Unknown number of Alpine installations vulnerable due to admin-accepted injected keys
Out-of-hand situation
The root problem seems to originate from the fact that Alpine is a popular server OS yet has no proper support for headless installs. As a result, many "headless server setup guides" are floating around, and they seem to converge on a GitHub repository which has become popular and is even referenced from the Alpine wiki.
https://github.com/macmpi/alpine-linux-headless-bootstrap
Strictly speaking, the problematic key injection isn't part of any official Alpine package. However, if the problem surfaces it will easily be attributed to Alpine anyway. It may thus make sense to "fix" the problem by releasing a proper "headless install" option with the official installation images. (It might even be based on including the good parts of said repository, possibly even allowing existing headless pre-configuration files to keep working with newer official installation images, if those features are really safe and make sense.)
Problem details
The referenced repository distributes a small headless.apkovl.tar.gz. It provides some additional convenience functionality and, upon booting, sets up a temporary SSH server for root login without password; however, that server is configured with a static, pre-shared key pair (the "not-really-secret" private key plus its public key) that ships with the package.
In the process, the (administrator) users typically accept this "not-really-secret"+public key pair for their own server in the SSH client on their local computer while intending to install Alpine, usually without even knowing that these keys came with the package and are not at all specific to their own server.
Even if a proper installation of SSH follows and generates new keys, the "not-really-secret"+public keys have already been accepted on the computer from which the install was conducted. The connection from the admin to the server is therefore trivial to compromise with a man-in-the-middle attack that presents the already-accepted "not-really-secret"+public key pair.
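As an added example (not code from this report or from the referenced repository): a Python scan of an OpenSSH known_hosts file for the trace described above, namely one host key trusted for more than one server. The sample entries and key material are constructed, and the known_bad set stands in for whatever fingerprint an admin identifies for the bootstrap key.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def ed25519_blob_b64(raw32: bytes) -> str:
    """Wrap 32 raw bytes as an OpenSSH ssh-ed25519 public key blob (constructed keys)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return base64.b64encode(blob).decode()

# Constructed sample (fake key material): alpine-a and alpine-b share the bootstrap key.
BOOTSTRAP_KEY = ed25519_blob_b64(bytes(range(32)))
OWN_KEY = ed25519_blob_b64(bytes(range(100, 132)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"alpine-a,10.0.0.11 ssh-ed25519 {BOOTSTRAP_KEY}",
    f"alpine-b ssh-ed25519 {BOOTSTRAP_KEY}",
    f"alpine-c ssh-ed25519 {OWN_KEY}",
    f"@revoked old.example ssh-ed25519 {OWN_KEY}",
])

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key_b64) for plain trusted lines; comments and
    @revoked/@cert-authority lines are skipped, hashed |1|.. host fields stay verbatim."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        yield parts[0], parts[1], parts[2]

def find_shared_keys(text: str, known_bad=frozenset()) -> dict:
    """Map fingerprint -> host fields for keys trusted for more than one entry (the
    trace an accepted shared key leaves) or whose fingerprint is listed in known_bad."""
    by_key = defaultdict(list)
    for host_field, key_type, key_b64 in parse_known_hosts(text):
        by_key[(key_type, key_b64)].append(host_field)
    return {fp: hosts for (_, key_b64), hosts in by_key.items()
            if (fp := fingerprint(key_b64)) in known_bad or len(hosts) > 1}

def removal_commands(flagged: dict) -> list:
    """One `ssh-keygen -R <host>` per affected name/address (hashed fields can't be named);
    reconnect afterwards and check the server's real fingerprint out of band."""
    return [f"ssh-keygen -R {h}" for hosts in flagged.values()
            for hf in hosts for h in hf.split(",") if not h.startswith("|")]
```

Run it against ~/.ssh/known_hosts on the machine the install was conducted from; any key reported for several hosts is worth removing and re-verifying.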