Change admin container logic to use public keys from user-data

[jpculp]

Issue number:

N/A

Description of changes:

Adds jq to the container image.

Replaces IMDS logic with fetching public keys from user-data.

This change allows the admin container to be platform agnostic as it
retrieves its .ssh/authorized_keys from a base64-encoded
JSON-structured block in user-data rather than relying on the AWS
instance metadata service (IMDS) directly.

Example JSON: {"ssh":{"authorized_keys":[]}}

Also adds support for TrustedUserCAKeys.

This allows users who want to set TrustedUserCAKeys to do so by adding
them to the base64-encoded JSON-structured user-data block.

Example JSON: {"ssh":{"trusted_user_ca_keys":[]}}

Bumps version to v0.6.0.

Testing done:
Launched the new admin container on a bottlerocket instance containing shibaken and verified that SSH access was still available.

After that, I went through several test cases of disabling the admin container, posting a new base64-encoded block to host-containers.admin.user-data, re-enabling the admin container, and checking the connection.

• ✅ Empty JSON Structure (expected fail)
• ✅ Custom authorized key
• ✅ Several keys, some good, some bad (only the strings that could be parsed by ssh-keygen were present in authorized_keys)
• ✅ Authorized key AND trusted user CA key (.ssh/authorized_keys, /etc/ssh/trusted_user_ca_keys.pub, and /etc/ssh/sshd_config looked as expected)
• ✅ Removed authorized key so that only trusted user CA key was available

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[jahkeup]

Related to changes in PR bottlerocket-os/bottlerocket#1331

[jahkeup]

Small scripty changes - thanks for rolling this up with bottlerocket-os/bottlerocket#1331 👍🏽

[jahkeup]

Typically ++n is used in very specific use cases and tickles my spideysenses - can we switch to n++?

Suggested change

	((++available_auth_methods))
	((available_auth_methods++))

[jpculp]

I gave this a shot, but the container seemed to stop immediately after the first instance:

+ [[ ! -s /home/ec2-user/.ssh/authorized_keys ]]
+ (( available_auth_methods++ ))

I think this is due to the set -e at the top of the script.

[jahkeup]

Ah, yeah this would have to written as : (( available_auth_methods++ )) or let available_auth_methods++.

[jpculp]

It seems those also are causing an early exit.

[jahkeup]

It seems those also are causing an early exit.

TIL:

from bash -c 'help let'

Exit Status:
If the last ARG evaluates to 0, let returns 1; let returns 0 otherwise.

The : ((available_auth_methods++)) expression should be okay no matter what (because of : noop).

( x=0; set -x; : x++; echo $?; x=0; let x++; echo $?; x=0; let ++x; echo $?)
# + : x++
# + echo 0
# 0
# + x=0
# + let x++
# + echo 1
# 1
# + x=0
# + let ++x
# + echo 0
# 0

[zmrow]

I think this looks good - can you update the testing section in the PR description with the testing you've done?

🏐

[jahkeup]

This extra newline seems unneeded - the comment adds context if the intent is to break up the appended config from the prior. This isn't a sticking point though, if you want to keep this: feel free to leave it.

[jahkeup]

The echo msg >&2 is repeated throughout, instead of relying on the convention of redirection a function would make the intent clear and safer overall. It would reduce the chances that extra output is sent to subshell substitutes that are expecting data in stdout.

log() {
  echo "$*" >&2
}

Suggested change

	echo "Failed to parse authorized_keys from ${user_data}" >&2
	log "Failed to parse authorized_keys from ${user_data}"

Or, alternatively (using my go to log definition)

# log with date prefix. 
# 
# Suggested use: `log $LEVEL: $msg`
log() {
  echo "[$(date --iso-8601=s --utc)] $*" >&2
}

# with use as:

log "INFO: installed ssh authorized keys"
log "WARN: unable to parse trusted user CA certificates"
log "ERROR: unable to setup ssh with provided user data"

[jahkeup]

Let's put this above the mkdir and use it there to make sure we're being consistent throughout with directory creation and their early setup.

