VMAccess: Add Azure Linux / Mariner support to sshd_config reset #2174
Open
jonathanbrenes wants to merge 1 commit into
…g_filename

As preparation for the release of Azure Linux 4.0, this patch adds support for Azure Linux and CBL-Mariner to the VMAccess extension's sshd_config reset functionality.

When 'az vm user reset-ssh' is triggered on Azure Linux (or CBL-Mariner), _get_default_ssh_config_filename() falls through to the generic 'default' resource file because NAME="Azure Linux" does not match any of the existing distro regexes (centos, debian, fedora, red hat, suse, ubuntu).

The 'default' resource file is a Debian/Ubuntu-era sshd_config that causes the following problems on Azure Linux:
- SFTP broken: wrong Subsystem path (/usr/lib/openssh/sftp-server instead of /usr/libexec/openssh/sftp-server)
- Multiple deprecated directive warnings from sshd -t
- Unable to load host key: /etc/ssh/ssh_host_dsa_key (DSA removed)
- Include /etc/ssh/sshd_config.d/*.conf directive dropped, causing all sshd_config.d snippets (cloud-init, Azure) to be silently lost
- PasswordAuthentication explicitly set to yes
- PermitRootLogin uses old 'without-password' syntax

Changes:
1. Add 'azure\s?linux|mariner' regex to _get_default_ssh_config_filename() returning 'azurelinux_default'. This matches:
   - Azure Linux: NAME="Azure Linux"
   - CBL-Mariner: NAME="Common Base Linux Mariner"
2. Add resources/azurelinux_default: stock Azure Linux sshd_config. Clean config with no deprecated directives, correct SFTP path, and Include directive preserved.

Tested on an Azure Linux VM:
- sshd -t: 0 errors (vs 6 with 'default')
- SFTP Subsystem: /usr/libexec/openssh/sftp-server (correct)
- Include /etc/ssh/sshd_config.d/*.conf: preserved
- sshd restart: clean
Problem
As preparation for the release of Azure Linux 4.0, this patch adds support for Azure Linux and CBL-Mariner to the VMAccess extension's sshd_config reset functionality.
When `az vm user reset-ssh` is triggered on Azure Linux (or CBL-Mariner), `_get_default_ssh_config_filename()` falls through to the generic `default` resource file because `NAME="Azure Linux"` does not match any of the existing distro regexes (centos, debian, fedora, red hat, suse, ubuntu).
The `default` resource file is a Debian/Ubuntu-era sshd_config that causes the following problems on Azure Linux:
- `/usr/lib/openssh/sftp-server` instead of `/usr/libexec/openssh/sftp-server`)
- `/etc/ssh/ssh_host_dsa_key` (DSA removed)
- `Include /etc/ssh/sshd_config.d/*.conf` removed, causing all drop-in config snippets (cloud-init, Azure) to be silently lost
- `without-password` syntax
Fix
Added `azure\s?linux|mariner` regex to `_get_default_ssh_config_filename()` returning `azurelinux_default`. This matches:
- `NAME="Azure Linux"`
- `NAME="Common Base Linux Mariner"`
Added `VMAccess/resources/azurelinux_default`: stock Azure Linux sshd_config with no deprecated directives, correct SFTP path, and Include directive preserved.
Testing
Tested on an Azure Linux VM:
- `/usr/lib/openssh/sftp-server` (wrong)
- `/usr/libexec/openssh/sftp-server` (correct)
Files Changed
- `VMAccess/vmaccess.py` — added Azure Linux / Mariner match in `_get_default_ssh_config_filename()`
- `VMAccess/resources/azurelinux_default` — new sshd_config template for Azure Linux
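The sshd_config problems listed in this pull request can be checked mechanically before a reset template ships. The following Python audit is an added example, not part of the pull request or the VMAccess code; the function names, finding ids and both sample configs are constructed for illustration.

```python
import re

AZL_SFTP = "/usr/libexec/openssh/sftp-server"  # correct path per the PR description

def parse_directives(text):
    """Return (keyword, argument) pairs; keywords lowercased, comments skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs

def audit_sshd_template(text, sftp_path=AZL_SFTP):
    """Return sorted finding ids (hypothetical names) for the listed problems."""
    directives = parse_directives(text)
    findings = set()
    first = {}  # sshd uses the first value it obtains for a keyword
    for key, val in directives:
        first.setdefault(key, val)
        tokens = val.split()
        if key == "hostkey" and val.endswith("ssh_host_dsa_key"):
            findings.add("dsa-hostkey")
        if key == "subsystem" and len(tokens) >= 2 and tokens[0] == "sftp":
            if tokens[1] not in (sftp_path, "internal-sftp"):
                findings.add("sftp-path")
    # Without the Include line, drop-ins under sshd_config.d are never read.
    if not any(k == "include" and "sshd_config.d" in v for k, v in directives):
        findings.add("include-dropped")
    if first.get("passwordauthentication", "").lower() == "yes":
        findings.add("password-auth-yes")
    if first.get("permitrootlogin", "").lower() == "without-password":
        findings.add("permitrootlogin-old-syntax")
    return sorted(findings)

# Constructed samples: NOT the real 'default' or 'azurelinux_default' resource files.
LEGACY_SAMPLE = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin without-password
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""
AZL_SAMPLE = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin prohibit-password
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

if __name__ == "__main__":
    print(audit_sshd_template(LEGACY_SAMPLE))
    print(audit_sshd_template(AZL_SAMPLE))
```

The audit inspects the template text only; it does not resolve files pulled in by `Include`, so `sshd -t` on the target VM remains the authoritative check.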