Please update ec2-instance-connect to 1.1.12 release

Bug #1860142 reported by Balint Reczey
This bug affects 1 person
Affects                        Status        Importance  Assigned to  Milestone
ec2-instance-connect (Ubuntu)  Fix Released  Undecided   Unassigned
Xenial                         Fix Released  Undecided   Unassigned
Bionic                         Fix Released  Undecided   Unassigned
Disco                          Won't Fix     Undecided   Unassigned
Eoan                           Fix Released  Undecided   Unassigned

Bug Description

[Impact]

New upstream release of the package providing SSH access to instances; available to any AWS users. The most notable new feature is support for Instance Metadata Service Version 2, but since the release included a major rewrite which honored the Security Team's input, the package is backported in full.

[Test Cases]
This is manually tested by Amazon:

0) Deploy an Amazon AWS instance with Instance Connect feature enabled
1) Install the previous version of the ec2-instance-connect package
2) Verify that the sshd process has been restarted with the changed command-line, now including "AuthorizedKeysCommand*" options.
3) Attempt to connect to the instance using an SSH key that is known by the Instance Connect service.
4) Upgrade to the new version of the package
5) Attempt to connect to the instance using an SSH key that is known by the Instance Connect service.
6) Purge the ec2-instance-connect package
7) Configure the instance to use IMDSv2
8) Install the new ec2-instance-connect again and verify that it is working again (steps 2 and 3)

[Regression Potential]
Limited to SSH access on instances where the package gets installed. This package will be installed by default for a new service called "Instance Connect" provided to AWS customers. In the case of an issue, things to watch out for would be for some keys to not be usable to connect to the instance when they are expected to be, as the list of authorized keys is collated by the service to include both the usual authorized_keys contents, as well as keys provided by the Instance Connect service.

The package upgrade is covered in the test case.

[Other Info]
The source difference for the SRUs contains a lot of extra files because the source now contains almost the full upstream tarball, but the difference between the binary packages is still minimal and it may be easier to review that difference.

Disco SRU is skipped because it goes EOL before the aging of the package would finish.
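
A minimal offline version of the check in test-case step 2, as an added example that is not part of the original report or of the package: it tests an sshd command line for the AuthorizedKeysCommand* options and flags an sshd_config that already sets them, which is the case the maintainer scripts warn about further down in this report. Function names and sample configs are constructed for illustration; the sample command line is the one shown in the service status output quoted in this report.

```shell
#!/bin/sh
# Added example, not code from the ec2-instance-connect package.

# Command line as shown in the "service sshd status" output in this report.
SAMPLE_CMDLINE='/usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect'
# Constructed: an sshd started without the drop-in options.
PLAIN_CMDLINE='/usr/sbin/sshd -D'

# Succeeds if the command line carries both Instance Connect options.
cmdline_has_eic() {
    case "$1" in
        *"-o AuthorizedKeysCommand "*/eic_run_authorized_keys*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *"-o AuthorizedKeysCommandUser ec2-instance-connect"*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Succeeds if the config file has an uncommented AuthorizedKeysCommand or
# AuthorizedKeysCommandUser directive. sshd keywords are case-insensitive
# and may be separated from their value by whitespace or "=".
config_sets_akc() {
    grep -Eiq '^[[:space:]]*AuthorizedKeysCommand(User)?[[:space:]=]' "$1"
}

# Prints one of: conflict, ok, missing.
#   $1 = sshd command line, $2 = path to an sshd_config file
eic_verdict() {
    if config_sets_akc "$2"; then
        echo conflict
    elif cmdline_has_eic "$1"; then
        echo ok
    else
        echo missing
    fi
}

# Writes the given lines to a temp file and prints its path
# (helper for building constructed sample configs).
make_config() {
    f=$(mktemp) && printf '%s\n' "$@" > "$f" && echo "$f"
}

# For use on a real instance (assumes Linux /proc and pgrep):
#   eic_verdict "$(live_sshd_cmdline)" /etc/ssh/sshd_config
live_sshd_cmdline() {
    pid=$(pgrep -o -x sshd) || return 1
    tr '\0' ' ' < "/proc/$pid/cmdline"
}

# Demonstration on constructed configs.
clean=$(make_config '#AuthorizedKeysCommand none' 'PasswordAuthentication no')
clash=$(make_config 'AuthorizedKeysCommand /bin/false' '#AuthorizedKeysCommandUser nobody')
echo "drop-in options present, clean config: $(eic_verdict "$SAMPLE_CMDLINE" "$clean")"
echo "drop-in options absent,  clean config: $(eic_verdict "$PLAIN_CMDLINE" "$clean")"
echo "config already sets the directive:     $(eic_verdict "$SAMPLE_CMDLINE" "$clash")"
rm -f "$clean" "$clash"
```
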

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-instance-connect - 1.1.12+dfsg1-0ubuntu1

---------------
ec2-instance-connect (1.1.12+dfsg1-0ubuntu1) focal; urgency=medium

  [ Balint Reczey ]
  * New upstream version 1.1.11:
    - Removing errant write to /tmp
    - Cleaning up bad bash practices, including umask race condition
    - Fix for an update to openssl (or dependencies) affecting behavior
      of CApath option on openssl verify
    - Fixing Nitro behavior of hostkey harvesting
    - Adding additional licensing headers
  * New upstream version 1.1.12 (LP: #1860142):
    - Adding support for Instance Metadata Service Version 2
    - Modifying cURL invocation to avoid need for eval
    - Cleaning up shellcheck catches
  * debian/install: Adjust for new upstream source layout
  * Suppress systemctl messages and ignore error in maintainer scripts
  * Bump compat level to 10

  [ LordAlfredo ]
  * Rely on debhelper to enable and start systemd service

 -- Balint Reczey <email address hidden> Fri, 17 Jan 2020 11:59:21 +0100

Changed in ec2-instance-connect (Ubuntu):
status: New → Fix Released
tags: added: id-5e1e340b6338410899d33213
Balint Reczey (rbalint)
description: updated
Balint Reczey (rbalint)
description: updated
description: updated
Balint Reczey (rbalint)
description: updated
Changed in ec2-instance-connect (Ubuntu Disco):
status: New → Won't Fix
Balint Reczey (rbalint)
description: updated
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Balint, or anyone else affected,

Accepted ec2-instance-connect into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.12+dfsg1-0ubuntu1~19.10.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ec2-instance-connect (Ubuntu Eoan):
status: New → Fix Committed
tags: added: verification-needed verification-needed-eoan
Changed in ec2-instance-connect (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Chris Halse Rogers (raof) wrote :

Hello Balint, or anyone else affected,

Accepted ec2-instance-connect into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.12+dfsg1-0ubuntu1~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ec2-instance-connect (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Balint Reczey (rbalint) wrote :

Verified 1.1.12+dfsg1-0ubuntu1~16.04.0 on Xenial:

ubuntu@ip-172-31-23-71:~$ sudo apt install ec2-instance-connect
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.4 kB of archives.
After this operation, 48.1 kB of additional disk space will be used.
Get:1 http://us-east-2.ec2.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 ec2-instance-connect all 1.1.9-0ubuntu3~16.04.1 [11.4 kB]
Fetched 11.4 kB in 0s (106 kB/s)
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 76553 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.9-0ubuntu3~16.04.1_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.9-0ubuntu3~16.04.1) ...
Setting up ec2-instance-connect (1.1.9-0ubuntu3~16.04.1) ...
sshd override added, restarting daemon
ubuntu@ip-172-31-23-71:~$ sudo sed -i s/backports/proposed/ /etc/apt/sources.list
ubuntu@ip-172-31-23-71:~$ sudo apt update -qq
24 packages can be upgraded. Run 'apt list --upgradable' to see them.
ubuntu@ip-172-31-23-71:~$ sudo apt install -q ec2-instance-connect
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  ec2-instance-connect
1 upgraded, 0 newly installed, 0 to remove and 23 not upgraded.
Need to get 12.7 kB of archives.
After this operation, 7,168 B of additional disk space will be used.
Get:1 http://us-east-2.ec2.archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 ec2-instance-connect all 1.1.12+dfsg1-0ubuntu1~16.04.0 [12.7 kB]
Fetched 12.7 kB in 0s (247 kB/s)
(Reading database ... 76562 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu1~16.04.0_all.deb ...
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu1~16.04.0) over (1.1.9-0ubuntu3~16.04.1) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu1~16.04.0) ...
ubuntu@ip-172-31-23-71:~$ sudo apt purge ec2-instance-connect
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  ec2-instance-connect*
0 upgraded, 0 newly installed, 1 to remove and 23 not upgraded.
After this operation, 55.3 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 76562 files and directories currently installed.)
Removing ec2-instance-connect (1.1.12+dfsg1-0ubuntu1~16.04.0) ...
sshd override removed, restarting daemon...
Deleted system user ec2-instance-connect
Purging configuration files for ec2-instance-connect (1.1.12+dfsg1-0ubuntu1~16.04.0) ...
Deleted system user ec2-instance-connect
(failed reverse-i-search)`apit in': sudo ^Ct purge ec2-instance-connect
ubuntu@ip-172-31-23-71:~$ sudo apt install -q ec2-instance-connect
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 23 not...

Balint Reczey (rbalint) wrote :

I'm observing slow connection after package upgrade on Bionic, will triage further.

Steve Langasek (vorlon) wrote :

I don't understand the debian/preinst change, which is removing on upgrade /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf but that file is shipped in the new version of the package.

And restarting ssh in the prerm of ec2-instance-connect doesn't make sense, the drop-in will still be on disk. The restart certainly needs to happen in the postrm.

Changed in ec2-instance-connect (Ubuntu Eoan):
status: Fix Committed → Incomplete
Steve Langasek (vorlon) wrote :

(This is in reference to the new version that's currently in the unapproved queue)

Balint Reczey (rbalint)
Changed in ec2-instance-connect (Ubuntu Eoan):
status: Incomplete → In Progress
Balint Reczey (rbalint) wrote :

@vorlon Thank you for the review. I've removed the obsolete steps in Focal and reuploaded the proposed SRU backports.

Balint Reczey (rbalint)
Changed in ec2-instance-connect (Ubuntu Bionic):
status: Fix Committed → In Progress
Changed in ec2-instance-connect (Ubuntu Xenial):
status: Fix Committed → In Progress
Mathew Hodson (mhodson)
tags: added: upgrade-software-version
Łukasz Zemczak (sil2100) wrote :

Hello Balint, or anyone else affected,

Accepted ec2-instance-connect into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.12+dfsg1-0ubuntu3~19.10.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ec2-instance-connect (Ubuntu Eoan):
status: In Progress → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Balint, or anyone else affected,

Accepted ec2-instance-connect into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.12+dfsg1-0ubuntu3~18.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ec2-instance-connect (Ubuntu Bionic):
status: In Progress → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Balint, or anyone else affected,

Accepted ec2-instance-connect into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.12+dfsg1-0ubuntu3~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ec2-instance-connect (Ubuntu Xenial):
status: In Progress → Fix Committed
Balint Reczey (rbalint) wrote :

Verified 1.1.12+dfsg1-0ubuntu3~19.10.0 on Eoan:
ubuntu@ip-172-31-30-118:~$ sudo apt -y install -qq ec2-instance-connect
The following package was automatically installed and is no longer required:
  libdumbnet1
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.4 kB of archives.
After this operation, 48.1 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 86215 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.9-0ubuntu3_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.9-0ubuntu3) ...
Setting up ec2-instance-connect (1.1.9-0ubuntu3) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
sshd override added, restarting daemon
ubuntu@ip-172-31-30-118:~$
ubuntu@ip-172-31-30-118:~$
ubuntu@ip-172-31-30-118:~$
ubuntu@ip-172-31-30-118:~$
ubuntu@ip-172-31-30-118:~$
ubuntu@ip-172-31-30-118:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:28:57 UTC; 14min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 29680 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 29681 (sshd)
    Tasks: 1 (limit: 1145)
   Memory: 4.1M
   CGroup: /system.slice/ssh.service
           └─29681 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect

Feb 24 16:29:16 ip-172-31-30-118 sshd[29739]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Feb 24 16:38:00 ip-172-31-30-118 sshd[30184]: Invalid user admin from 141.98.81.150 port 38095
Feb 24 16:38:00 ip-172-31-30-118 sshd[30184]: Connection closed by invalid user admin 141.98.81.150 port 38095 [preauth]
Feb 24 16:42:19 ip-172-31-30-118 sshd[30187]: error: kex_exchange_identification: Connection closed by remote host
Feb 24 16:42:38 ip-172-31-30-118 sshd[30188]: Received disconnect from 140.238.164.68 port 55574:11: Normal Shutdown, Thank you for playing [preauth]
Feb 24 16:42:38 ip-172-31-30-118 sshd[30188]: Disconnected from authenticating user root 140.238.164.68 port 55574 [preauth]
Feb 24 16:42:51 ip-172-31-30-118 sshd[30190]: Received disconnect from 140.238.164.68 port 53314:11: Normal Shutdown, Thank you for playing [preauth]
Feb 24 16:42:51 ip-172-31-30-118 sshd[30190]: Disconnected from authenticating user root 140.238.164.68 port 53314 [preauth]
Feb 24 16:43:04 ip-172-31-30-118 sshd[30192]: Received disconnect from 140.238.164.68 port 51064:11: Normal Shutdown, Thank you for playing [preauth]
Feb 24 16:43:04 ip-172-31-30-118 sshd[30192]: Disconnected from authenticating user root 140.238.164.68 port 51064 [preauth]
ubuntu@ip-172-31-30-118:~$...

tags: added: verification-done-eoan
removed: verification-needed-eoan
Balint Reczey (rbalint) wrote :

Verified 1.1.12+dfsg1-0ubuntu3~18.04.0 on Bionic.

ubuntu@ip-172-31-42-192:~$ sudo apt -y install -qq ec2-instance-connect
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.4 kB of archives.
After this operation, 48.1 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 83945 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.9-0ubuntu3~18.04.1_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.9-0ubuntu3~18.04.1) ...
Setting up ec2-instance-connect (1.1.9-0ubuntu3~18.04.1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
sshd override added, restarting daemon
ubuntu@ip-172-31-42-192:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:53:18 UTC; 2s ago
  Process: 25720 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 25721 (sshd)
    Tasks: 1 (limit: 1152)
   CGroup: /system.slice/ssh.service
           └─25721 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect

Feb 24 16:53:18 ip-172-31-42-192 systemd[1]: Stopped OpenBSD Secure Shell server.
Feb 24 16:53:18 ip-172-31-42-192 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 24 16:53:18 ip-172-31-42-192 sshd[25721]: Server listening on 0.0.0.0 port 22.
Feb 24 16:53:18 ip-172-31-42-192 sshd[25721]: Server listening on :: port 22.
Feb 24 16:53:18 ip-172-31-42-192 systemd[1]: Started OpenBSD Secure Shell server.
ubuntu@ip-172-31-42-192:~$ sudo sed -i s/backports/proposed/ /etc/apt/sources.list
ubuntu@ip-172-31-42-192:~$ sudo apt update -qq
26 packages can be upgraded. Run 'apt list --upgradable' to see them.
ubuntu@ip-172-31-42-192:~$ sudo apt-get -qqy install ec2-instance-connect
(Reading database ... 83954 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~18.04.0_all.deb ...
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) over (1.1.9-0ubuntu3~18.04.1) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) ...
sshd override added, restarting daemon
ubuntu@ip-172-31-42-192:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:55:56 UTC; 3s ago
  Process: 26692 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 26703 (sshd)
    Tasks: 1 (limit: 1152)
   CGroup: /system.slice/ssh.service
           └─26703 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/s...

Balint Reczey (rbalint) wrote :

Verified 1.1.12+dfsg1-0ubuntu3~16.04.0 on Xenial. With the previous version Instance Connect did not connect, but it worked with the updated version.

ubuntu@ip-172-31-35-36:~$ sudo apt -y install -qq ec2-instance-connect
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.4 kB of archives.
After this operation, 48.1 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 76560 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.9-0ubuntu3~16.04.1_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.9-0ubuntu3~16.04.1) ...
Setting up ec2-instance-connect (1.1.9-0ubuntu3~16.04.1) ...
sshd override added, restarting daemon
ubuntu@ip-172-31-35-36:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:52:25 UTC; 40s ago
  Process: 25577 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 25581 (sshd)
    Tasks: 1
   Memory: 792.0K
      CPU: 177ms
   CGroup: /system.slice/ssh.service
           └─25581 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect

Feb 24 16:52:25 ip-172-31-35-36 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 24 16:52:25 ip-172-31-35-36 sshd[25581]: Server listening on 0.0.0.0 port 22.
Feb 24 16:52:25 ip-172-31-35-36 sshd[25581]: Server listening on :: port 22.
Feb 24 16:52:25 ip-172-31-35-36 systemd[1]: Started OpenBSD Secure Shell server.
Feb 24 16:52:48 ip-172-31-35-36 sshd[25611]: Connection closed by 18.188.9.33 port 15596 [preauth]
Feb 24 16:52:48 ip-172-31-35-36 sshd[25643]: Connection closed by 18.188.9.33 port 54735 [preauth]
Feb 24 16:53:04 ip-172-31-35-36 sshd[25675]: Connection closed by 18.188.9.33 port 44464 [preauth]
Feb 24 16:53:04 ip-172-31-35-36 sshd[25707]: Connection closed by 18.188.9.33 port 27716 [preauth]
ubuntu@ip-172-31-35-36:~$ sudo sed -i s/backports/proposed/ /etc/apt/sources.list
ubuntu@ip-172-31-35-36:~$ sudo apt update -qq
19 packages can be upgraded. Run 'apt list --upgradable' to see them.
ubuntu@ip-172-31-35-36:~$ sudo apt-get -qqy install ec2-instance-connect
(Reading database ... 76569 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~16.04.0_all.deb ...
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) over (1.1.9-0ubuntu3~16.04.1) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
sshd override added, restarting daemon
ubuntu@ip-172-31-35-36:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (ru...

tags: added: verification-done verification-done-bionic verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-xenial
Balint Reczey (rbalint) wrote :

Verified maintainer script warning on all releases:

root@bb-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
#AuthorizedKeysCommandUser nobody
root@bb-proposed:~# apt install -qq ec2-instance-connect
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 76 not upgraded.
Need to get 12.6 kB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 36957 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~18.04.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-
instance-connect.service.
Job for ec2-instance-connect.service failed because the control process exited with error code.
See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is correct.
root@bb-proposed:~#

root@ee-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
#AuthorizedKeysCommandUser nobody
root@ee-proposed:~# apt install -qq ec2-instance-connect
The following packages were automatically installed and are no longer required:
  command-not-found-data libdumbnet1 libidn11 libip4tc0 libip6tc0 multiarch-support
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 34 not upgraded.
Need to get 12.6 kB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 32593 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~19.10.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-
instance-connect.service.
Job for ec2-instance-connect.service failed because the control process exited with error code.
See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is corr...

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-instance-connect - 1.1.12+dfsg1-0ubuntu3~19.10.0

---------------
ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) eoan; urgency=medium

  * Rebuild for Eoan

ec2-instance-connect (1.1.12+dfsg1-0ubuntu3) focal; urgency=medium

  * debian/preinst: Don't remove ec2-instance-connect.conf manually on upgrade
  * debian/prerm: Drop obsolete file

ec2-instance-connect (1.1.12+dfsg1-0ubuntu2) focal; urgency=medium

  * Ship ssh.service drop-in instead of handling placement in maintainer scripts
    (LP: #1861909)

ec2-instance-connect (1.1.12+dfsg1-0ubuntu1) focal; urgency=medium

  [ Balint Reczey ]
  * New upstream version 1.1.11:
    - Removing errant write to /tmp
    - Cleaning up bad bash practices, including umask race condition
    - Fix for an update to openssl (or dependencies) affecting behavior
      of CApath option on openssl verify
    - Fixing Nitro behavior of hostkey harvesting
    - Adding additional licensing headers
  * New upstream version 1.1.12 (LP: #1860142):
    - Adding support for Instance Metadata Service Version 2
    - Modifying cURL invocation to avoid need for eval
    - Cleaning up shellcheck catches
  * debian/install: Adjust for new upstream source layout
  * Suppress systemctl messages and ignore error in maintainer scripts
  * Bump compat level to 10

  [ LordAlfredo ]
  * Rely on debhelper to enable and start systemd service

 -- Balint Reczey <email address hidden> Mon, 10 Feb 2020 21:26:44 +0100

Changed in ec2-instance-connect (Ubuntu Eoan):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for ec2-instance-connect has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-instance-connect - 1.1.12+dfsg1-0ubuntu3~18.04.0

---------------
ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) bionic; urgency=medium

  * Rebuild for Bionic

ec2-instance-connect (1.1.12+dfsg1-0ubuntu3) focal; urgency=medium

  * debian/preinst: Don't remove ec2-instance-connect.conf manually on upgrade
  * debian/prerm: Drop obsolete file

ec2-instance-connect (1.1.12+dfsg1-0ubuntu2) focal; urgency=medium

  * Ship ssh.service drop-in instead of handling placement in maintainer scripts
    (LP: #1861909)

ec2-instance-connect (1.1.12+dfsg1-0ubuntu1) focal; urgency=medium

  [ Balint Reczey ]
  * New upstream version 1.1.11:
    - Removing errant write to /tmp
    - Cleaning up bad bash practices, including umask race condition
    - Fix for an update to openssl (or dependencies) affecting behavior
      of CApath option on openssl verify
    - Fixing Nitro behavior of hostkey harvesting
    - Adding additional licensing headers
  * New upstream version 1.1.12 (LP: #1860142):
    - Adding support for Instance Metadata Service Version 2
    - Modifying cURL invocation to avoid need for eval
    - Cleaning up shellcheck catches
  * debian/install: Adjust for new upstream source layout
  * Suppress systemctl messages and ignore error in maintainer scripts
  * Bump compat level to 10

  [ LordAlfredo ]
  * Rely on debhelper to enable and start systemd service

 -- Balint Reczey <email address hidden> Mon, 10 Feb 2020 21:26:44 +0100

Changed in ec2-instance-connect (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-instance-connect - 1.1.12+dfsg1-0ubuntu3~16.04.0

---------------
ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) xenial; urgency=medium

  * Rebuild for Xenial

ec2-instance-connect (1.1.12+dfsg1-0ubuntu3) focal; urgency=medium

  * debian/preinst: Don't remove ec2-instance-connect.conf manually on upgrade
  * debian/prerm: Drop obsolete file

ec2-instance-connect (1.1.12+dfsg1-0ubuntu2) focal; urgency=medium

  * Ship ssh.service drop-in instead of handling placement in maintainer scripts
    (LP: #1861909)

ec2-instance-connect (1.1.12+dfsg1-0ubuntu1) focal; urgency=medium

  [ Balint Reczey ]
  * New upstream version 1.1.11:
    - Removing errant write to /tmp
    - Cleaning up bad bash practices, including umask race condition
    - Fix for an update to openssl (or dependencies) affecting behavior
      of CApath option on openssl verify
    - Fixing Nitro behavior of hostkey harvesting
    - Adding additional licensing headers
  * New upstream version 1.1.12 (LP: #1860142):
    - Adding support for Instance Metadata Service Version 2
    - Modifying cURL invocation to avoid need for eval
    - Cleaning up shellcheck catches
  * debian/install: Adjust for new upstream source layout
  * Suppress systemctl messages and ignore error in maintainer scripts
  * Bump compat level to 10

  [ LordAlfredo ]
  * Rely on debhelper to enable and start systemd service

 -- Balint Reczey <email address hidden> Mon, 10 Feb 2020 21:26:44 +0100

Changed in ec2-instance-connect (Ubuntu Xenial):
status: Fix Committed → Fix Released