This repository has been archived by the owner on Nov 8, 2021. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 288
Amazon Linux 2 delivers their own AuthorizedKeysCommand #142
Labels
Comments
@pitkley Thanks for your detailed investigation. Not sure how to deal with this. I'm also shocked that AWS introduces changes like this into the AL 2.0 release which seems to be a breaking change :) My current assumption is that Session Manager is a replacement of this project. |
To 'fix' this I put the following in my CF template: e_disable_aws_authorizedkeyscommand:
command: "sed -i 's@AuthorizedKeysCommand /usr/bin/timeout 5s /opt/aws/bin/curl_authorized_keys %u %f@#AuthorizedKeysCommand /usr/bin/timeout 5s /opt/aws/bin/curl_authorized_keys %u %f@g' /etc/ssh/sshd_config"
test: "grep -q '^AuthorizedKeysCommand /usr/bin/timeout 5s /opt/aws/bin/curl_authorized_keys %u %f' /etc/ssh/sshd_config"
f_disable_aws_authorizedkeyscommanduser:
command: "sed -i 's@AuthorizedKeysCommandUser ec2-instance-connect@#AuthorizedKeysCommandUser ec2-instance-connect@g' /etc/ssh/sshd_config"
test: "grep -q '^AuthorizedKeysCommandUser ec2-instance-connect' /etc/ssh/sshd_config" |
Should be addressed in a2b275e |
fixed in version 1.9.2 |
Thanks for the fix, @michaelwittig! 🎉 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Metadata:
install.sh
The most recent update to Amazon Linux 2 introduces their own
AuthorizedKeysCommand
"to support an upcoming feature to read SSH public keys; from the EC2 instance metadata during the SSH connection process."Unfortunately this breaks aws-ec2-ssh in the
install_configure_sshd.sh
step during the install: given that bothAuthorizedKeysCommand
andAuthorizedKeysCommandUser
are predefined, the script will not update the commands, but rather just append them to the file.sshd's behavior here is to use the first instance of each of these properties, which means logging in with a key stored in IAM is not possible.
Now, I'm not sure if this is something that should be "solved" as part of this project, or if this is behavior that the end-user needs to workaround through e.g. CloudFormation Init.
Any input is appreciated.
The text was updated successfully, but these errors were encountered: