ByteInternet / hypernode-docker

Fast and easy Docker for Magento development
https://community.hypernode.io/hypernode-docker

Authorized keys are being appended endlessly #23

Closed markvds closed 4 years ago

markvds commented 5 years ago

/etc/my_init.d/50_copy_key.sh says:

#!/bin/sh
cat /root/.ssh/authorized_keys >> /data/web/.ssh/authorized_keys

Now there are two problems with that:

  1. It gets appended endlessly; on every boot another copy of root's authorized keys gets appended to the app user's authorized keys. Not a big deal, but not desirable.
  2. The real problem is that root's authorized_keys does not end in a newline, so the last line of app's authorized_keys gets longer and longer until it reaches a point (I think it's about 16k) where ssh does not accept it anymore. I reached that point last week and I could not log in using the provided private key anymore.

There are two easy solutions (and there are dozens of better solutions of course):

  1. Just copy and don't append in 50_copy_key.sh. If users want to add their own keys or want to replace the entire file, they have to change /root/.ssh/authorized_keys and not both files, as stated here.
  2. Add a newline to root's authorized_keys. The script still adds the key to app's authorized keys on every boot, but all keys are on their own line so it's no problem.

markvds commented 5 years ago

I forgot another easy solution:

  1. Don't do any key copying and just provision the app user's authorized_keys in the Dockerfile.

vdloo commented 5 years ago

Hi @markvds, we'll change it to something like cat .ssh/authorized_keys | awk '!NF || !seen[$0]++' /data/web/.ssh/authorized_keys - > /data/web/.ssh/authorized_keys, that should fix it.

vdloo commented 5 years ago

that would also fix the newline issue btw:

sh-4.4$ cat nonewline 
blablake^C
sh-4.4$ cat nonewline 
blablakey sh-4.4$ 
sh-4.4$ cat nonewline | awk '!NF || !seen[$0]++' newauthkeys - > newauthkeys
sh-4.4$ cat newauthkeys 
blablakey 
sh-4.4$ cat nonewline | awk '!NF || !seen[$0]++' newauthkeys - > newauthkeys
sh-4.4$ cat newauthkeys 
blablakey 

markvds commented 5 years ago

I was talking about easy solutions :) My awk skills are pretty bad, but this seems to work just fine!

But why would you append root's keys to app's keys? I can understand it in a live environment where you'd want to separate permissions. But in this non-persistent Hypernode Docker environment, I don't see any benefit. I would just not do anything and let the maintainer of the Dockerfile provision both.

But hey, your script doesn't hurt either, so don't waste any more precious time :)

vdloo commented 5 years ago

The new image has just been pushed:

app@5bcb85299018:~$ cat /etc/my_init.d/50_copy_key.sh
#!/bin/sh
cat /root/.ssh/authorized_keys | awk '!NF || !seen[$0]++' /data/web/.ssh/authorized_keys - > /data/web/.ssh/authorized_keys

so if you pull, everything should be alright:

$ docker pull docker.hypernode.com/byteinternet/hypernode-docker:latest

I would just not do anything and let the maintainer of the Dockerfile provision both

I think the idea here was that /data/web/ is a Hypernode-specific thing and a user of this image might not know that's the place to be (because non-Hypernode customers also use this image), so out of the box just copying the contents would make things 'just work'.
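The merge idea from vdloo's comments above (awk keeping each line the first time it is seen, so repeated boots and a missing trailing newline no longer grow the file), written out as an added boot-script example. This is not the project's own 50_copy_key.sh; the function name, the optional owner argument and the temporary-file handling are assumptions of this example. Two practical details differ from the one-liner in the thread: the output goes to a temporary file that is then renamed over the target, because a shell redirection onto a file that awk is also reading truncates that file before awk opens it, and blank lines are dropped rather than kept so that the target cannot accumulate them either.

```shell
#!/bin/sh
# Example boot-time key merge (hypothetical; not the hypernode-docker script).
#
# merge_authorized_keys SRC DST [OWNER]
#   Appends every non-empty line of SRC that is not already present in DST to
#   DST, exactly once, each line terminated by a newline. Safe to run on every
#   boot: running it again with the same SRC leaves DST unchanged.
merge_authorized_keys() {
    src="$1"
    dst="$2"
    owner="${3:-}"
    dst_dir=$(dirname "$dst")

    [ -r "$src" ] || { echo "merge_authorized_keys: cannot read $src" >&2; return 1; }

    # sshd ignores an authorized_keys file whose directory or file is writable
    # by others, so create the target with restrictive permissions up front.
    [ -d "$dst_dir" ] || mkdir -p -m 700 "$dst_dir"
    [ -f "$dst" ] || : > "$dst"

    # Build the merged file next to the target, then rename it into place.
    # Redirecting awk straight onto DST would truncate DST before awk reads
    # it, silently discarding any keys the user had added there.
    tmp=$(mktemp "$dst_dir/.authorized_keys.XXXXXX") || return 1
    # DST is read first so existing keys keep their order; a line is printed
    # the first time it is seen and blank lines are skipped. awk terminates
    # every record with a newline, so SRC may lack a trailing newline.
    awk 'NF && !seen[$0]++' "$dst" "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    [ -n "$owner" ] && chown "$owner" "$tmp"
    mv -f "$tmp" "$dst"
}

# count_keys FILE: number of non-empty lines, used to check idempotence.
count_keys() {
    awk 'NF { n++ } END { print n + 0 }' "$1"
}

# When invoked directly with two or three arguments, perform the merge, e.g.
#   sh merge_keys.sh /root/.ssh/authorized_keys /data/web/.ssh/authorized_keys app
if [ "$#" -ge 2 ]; then
    merge_authorized_keys "$@"
fi
```

Run it twice against the same source file and the target does not change; the first run adds only the keys that were missing. The `wc -l` check in a test of this function also confirms that the last key ends with a newline, which was the trigger for the ever-growing last line described in the issue.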