
to all the Cloud-init experts:

Recently, I've been trying to play around with cloud-init's capabilities for user account creation and management.

I wanted to forbid root ssh login and to create another sudo user that needs no password for sudo.

I do get the desired result, but I do not know how it is implemented.

Sample config.cfg:

users:
   - name: root
#     lock_passwd: false
   - default
   - name: user_name
     gecos: Non-root User
     primary_group: nr_user
     groups: nr_user,sudo,wheel
     lock_passwd: false
     passwd: $6$rounds=4096$e0Ju.HuWxqWs....JeEzX/XGGave2jhi1
     sudo: ["ALL=(ALL) NOPASSWD:ALL"]

disable_root: true
disable_root_opts: no-port-forwarding,no-agent-forwarding,no-X11-forwarding

I would typically restrict root ssh login through /etc/ssh/sshd_config, changing PermitRootLogin yes to PermitRootLogin no. I would typically add a line like this: user_name ALL=(ALL) NOPASSWD:ALL to /etc/sudoers if I want to have a sudoer that does not need to enter a password every time.

But I see no changes like this.

On top of that, the very custom message that root ssh is disabled and another user should be used makes me wonder how it is achieved. Does cloud-init spin up a module that monitors user activity and applies the settings on the fly?

gai-jin

1 Answer

SSH Custom Message

The SSH custom message is written to /root/.ssh/authorized_keys. On an Ubuntu system, it should contain something like

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142"

followed by the default user's authorized key.

This is accomplished via the SSH module. See the documentation and source here and here.

Sudo

cloud-init automatically creates a sudo: ["ALL=(ALL) NOPASSWD:ALL"] for the default user. Any user sudo definition gets written to /etc/sudoers.d/90-cloud-init-users. For your cloud-config, it should look something like

# Created by cloud-init v. 21.4 on Mon, 13 Dec 2021 14:37:19 +0000

# User rules for user_name
user_name ALL=(ALL) NOPASSWD:ALL

# User rules for ubuntu
ubuntu ALL=(ALL) NOPASSWD:ALL

You can see the (templated) definition for the default user here.

falcojr
  • Thanks a lot! I am not big on Python; can you confirm that this `cc_set_passwords` module messes with `ssh` keys and that this is how root ssh login is disabled? – gai-jin Dec 13 '21 at 15:17
  • It's the `cc_ssh` module, and it is with the line that I pasted. The `command="echo...; exit 142"` part runs that command when you try to connect and kicks you out. The `cc_set_passwords` and the ssh keys or their locations aren't relevant. – falcojr Dec 13 '21 at 15:33
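To make the mechanism from the answer concrete, here is an added example (constructed for this page, not cloud-init's own code) that builds the root authorized_keys entry for the question's disable_root settings and checks whether a given entry is restricted by a forced command. Function names are hypothetical and the key is a placeholder.

```python
"""Constructed example, not cloud-init's own code: builds the root
authorized_keys entry the answer quotes and checks such an entry on a host.
Function names are hypothetical; the public key is a placeholder."""

DISABLE_ROOT_OPTS = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding"

def root_authorized_keys_line(default_user, pubkey, opts=DISABLE_ROOT_OPTS):
    """Entry written to /root/.ssh/authorized_keys for disable_root: true.
    The key stays valid; command= replaces the shell with a message, a 10 s
    pause and exit status 142, so sshd_config is left untouched."""
    cmd = (f"command=\"echo 'Please login as the user \\\"{default_user}\\\" "
           f"rather than the user \\\"root\\\".';echo;sleep 10;exit 142\"")
    return f"{opts},{cmd} {pubkey}"

def authorized_key_options(line):
    """Split the options field of an authorized_keys line on commas, honouring
    double quotes and backslash escapes so command="..." stays one option."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and i + 1 < len(line):
            cur += line[i:i + 2]; i += 2; continue   # keep \" escapes intact
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(cur); cur = ""; i += 1; continue
        elif ch.isspace() and not quoted:
            break                                      # key type follows
        cur += ch
        i += 1
    return opts + [cur] if cur else opts

def root_key_is_restricted(line):
    """Defender check: True when a root authorized_keys entry carries a forced
    command, i.e. the key cannot yield a shell whatever PermitRootLogin says."""
    line = line.strip()
    if not line or line.startswith("#"):
        return False
    fields = authorized_key_options(line)
    if fields[0].startswith(("ssh-", "ecdsa-", "sk-")):  # key type first: no options
        return False
    return any(o.startswith("command=") for o in fields)

if __name__ == "__main__":
    # Constructed placeholder key, not real key material.
    entry = root_authorized_keys_line("ubuntu", "ssh-ed25519 AAAAC3PLACEHOLDER")
    print(entry)
    print("restricted:", root_key_is_restricted(entry))
    print("restricted:", root_key_is_restricted("ssh-ed25519 AAAAC3PLACEHOLDER"))
```

Running `root_key_is_restricted` over each line of /root/.ssh/authorized_keys on a booted instance is a quick way to confirm that disable_root took effect even though PermitRootLogin was never changed.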