IOError, OSError): + # Give up and use a default key filename +- auth_key_fns.append(default_authorizedkeys_file) ++ auth_key_fns[0] = default_authorizedkeys_file + util.logexc(LOG, "Failed extracting 'AuthorizedKeysFile' in SSH " + "config from %r, using 'AuthorizedKeysFile' file " + "%r instead", DEF_SSHD_CFG, auth_key_fns[0]) + +- # always store all the keys in the first file configured on sshd_config +- return (auth_key_fns[0], parse_authorized_keys(auth_key_fns)) ++ # always store all the keys in the user's private file ++ return (default_authorizedkeys_file, parse_authorized_keys(auth_key_fns)) + + + def setup_user_keys(keys, username, options=None): +diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py +index 88a111e3..fd1d1bac 100644 +--- 
a/tests/unittests/test_sshutil.py ++++ b/tests/unittests/test_sshutil.py +@@ -593,7 +593,7 @@ class TestMultipleSshAuthorizedKeysFile(test_helpers.CiTestCase): + fpw.pw_name, sshd_config) + content = ssh_util.update_authorized_keys(auth_key_entries, []) + +- self.assertEqual(authorized_keys, auth_key_fn) ++ self.assertEqual("%s/.ssh/authorized_keys" % fpw.pw_dir, auth_key_fn) + self.assertTrue(VALID_CONTENT['rsa'] in content) + self.assertTrue(VALID_CONTENT['dsa'] in content) + +@@ -610,7 +610,7 @@ class TestMultipleSshAuthorizedKeysFile(test_helpers.CiTestCase): + sshd_config = self.tmp_path('sshd_config') + util.write_file( + sshd_config, +- "AuthorizedKeysFile %s %s" % (user_keys, authorized_keys) ++ "AuthorizedKeysFile %s %s" % (authorized_keys, user_keys) + ) + + (auth_key_fn, auth_key_entries) = ssh_util.extract_authorized_keys( +@@ -618,7 +618,7 @@ class TestMultipleSshAuthorizedKeysFile(test_helpers.CiTestCase): + ) + content = ssh_util.update_authorized_keys(auth_key_entries, []) + +- self.assertEqual(user_keys, auth_key_fn) ++ self.assertEqual("%s/.ssh/authorized_keys" % fpw.pw_dir, auth_key_fn) + self.assertTrue(VALID_CONTENT['rsa'] in content) + self.assertTrue(VALID_CONTENT['dsa'] in content) + +-- +2.18.4 + diff --git a/SPECS/cloud-init.spec b/SPECS/cloud-init.spec index d41b445..c476bcc 100644 --- a/SPECS/cloud-init.spec +++ b/SPECS/cloud-init.spec @@ -6,7 +6,7 @@ Name: cloud-init Version: 20.3 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Cloud instance init scripts Group: System Environment/Base 
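Review bot: The restored `auth_key_fns[0] = default_authorizedkeys_file` in the `except (IOError, OSError)` branch only works if the list already has an element when sshd_config cannot be read; its initialisation is above the hunk, so confirm it is seeded with `default_authorizedkeys_file`, otherwise an unreadable sshd_config raises IndexError instead of the fallback the log message promises. The restored comment `# always store all the keys in the user's private file` should state the security reason the return path is forced, e.g. `# Always write to the per-user file: the first AuthorizedKeysFile entry may be a path shared by all users, which would expose one user's keys to others (bz#1919972)`. Note that `parse_authorized_keys(auth_key_fns)` still reads every configured path, so entries from a shared file get merged into the user's private file — presumably intended, but worth saying. extract_authorized_keys begins before this hunk.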
@@ -34,6 +34,10 @@ Patch12: ci-Fix-unit-failure-of-cloud-final.service-if-NetworkMa.patch Patch13: ci-ssh_util-handle-non-default-AuthorizedKeysFile-confi.patch # For bz#1859695 - [Cloud-init] DHCPv6 assigned address is not added to VM's interface Patch14: ci-Missing-IPV6_AUTOCONF-no-to-render-sysconfig-dhcp6-s.patch +# For bz#1900892 - [Azure] Update existing user password RHEL8x +Patch15: ci-DataSourceAzure-update-password-for-defuser-if-exist.patch +# For bz#1919972 - [RHEL-8.4] ssh keys can be shared across users giving potential root access +Patch16: ci-Revert-ssh_util-handle-non-default-AuthorizedKeysFil.patch BuildArch: noarch @@ -225,6 +229,14 @@ fi %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf %changelog +* Tue Jan 26 2021 Miroslav Rezanina - 20.3-9.el8 +- ci-DataSourceAzure-update-password-for-defuser-if-exist.patch [bz#1900892] +- ci-Revert-ssh_util-handle-non-default-AuthorizedKeysFil.patch [bz#1919972] +- Resolves: bz#1900892 + ([Azure] Update existing user password RHEL8x) +- Resolves: bz#1919972 + ([RHEL-8.4] ssh keys can be shared across users giving potential root access) + * Thu Jan 21 2021 Miroslav Rezanina - 20.3-8.el8 - ci-Missing-IPV6_AUTOCONF-no-to-render-sysconfig-dhcp6-s.patch [bz#1859695] - Resolves: bz#1859695