This repository has been archived by the owner on Nov 8, 2021. It is now read-only.

Amazon Linux 2 delivers their own AuthorizedKeysCommand #142

Closed
pitkley opened this issue Nov 16, 2018 · 5 comments
Comments

@pitkley

pitkley commented Nov 16, 2018

Metadata:

  • Operating System: Amazon Linux 2 (2018-10-31+)
  • Installation method: install.sh
  • AWS CLI Version: –

The most recent update to Amazon Linux 2 introduces their own AuthorizedKeysCommand "to support an upcoming feature to read SSH public keys from the EC2 instance metadata during the SSH connection process."

Unfortunately this breaks aws-ec2-ssh in the install_configure_sshd.sh step during the install: given that both AuthorizedKeysCommand and AuthorizedKeysCommandUser are predefined, the script will not update the commands, but rather just append them to the file.

sshd's behavior here is to use the first instance of each of these properties, which means logging in with a key stored in IAM is not possible.

Now, I'm not sure if this is something that should be "solved" as part of this project, or if this is behavior that the end-user needs to work around through e.g. CloudFormation Init.

Any input is appreciated.

@michaelwittig
Contributor

@pitkley Thanks for your detailed investigation. Not sure how to deal with this. I'm also shocked that AWS introduces changes like this into the AL 2.0 release which seems to be a breaking change :)

My current assumption is that Session Manager is a replacement of this project.

@mvanbaak
Contributor

To 'fix' this I put the following in my CF template:

            # AWS::CloudFormation::Init "commands" entries; cfn-init runs them in
            # alphabetical key order and only runs "command" while "test" exits 0,
            # i.e. while the active AL2-shipped directive is still present.
            e_disable_aws_authorizedkeyscommand:
              # Comment out the AL2 AuthorizedKeysCommand so it is no longer the first match.
              command: "sed -i 's@AuthorizedKeysCommand /usr/bin/timeout 5s /opt/aws/bin/curl_authorized_keys %u %f@#AuthorizedKeysCommand /usr/bin/timeout 5s /opt/aws/bin/curl_authorized_keys %u %f@g' /etc/ssh/sshd_config"
              test: "grep -q '^AuthorizedKeysCommand /usr/bin/timeout 5s /opt/aws/bin/curl_authorized_keys %u %f' /etc/ssh/sshd_config"
            f_disable_aws_authorizedkeyscommanduser:
              # Same for the matching AuthorizedKeysCommandUser line.
              command: "sed -i 's@AuthorizedKeysCommandUser ec2-instance-connect@#AuthorizedKeysCommandUser ec2-instance-connect@g' /etc/ssh/sshd_config"
              test: "grep -q '^AuthorizedKeysCommandUser ec2-instance-connect' /etc/ssh/sshd_config"
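The first-match behaviour described in the issue, and the in-place update that the CloudFormation workaround above achieves with sed, as an added example (not code from aws-ec2-ssh or from either comment). The IAM command path and the `nobody` user are placeholders; the AL2 lines are a constructed copy of what the issue quotes.

```shell
#!/bin/sh
# Added example, not code from aws-ec2-ssh or from the comments above.
# sshd honours the FIRST occurrence of a keyword in sshd_config, so a
# second AuthorizedKeysCommand appended below the Amazon Linux 2 one is
# silently ignored. These helpers (a) report the value sshd will actually
# use and (b) update a directive in place instead of appending it.

# Print the effective value of KEYWORD in FILE: first active (uncommented)
# match wins, later duplicates are ignored, nothing is printed if unset.
effective_sshd_option() {
    keyword=$1; file=$2
    awk -v k="$keyword" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$file"
}

# Set KEYWORD to VALUE in FILE idempotently: rewrite the first active
# occurrence, comment out any later duplicates, append only if absent.
# (mktemp creates the temp file 0600, so sshd_config's mode is preserved.)
set_sshd_option() {
    keyword=$1; value=$2; file=$3
    tmp=$(mktemp) || return 1
    awk -v k="$keyword" -v v="$value" '
        $1 == k && !done { print k " " v; done = 1; next }
        $1 == k && done  { print "#" $0; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Reproduce the issue on a constructed copy of the AL2 sshd_config lines
# (the IAM-backed command path and the "nobody" user are placeholders),
# then apply the in-place fix. Prints the effective command before and after.
demo() {
    cfg=$(mktemp)
    iam_cmd=/placeholder/iam_authorized_keys.sh
    cat > "$cfg" <<'EOF'
#AuthorizedKeysCommand none
AuthorizedKeysCommand /usr/bin/timeout 5s /opt/aws/bin/curl_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
EOF
    # What the install step did: append, which sshd never uses.
    printf 'AuthorizedKeysCommand %s\n' "$iam_cmd" >> "$cfg"
    effective_sshd_option AuthorizedKeysCommand "$cfg"
    set_sshd_option AuthorizedKeysCommand "$iam_cmd" "$cfg"
    set_sshd_option AuthorizedKeysCommandUser nobody "$cfg"
    effective_sshd_option AuthorizedKeysCommand "$cfg"
    rm -f "$cfg"
}
```

Running `demo` prints the AL2 command first and the placeholder IAM command second; `sshd -T | grep -i authorizedkeyscommand` on a real host shows the same effective value.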

@michaelwittig
Contributor

Should be addressed in a2b275e

@michaelwittig
Contributor

fixed in version 1.9.2

@pitkley
Author

pitkley commented Jan 7, 2019

Thanks for the fix, @michaelwittig! 🎉