I'd also like to call this something else.. this isn't /etc/ssh/ssh_config (which would have been my guess once I lost this off my mental stack). May I suggest: user_ssh_dir. To me, this is far clearer in contexts like "$user_ssh_dir/authorized_keys" (vs. "$ssh_config_dir/authorized_keys", which could have been a system level ssh config directory).

[jahkeup]

I don't think we should be configuring an absolute path to the authorized keys. I haven't tried this myself, but I'd suspect that an absolute path would authorize all users with the given file, meaning any user could login as any user. Even so, sshd_config(5) has this to say:

AuthorizedKeysFile

  Specifies the file that contains the public keys used for user authentication.
  The format is described in the AUTHORIZED_KEYS FILE FORMAT section of sshd(8).
  Arguments to AuthorizedKeysFile accept the tokens described in the TOKENS
  section. After expansion, AuthorizedKeysFile is taken to be an absolute path
  or one relative to the user's home direc‐ tory. Multiple files may be listed,
  separated by whitespace. Alternately this option may be set to none to skip
  checking for user keys in files. 

  The default is ".ssh/authorized_keys .ssh/authorized_keys2".

I'm of a mind that we do not try to set or modify the option. The location we're installing the keys will work without adding the explicit path.

[jahkeup]

The ${ssh_config_dir} was created by the script, so we should make sure its chown'd before exiting. If users are doing anything to customize their image (and still using this script) then the directory may be inaccessible to them.

[jahkeup]

I'd like to see a distinct and (maybe) valid example here instead of duplicated ssh public key (its the same as authorized_keys. At the very least, I think having a dummy value like ssh-rsa example-ssh-ca-public-key-formatted-here authority@ssh-ca.example.com is preferred.

[jpculp]

• Switched echos "blah" >&2 to log()
• Renamed ssh_config_dir to user_ssh_dir
• Replaced hardcoded /home/ec2-user/.ssh with user_ssh_dir
• Tweaked cat/EOF block
• Removed echo "AuthorizedKeysFile ${ssh_authorized_keys}" >> "${sshd_config}"
• Moved chown ec2-user -R "${user_ssh_dir}" up to run before the possible exit due to authentication configuration failure

[bcressey]

nit: might be good to give this the same EXAMPLESSHPUBLICKEYFORMATTEDHERE treatment since the line is very long, and we want to be clear that this isn't a valid key that will give us access to the instance of anyone who copy/pastes this.

[jpculp]

You're right, it does look a little silly now. I'll change it to be more consistent.

Fun fact, the example key is from the IMDS documentation. (for anyone who is curious)

[bcressey]

This results in ~/.ssh getting created with the default umask, but the recommended default is 0700.

[bcressey]

Can this common block be factored out into its own function?

[bcressey]

nit: I'd move this up by parse_authorized_keys so it doesn't interrupt the flow here.

[jpculp]

Based on the other feedback, I'll create a single function to take care of both 😃

[bcressey]

Can this be set unconditionally and have sshd not complain too much if the file doesn't exist?

[bcressey]

ec2-user should be in a variable so it's easier to override and matches how user_ssh_dir is defined

[bcressey]

We don't need to use [[ here; seems like an unnecessary change. I prefer to use [ unless we're taking advantage of specific features that only [[ can provide.

[bcressey]

We should just log a warning and start sshd anyhow, so the container doesn't continually exit and restart - there's no chance that a simple restart will clear up a transient failure.

[jpculp]

• Consolidated parse_authorized_keys/parse_trusted_user_ca_keys into a single get_user_data_keys function.
• Reduced example authorized_key to something shorter.
• Added TrustedUserCAKeys directly to sshd_config.
• Replaced hardcoded ec2-user with variable local_user
• Replaced install with the original touch/chmod to keep things simple.
• Removed extraneous brackets.

[zmrow]

🎮