Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

New python3 google-accounts-daemon removes ssh key from ubuntu user

See original GitHub issue

Since using a base image with the new python3 version of the google-accounts-daemon I’m observing a behavioral change to the old one:

We’re building our own images on top of the official ubuntu xenial ones (currently ubuntu-1604-xenial-v20170303). During our images build we throw a public key into the ubuntu user’s authorized_keys file which should act as sort of a fallback and still give us access, should the google accounts daemon ever go wild and delete all our other users. All other login users are configured through project metadata.

Since the use of the new google-accounts-daemon the ubuntu user authorized_keys files gets deleted. I’m able to stably reconstruct the situation by building an image with the google-account-daemon disabled, logging in with the mentioned fallback key and starting it by hand:

root@test-base1604-node1:~# stat /home/ubuntu/.ssh/authorized_keys 
  File: '/home/ubuntu/.ssh/authorized_keys'
  Size: 8354      	Blocks: 24         IO Block: 4096   regular file
Device: 801h/2049d	Inode: 268920      Links: 1
Access: (0600/-rw-------)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
Access: 2017-03-06 14:57:19.556000000 +0000
Modify: 2017-03-06 14:57:06.852000000 +0000
Change: 2017-03-06 14:57:06.852000000 +0000
 Birth: -

root@test-base1604-node1:~# systemctl start google-accounts-daemon.service 

root@test-base1604-node1:~# stat /home/ubuntu/.ssh/authorized_keys 
stat: cannot stat '/home/ubuntu/.ssh/authorized_keys': No such file or directory

There is no mentioning of the ubuntu user in the project or instance metadata. So in my opinion this user should therefore not be touched by the google accounts daemon at all.

I also found this in the logs:

Mar 06 14:59:44 test-base1604-node1 google_accounts_daemon[2233]: google-accounts: INFO Removing user ubuntu.

Although the ubuntu user still exists. Even starting the daemon in debug mode doesn’t give me more information on why it decided to touch the ubuntu user, or why deletion failed.

Issue Analytics

State:
Created 7 years ago
Comments:6 (3 by maintainers)

Top GitHub Comments

1reaction

illfeldercommented, Mar 6, 2017

/cc @OddBloke @gaughen

I’ve looked into the issue and I think the root cause is cloud-init rather than the accounts daemon. It appears that cloud-init will attempt to set up the ubuntu user with the ssh keys returned by get_public_ssh_keys in DataSourceGCE.py. At initialization, your project and instance metadata is empty, so the file doesn’t get populated at all (and appears like it’s getting removed).

If I’m reading the cloud-init code properly, there are multiple issues here:

Most importantly - the logic shouldn’t be needed; access is provided from the accounts daemon.
DataSourceGCE.py is looking for deprecated keys (sshKeys in instance metadata).
The function ignores expiration timestamps and is including keys that may be expired.
/home/ubuntu/.ssh/authorized_keys is never updated during the life of the instance.

We’ll reach out to Canonical to address the issue.

0reactions

illfeldercommented, Mar 30, 2017

The file /var/lib/google/google_users was added as part of the new guest environment to ensure that the account daemon only modifies the users it manages. That’s probably what you didn’t run into that issue in the past.

Thanks for the update - I’ll close this off.