To all the cloud-init experts:
Recently, I've been trying to play around with cloud-init's capabilities for user account creation and management.
I wanted to forbid root ssh login and to create another sudo user that needs no password for sudo.
I do get the desired result, but I do not know how it is implemented.
Sample config.cfg:

```yaml
users:
  - name: root
    # lock_passwd: false
  - default
  - name: user_name
    gecos: Non-root User
    primary_group: nr_user
    groups: nr_user,sudo,wheel
    lock_passwd: false
    passwd: $6$rounds=4096$e0Ju.HuWxqWs....JeEzX/XGGave2jhi1
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
disable_root: true
disable_root_opts: no-port-forwarding,no-agent-forwarding,no-X11-forwarding
```
I should typically restrict root ssh login through /etc/ssh/sshd_config, changing PermitRootLogin yes to PermitRootLogin no.

I would typically add a line like user_name ALL=(ALL) NOPASSWD:ALL to /etc/sudoers if I want a sudoer that does not need to enter a password every time.

But I see no changes like this.

On top of that, the very custom message that root ssh is disabled and another user should be used makes me wonder how it is achieved. Does cloud-init spin up a module that monitors for the usage of users and applies the settings on the fly?
The SSH custom message is written to /root/.ssh/authorized_keys. On an Ubuntu system it should contain something like

```
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142"
```

followed by the default user's authorized key.

This is accomplished via the SSH module. See the documentation and source here and here.

cloud-init automatically creates a sudo: ["ALL=(ALL) NOPASSWD:ALL"] for the default user. Any user sudo definition gets written to /etc/sudoers.d/90-cloud-init-users. For your cloud-config, it should look something like

```
# Created by cloud-init v. 21.4 on Mon, 13 Dec 2021 14:37:19 +0000
# User rules for user_name
user_name ALL=(ALL) NOPASSWD:ALL
# User rules for ubuntu
ubuntu ALL=(ALL) NOPASSWD:ALL
```

You can see the (templated) definition for the default user here.
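The two artefacts the answer points at can be checked mechanically rather than eyeballed. The script below is an added example, not cloud-init's code or the answerer's: it parses a root authorized_keys entry using the quoting rules sshd applies to the options field (the forced command contains commas and escaped quotes, so a naive comma split would misread it) and a sudoers.d fragment of the shape cloud-init emits, then reports whether root's key is really restricted and which users got passwordless sudo. The forced command and sudoers lines are the ones quoted in the answer; the key material and the `ubuntu@example` comment are constructed and not real.

```python
"""Audit what cloud-init's disable_root and users[].sudo wrote (added example)."""
import re

# Key types sshd accepts; used to tell where an optional options field ends.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}
# What cloud-init's default disable_root_opts put on root's key.
REQUIRED_ROOT_OPTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}


def _split_options(text):
    """Comma-split an authorized_keys options field, honouring double quotes.
    Inside quotes sshd un-escapes only backslash-quote; other backslashes stay.
    Flags map to None, name=value options to the value without its quotes."""
    options, buf, in_quotes, i = {}, [], False, 0
    while i <= len(text):
        c = text[i] if i < len(text) else ","  # sentinel flushes the last item
        if in_quotes:
            if c == "\\" and text[i + 1:i + 2] == '"':
                buf.append('"')
                i += 2
                continue
            if c == '"':
                in_quotes = False
            else:
                buf.append(c)
        elif c == '"':
            in_quotes = True
        elif c == ",":
            if buf:
                name, sep, value = "".join(buf).partition("=")
                options[name.lower()] = value if sep else None  # names are case-insensitive
                buf = []
        else:
            buf.append(c)
        i += 1
    return options


def parse_authorized_key(line):
    """Return (options, keytype, key, comment) for one authorized_keys line."""
    line = line.strip()
    if not line:
        raise ValueError("empty authorized_keys line")
    options_text, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:
        # An options field precedes the key: scan to the first whitespace
        # that is not inside double quotes (the forced command contains spaces).
        in_quotes, i = False, 0
        while i < len(line):
            c = line[i]
            if in_quotes and c == "\\" and line[i + 1:i + 2] == '"':
                i += 2
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c.isspace() and not in_quotes:
                break
            i += 1
        options_text, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"not an authorized_keys line: {line!r}")
    return _split_options(options_text), parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def root_key_restrictions(line):
    """Judge a root entry written by disable_root: it is only a 'use the other
    user' banner if every no-* option is present and a forced command replaces
    whatever the client asked to run. Anything less is a working root login."""
    options = parse_authorized_key(line)[0]
    missing = sorted(REQUIRED_ROOT_OPTIONS - set(options))
    forced = options.get("command")
    return {"restricted": not missing and forced is not None,
            "missing_options": missing, "forced_command": forced}


# user hosts=(runas) [TAG: ...] commands -- enough for the fragments cloud-init emits.
SUDO_RULE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
                       r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudoers_fragment(text):
    """Parse plain user specifications from a sudoers.d fragment. Comments are
    skipped; #include directives, aliases and Defaults are rejected rather than
    ignored, because a misread sudoers file is a false 'all clear'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#include")):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        tags = [t for t in m["tags"].replace(" ", "").split(":") if t]
        rules.append((m["user"], m["hosts"], m["runas"], tags, m["cmds"].strip()))
    return rules


def passwordless_sudoers(text):
    """Users allowed to run anything as anyone without a password, i.e. what
    sudo: ["ALL=(ALL) NOPASSWD:ALL"] in cloud-config turns into."""
    return sorted(user for user, hosts, runas, tags, cmds in parse_sudoers_fragment(text)
                  if hosts == "ALL" and runas.split(":")[0] == "ALL"
                  and "NOPASSWD" in tags and cmds == "ALL")


# Constructed sample: root's entry as disable_root writes it on Ubuntu. The forced
# command is the one quoted in the answer; the key material is NOT a real key.
ROOT_AUTHORIZED_KEYS = r'''no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTheExampleOnly0000000 ubuntu@example'''

# The sudoers.d fragment from the answer, as cloud-init 21.4 emitted it.
SUDOERS_FRAGMENT = """\
# Created by cloud-init v. 21.4 on Mon, 13 Dec 2021 14:37:19 +0000
# User rules for user_name
user_name ALL=(ALL) NOPASSWD:ALL
# User rules for ubuntu
ubuntu ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    verdict = root_key_restrictions(ROOT_AUTHORIZED_KEYS)
    print("root key restricted:", verdict["restricted"])
    print("forced command:", verdict["forced_command"])
    print("NOPASSWD sudoers:", passwordless_sudoers(SUDOERS_FRAGMENT))
```

On a real instance you would feed it the contents of /root/.ssh/authorized_keys and /etc/sudoers.d/90-cloud-init-users instead of the constructed strings. Keep running `visudo -cf` on the fragment as well: this parser recognises only plain user specifications, and an unrestricted second root key further down authorized_keys would still need to be caught by checking every line, not just the first.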