flatcar / Flatcar

Flatcar project repository for issue tracking, project documentation, etc.
https://www.flatcar.org/
Apache License 2.0

update-ssh-keys not working to add a secondary or tertiary entry in authorized_keys for user #1554

Open bignay2000 opened 1 month ago

bignay2000 commented 1 month ago

Description

Flatcar overwrites the authorized_keys file on reboot, so 'update-ssh-keys' is required to update the existing authorized_keys file.

The update-ssh-keys program runs forever without any output to the console when running the command:

update-ssh-keys -u joeadmin -a 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZ7E5LpKNYXpfrG39mK+Qwoks+fGmidJBcPdfaZvMFZ joe.smoe@smoe.com'

Impact

Unable to add additional SSH keys to a user account's authorized_keys file that is persistent after the VM is provisioned. Without SSH keys for this admin account, we would have to share a password.

Environment and steps to reproduce

  1. New Flatcar Stable (Flatcar Container Linux by Kinvolk 3975.2.1 (Oklo))
  2. Azure VM Image: kinvolk:flatcar-container-linux:stable-gen2:latest
  3. Ignition file containing a user with an SSH key
  4. Log into the Flatcar VM.
  5. sudo -i
  6. update-ssh-keys -u joeadmin -a 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZ7E5LpKNYXpfrG39mK+Qwoks+fGmidJBcPdfaZvMFZ joe.smoe@smoe.com'

Expected behavior

update-ssh-keys should not run forever. Return an error and implement a timeout.

Additional Information

It would really be great to add a few examples in the help file - update-ssh-keys -h

bignay2000 commented 1 month ago

ignition.flatcar.bu.yaml.txt

chewi commented 1 month ago

You're not quite using it right. You're supposed to give an identifier with the -a argument, which it uses to write the key under ~/.ssh/authorized_keys.d/<NAME>. You can delete the key using this identifier later. The key itself can either be given as a subsequent file path or via stdin like this:

echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZ7E5LpKNYXpfrG39mK+Qwoks+fGmidJBcPdfaZvMFZ joe.smoe@smoe.com' > mykey
update-ssh-keys -u joeadmin -a joe.smoe ./mykey

update-ssh-keys -u joeadmin -a joe.smoe <<< 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZ7E5LpKNYXpfrG39mK+Qwoks+fGmidJBcPdfaZvMFZ joe.smoe@smoe.com'

I must admit that being unfamiliar with the tool myself, I also found this extremely confusing. I think the approach is fine, but it does need to be documented better.
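
A guard for the mistake discussed in this thread, as an added example that is not part of the thread or of Flatcar: the wrapper refuses a key passed where -a expects an identifier, checks the key file first, and runs the tool with stdin set to /dev/null so it cannot wait on the terminal. The function names, the UPDATE_SSH_KEYS override variable and the identifier character rule are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Flatcar code): guard against passing the key itself to -a.
# UPDATE_SSH_KEYS is a hypothetical override so the wrapper can be tested off-host.
UPDATE_SSH_KEYS="${UPDATE_SSH_KEYS:-update-ssh-keys}"

# Succeeds if the line has the "type base64 [comment]" shape of a public key.
# Lines that start with authorized_keys options are not handled here.
looks_like_pubkey() {
    case "$1" in
        ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*|ecdsa-sha2-*\ AAAA*|sk-*\ AAAA*) return 0 ;;
        *) return 1 ;;
    esac
}

# add_user_key USER NAME KEYFILE
# Returns 2 for a bad identifier, 3 for a bad key file, else the tool's status.
add_user_key() {
    user=$1; name=$2; keyfile=$3
    if looks_like_pubkey "$name"; then
        echo "error: -a takes an identifier; give the key as a file" >&2
        return 2
    fi
    # NAME becomes a file name under ~/.ssh/authorized_keys.d/, so this wrapper
    # (its own conservative rule) only accepts plain file-name characters.
    case "$name" in
        ''|*/*|*[!A-Za-z0-9._@-]*)
            echo "error: invalid identifier: $name" >&2
            return 2 ;;
    esac
    if [ ! -r "$keyfile" ]; then
        echo "error: cannot read key file: $keyfile" >&2
        return 3
    fi
    # Every non-empty, non-comment line must look like a public key.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! looks_like_pubkey "$line"; then
            echo "error: not a public key: $line" >&2
            return 3
        fi
    done < "$keyfile"
    # stdin is /dev/null so the tool can never sit waiting on the terminal.
    "$UPDATE_SSH_KEYS" -u "$user" -a "$name" "$keyfile" < /dev/null
}

# Script usage: sh add-key.sh joeadmin joe.smoe ./mykey
if [ "$#" -eq 3 ]; then
    add_user_key "$@"
fi
```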