scylladb / scylla-ami


SSH host keys not deleted? #31

Closed devwout closed 5 years ago

devwout commented 6 years ago

After creating an instance with the scylla ami-f588ee8f, the contents of /etc/ssh includes the following:

-rw-r-----   1 root ssh_keys    227 Sep 28  2016 ssh_host_ecdsa_key
-rw-r--r--   1 root root        162 Sep 28  2016 ssh_host_ecdsa_key.pub
-rw-r-----   1 root ssh_keys    387 Sep 28  2016 ssh_host_ed25519_key
-rw-r--r--   1 root root         82 Sep 28  2016 ssh_host_ed25519_key.pub
-rw-r-----   1 root ssh_keys   1679 Sep 28  2016 ssh_host_rsa_key
-rw-r--r--   1 root root        382 Sep 28  2016 ssh_host_rsa_key.pub

These files are the same on all instances, which is not secure. The scylla_install_ami script should probably delete these?

tzach commented 6 years ago

@syuu1228 can you please take a look?

syuu1228 commented 6 years ago

@devwout @tzach cloud-init should initialize it by default. If it isn't initialized, then the cloud-init setting is incorrect or something. Will take a look.

devwout commented 6 years ago

In /etc/cloud/cloud.cfg, it seems explicitly disabled with ssh_deletekeys: 0.

devwout commented 6 years ago

I don't see which CentOS cloud image serves as a basis for this AMI, but it seems the ssh_deletekeys: 0 setting originates there. Unless I'm missing something, this is problematic.

As a workaround, this line could be removed in the scylla_install_ami script, which already rewrites cloud.cfg anyway, removing the mounts module. It may as well remove lines matching ssh_deletekeys: and fall back to the (safe) cloud-init default.

It may be worth basing the AMI on a saner base image or reporting this upstream. Maybe they had a reason to do this?
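The workaround proposed in the comment above, sketched as an image-build step. This is an added example, not part of the thread and not code from scylla_install_ami: the function names are hypothetical, the paths are passed as parameters, and the sample cloud.cfg and key files are constructed in a throwaway directory.

```shell
#!/bin/sh
# Added example: names and sample data are constructed, not from scylla_install_ami.

# Succeeds if cloud.cfg explicitly disables host-key deletion (0/false/no/off).
ssh_deletekeys_disabled() {
    grep -Eiq '^[[:space:]]*ssh_deletekeys:[[:space:]]*(0|false|no|off)[[:space:]]*(#.*)?$' "$1"
}

# Remove every ssh_deletekeys: line so cloud-init falls back to its default.
# Writes back through the original file to keep its owner and mode.
strip_ssh_deletekeys() {
    cfg=$1
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when it outputs nothing; only a status above 1 is an error.
    grep -Ev '^[[:space:]]*ssh_deletekeys:' "$cfg" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Delete host keys baked into the image; print how many files were removed.
purge_host_keys() {
    count=0
    for f in "$1"/ssh_host_*key*; do
        [ -e "$f" ] || continue
        rm -f -- "$f" && count=$((count + 1))
    done
    echo "$count"
}

# Demo on a temp directory standing in for the image's /etc (constructed data).
run_demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/cloud" "$root/ssh"
    printf 'users:\n - default\nssh_deletekeys: 0\ndisable_root: 1\n' > "$root/cloud/cloud.cfg"
    for t in ecdsa ed25519 rsa; do
        : > "$root/ssh/ssh_host_${t}_key"; : > "$root/ssh/ssh_host_${t}_key.pub"
    done
    : > "$root/ssh/sshd_config"
    if ssh_deletekeys_disabled "$root/cloud/cloud.cfg"; then
        strip_ssh_deletekeys "$root/cloud/cloud.cfg"
    fi
    echo "removed $(purge_host_keys "$root/ssh") baked-in key files"
    rm -rf "$root"
}
run_demo
```

Removing the baked-in keys at build time covers the case the thread describes even if the setting is reintroduced by the base image, since an image with no host keys cannot ship shared ones.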

tzach commented 5 years ago

Closing, a patch was merged long ago.