Scalarizr agent is meddling with /etc/ssh/sshd_config


Dmitri Toubelis

Aug 24, 2015, 4:24:50 PM
to scalr-discuss

Hi,

I was battling a problem that only occurs with instances instantiated by Scalr and finally I figured it out. I noticed that the Scalarizr agent adds the following lines to the `/etc/ssh/sshd_config` file:

...
PubkeyAuthentication yes
RSAAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

The last line is what causes the problem. The default value for `AuthorizedKeysFile` is “.ssh/authorized_keys .ssh/authorized_keys2” according to the sshd documentation, so the new value disables the ".ssh/authorized_keys2" part and it causes problems with some apps (freenx in particular).

I can obviously overwrite the configuration with a script to fix this problem, but I wonder if Scalarizr requires this particular configuration for some reason. Also, I have a suspicion that Scalarizr may restore this configuration on upgrade; I will not be able to capture this event and it will break the system.

So, my question is what would be the best way to address this issue?

Thanks.


Marat Komarov

Sep 1, 2015, 4:20:02 AM
to scalr-discuss
Hi,

This configuration is applied on Scalarizr startup, so an upgrade or just a service restart will override your settings.

What cloud platform are you running? This setting is required only by OpenStack/CloudStack but is currently applied everywhere, and we'll tweak this in the nearest update.

Regards,
Marat

Dmitri Toubelis

Sep 1, 2015, 11:17:49 AM
to scalr-discuss
Our instances are in the Amazon cloud and we use FreeNX with Centos5 for running legacy software, and an upgrade is not an option. The version of sshd that ships with Centos5 does not support multiple options for AuthorizedKeysFile (newer versions of sshd do), so something like "AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2" will not work on Centos5, but it seems that ".ssh/authorized_keys .ssh/authorized_keys2" is the default. So the only way to make FreeNX work is to comment out all occurrences of the AuthorizedKeysFile line entirely, and this is where the Scalarizr agent steps in to cause problems. So, I think your suggestion to only set this parameter on clouds that require it is the only sensible way to do it.

Essentially as of now we cannot use FreeNX with any instances started by Scalr and there is no workaround. This is a major roadblock for my client as they intend to abandon RightScale by the end of this year and Scalr is a plausible candidate. So, please consider addressing this issue in your future releases.

Regards,
Dmitri
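
A check for the behaviour discussed in this thread, as an added example that is not part of the original posts and is not Scalarizr code: it reports which `AuthorizedKeysFile` value sshd would apply and whether `authorized_keys2` is still read, so a restart that rewrites the file can be detected. It assumes sshd keeps the first value it reads for a keyword, takes the default from the value quoted in the first post, and does not evaluate `Match` blocks; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example, not Scalarizr code. Default as quoted in the thread.
AKF_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"

# effective_akf FILE: print the AuthorizedKeysFile value sshd would use.
# Assumptions: the first value read for a keyword wins, keywords are
# case-insensitive, "keyword=value" is accepted, and parsing stops at
# the first Match block (conditional overrides are not evaluated).
effective_akf() {
    awk -v def="$AKF_DEFAULT" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            key = tolower($0); sub(/[ \t=].*$/, "", key)
            val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
        }
        key == "match" { exit }
        key == "authorizedkeysfile" { found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# covers_keys2 FILE: exit 0 if authorized_keys2 is still consulted.
covers_keys2() {
    for path in $(effective_akf "$1"); do
        case "$path" in
            authorized_keys2|*/authorized_keys2) return 0 ;;
        esac
    done
    return 1
}

# Constructed samples: the lines the thread says the agent writes, and
# the same file with the directive commented out (the poster's fix).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'PubkeyAuthentication yes' 'RSAAuthentication yes' \
    'AuthorizedKeysFile %h/.ssh/authorized_keys' > "$tmp/agent"
sed 's/^AuthorizedKeysFile/#&/' "$tmp/agent" > "$tmp/fixed"
for f in agent fixed; do
    if covers_keys2 "$tmp/$f"; then s="read"; else s="IGNORED"; fi
    echo "$f: $(effective_akf "$tmp/$f") -> authorized_keys2 $s"
done
```

Run against the real `/etc/ssh/sshd_config` after each agent start or upgrade, a non-zero exit from `covers_keys2` signals that the directive has been rewritten.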