doas and ssh_import_id problems
Hi folks,
I'm testing https://dl-cdn.alpinelinux.org/alpine/v3.19/releases/cloud/nocloud_alpine-3.19.0-x86_64-bios-cloudinit-r0.qcow2 on my Proxmox server (i.e. KVM virtualization). My goal (as I already do with Ubuntu 22.04 cloud images) is to use SSH keys exclusively to log into my custom user (i.e. 'hector', not the default 'alpine' one).
To do so I leverage cloud-init's ssh_import_id, however I'm facing issues with the linked Alpine cloud-init image. Reading the cloud-init documentation, I see that one must install the ssh-import-id apk package for the cloud-init ssh_import_id module to actually run. After installing the package, the cloud-init module indeed runs, but then I get a "doas: Operation not permitted" error and it fails to install my public keys from GitHub:
I tried to see what could be going on in the cloud-init logs (I had to enable password login to be able to read the logs, since the machine failed to import my SSH public keys), but I could not find the cause of the doas "Operation not permitted".
Interestingly enough, if I log into the failed cloud-init VM with user/pass for debugging and manually run "doas -u hector ssh-import-id gh:donhector", then the command is successful.
For completeness, here's what cloud-init rendered in terms of doas config:
And here's my user-data:
#cloud-config
### Locale
timezone: Europe/Madrid
locale: en_US.UTF-8
### Hostname stuff
hostname: alpine-vm
manage_etc_hosts: true
### SSH daemon hardening
ssh_pwauth: false
disable_root: true
bootcmd:
  - apk add ssh-import-id
### User configuration
users:
  - name: hector
    doas:
      - permit nopass hector
    sudo: "ALL=(ALL) NOPASSWD:ALL"
    lock_passwd: true
    groups: [wheel, adm, docker]
    ssh_import_id:
      - gh:donhector
# Package management
package_upgrade: true
package_reboot_if_required: true
packages:
  - qemu-guest-agent
  - docker
  - docker-cli-compose
  - curl
  - wget
# Ensuring services start on boot
runcmd:
  - rc-update add qemu-guest-agent default
  - rc-update add docker default
### Reboot
power_state:
  mode: reboot
  delay: now
  message: "Finished cloud init. Rebooting."
Is there anything obvious in my configuration that would cause doas not to work well with ssh_import_id?
I had also tried "permit nopass hector as root", but the same error occurred.
For comparison, the following user-data works perfectly on my Ubuntu 22.04 cloud image (https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img):
#cloud-config
### Locale
timezone: Europe/Madrid
locale: en_US.UTF-8
### Hostname stuff
hostname: ubuntu-vm
manage_etc_hosts: true
### SSH daemon hardening
ssh_pwauth: false
disable_root: true
### User configuration
users:
  - name: hector
    sudo: "ALL=(ALL) NOPASSWD:ALL"
    lock_passwd: true
    shell: /bin/bash
    groups: [adm, sudo, docker]
    ssh_import_id:
      - gh:donhector
### Package management
package_upgrade: true
package_reboot_if_required: true
packages:
  - qemu-guest-agent
runcmd:
  - systemctl enable qemu-guest-agent
  - curl -sSL 'https://get.docker.com' | sh
### Reboot
power_state:
  mode: reboot
  delay: now
  message: "Finished cloud init. Rebooting."
An interesting note is that if I "apk add ssh-import-id sudo" in bootcmd, then cloud-init's ssh_import_id uses sudo instead of doas to run the ssh-import-id command, and the keys are imported successfully.
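Added example, not code from the original post and not doas's or cloud-init's own code: a small Python model of how doas picks a rule for a given invoking user, target user and command, so the two paths in the post (a manual run from hector's shell versus cloud-init running the same command) can be compared offline. The rule text "permit nopass hector" is the one from the user-data above and "permit nopass hector as root" is the variant the post also tried; the rule "permit nopass root as hector", the premise that cloud-init invokes doas as root, and the sample group lists are assumptions, since the rendered doas config and the log excerpt are not on the page.

```python
"""Minimal emulation of doas rule matching (added example, not doas code).

Grammar modelled: permit|deny [nopass|persist|keepenv ...] identity
[as target] [cmd command]; identity is a user name or ":group".
setenv {...} and cmd arguments are not modelled.  Evaluation follows doas:
every rule is checked and the LAST matching rule decides; if no rule
matches, the request is denied.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OPTIONS = {"nopass", "persist", "keepenv"}


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    identity: str                    # user name, or ":group" for a group
    target: Optional[str] = None     # user after "as"; None = any target user
    cmd: Optional[str] = None        # command after "cmd"; None = any command
    options: List[str] = field(default_factory=list)


def parse_doas_conf(text: str) -> List[Rule]:
    """Parse the doas.conf subset described above; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {raw!r}")
        options = []
        while tokens and tokens[0] in OPTIONS:
            options.append(tokens.pop(0))
        if not tokens:
            raise ValueError(f"missing identity in {raw!r}")
        rule = Rule(action, tokens.pop(0), options=options)
        while tokens:
            keyword = tokens.pop(0)
            if keyword == "as" and tokens:
                rule.target = tokens.pop(0)
            elif keyword == "cmd" and tokens:
                rule.cmd = tokens.pop(0)
                tokens = []          # trailing "args ..." are not modelled
            else:
                raise ValueError(f"cannot parse {keyword!r} in {raw!r}")
        rules.append(rule)
    return rules


def rule_matches(rule: Rule, user: str, groups: List[str],
                 target: str, cmd: str) -> bool:
    """True if this rule applies to (invoking user, target user, command)."""
    if rule.identity.startswith(":"):
        if rule.identity[1:] not in groups:
            return False
    elif rule.identity != user:
        return False
    if rule.target is not None and rule.target != target:
        return False
    if rule.cmd is not None and rule.cmd != cmd:
        return False
    return True


def evaluate(rules: List[Rule], user: str, groups: List[str],
             target: str, cmd: str) -> Tuple[bool, Optional[Rule]]:
    """Return (permitted, deciding rule): last match wins, no match = deny."""
    last = None
    for rule in rules:
        if rule_matches(rule, user, groups, target, cmd):
            last = rule
    if last is None:
        return False, None
    return last.action == "permit", last


def permitted(conf: str, user: str, groups: List[str],
              target: str, cmd: str = "ssh-import-id") -> bool:
    return evaluate(parse_doas_conf(conf), user, groups, target, cmd)[0]


# Rule from the post's user-data, the variant the post tried, and a
# hypothetical rule for a root-invoked doas (assumption, see lead-in).
USER_DATA_RULE = "permit nopass hector\n"
AS_ROOT_RULE = "permit nopass hector as root\n"
ROOT_AS_HECTOR_RULE = "permit nopass root as hector\n"

if __name__ == "__main__":
    for name, conf in [("user-data rule", USER_DATA_RULE),
                       ("hector as root", AS_ROOT_RULE),
                       ("root as hector", ROOT_AS_HECTOR_RULE)]:
        manual = permitted(conf, "hector", ["wheel"], "hector")   # hector's shell
        cloud_init = permitted(conf, "root", ["root"], "hector")  # root -> hector
        print(f"{name:15} hector->hector: {str(manual):5} root->hector: {cloud_init}")
```

With the user-data rule, hector -> hector is permitted (the manual test, if it was run from hector's own shell) while root -> hector has no matching rule at all, and "hector as root" only narrows the target, so it does not help the root-invoked path either; a request with no permitting rule is the condition under which doas itself answers "Operation not permitted". Whether that is what happened on the VM can be checked directly, as root, with doas's config check mode, e.g. `doas -C <config cloud-init wrote> -u hector ssh-import-id gh:donhector`, which prints permit, permit nopass or deny without running anything.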