Please ship ec2-instance-connect.conf instead of creating it in postinst

Bug #1861909 reported by Balint Reczey
Affects                        Status        Importance  Assigned to  Milestone
ec2-instance-connect (Ubuntu)  Fix Released  Undecided   Unassigned
  Xenial                       Fix Released  Undecided   Unassigned
  Bionic                       Fix Released  Undecided   Unassigned
  Eoan                         Fix Released  Undecided   Unassigned

Bug Description

[Impact]

 * The ssh.service drop-in is placed and removed in maintainer scripts based on the current ssh configuration checks which are incomplete. The drop-in is also not owned by the package.

[Test Case]

 * Install the fixed package. The drop-in should be listed among the package's files:
$ dpkg -L ec2-instance-connect
...
/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
...

* Upgrade package from previous version. The drop-in should replace the old one.

* Change /etc/ssh/sshd_config to set AuthorizedKeysCommand, then install the fixed package. A warning should appear and sshd should not be restarted by the package's maintainer scripts.

[Regression Potential]

* The change is made to make installation and upgrades more reliable. The test cases check package installs and upgrades where regressions could happen due to implementation mistakes.
* The unfixed version of the package did not place the drop-in when it detected AuthorizedKeysCommand being set in sshd_config, while the fixed version installs the drop-in but does not restart the ssh service. This can block users from logging in via ssh if only the sshd_config AuthorizedKeysCommand configuration enabled their login and the ssh service got restarted after installing/upgrading ec2-instance-connect.
This is a known change in behavior and is mitigated by showing a warning when this potentially problematic configuration is detected. It is also worth noting that in case the drop-in overrides the configuration in sshd_config it is still possible to log in via EC2 Instance Connect, the login method the package enables.
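The check behind the test case and the regression note above, as an added example that is not the package's own maintainer script: it scans an sshd_config for an active AuthorizedKeysCommand* directive and, mirroring the warning text in the verification transcript later in this bug, reports whether sshd may be restarted or the admin must be warned. The file names under the temporary directory and the function names are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not the ec2-instance-connect postinst: decide whether the
# package may restart sshd after shipping its ssh.service drop-in.

# Return 0 if the given sshd_config sets any AuthorizedKeysCommand* directive
# on an uncommented line. sshd keywords are case-insensitive, hence -i.
# Like a plain grep, this does not follow Include directives (newer sshd).
sshd_config_sets_akc() {
    grep -Eiq '^[[:space:]]*AuthorizedKeysCommand' "$1"
}

# Print "restart" when sshd can safely be restarted by the package, or
# "warn" (with the warning on stderr) when the config already sets the
# directive that the drop-in also sets.
plan_ssh_restart() {
    config="$1"
    dropin="$2"
    if sshd_config_sets_akc "$config"; then
        echo "ERROR: Not restarting ssh because $config already sets" >&2
        echo "ERROR: AuthorizedKeysCommand*, which is also set by" >&2
        echo "ERROR: $dropin." >&2
        echo "Please restart ssh manually if the configuration is correct." >&2
        echo warn
    else
        echo restart
    fi
}

# Constructed sample configs so the script runs stand-alone.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
DROPIN=/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf

# Only commented-out directives: the package may restart sshd.
printf '%s\n' 'Port 22' '#AuthorizedKeysCommand /usr/bin/old-helper' \
    '#AuthorizedKeysCommandUser nobody' > "$demo_dir/clean_config"

# Active directive, as in the verification transcript in this bug.
printf '%s\n' 'AuthorizedKeysCommand /bin/false' \
    '#AuthorizedKeysCommandUser nobody' > "$demo_dir/conflict_config"

plan_ssh_restart "$demo_dir/clean_config" "$DROPIN"     # restart
plan_ssh_restart "$demo_dir/conflict_config" "$DROPIN"  # warn
```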

[Other Info]

Balint Reczey (rbalint)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-instance-connect - 1.1.12+dfsg1-0ubuntu2

---------------
ec2-instance-connect (1.1.12+dfsg1-0ubuntu2) focal; urgency=medium

  * Ship ssh.service drop-in instead of handling placement in maintainer scripts
    (LP: #1861909)

 -- Balint Reczey <email address hidden> Tue, 04 Feb 2020 18:39:50 +0100

Changed in ec2-instance-connect (Ubuntu):
status: New → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Balint, or anyone else affected,

Accepted ec2-instance-connect into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.12+dfsg1-0ubuntu3~19.10.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ec2-instance-connect (Ubuntu Eoan):
status: New → Fix Committed
tags: added: verification-needed verification-needed-eoan
Łukasz Zemczak (sil2100) wrote :

Hello Balint, or anyone else affected,

Accepted ec2-instance-connect into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.12+dfsg1-0ubuntu3~18.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ec2-instance-connect (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Balint, or anyone else affected,

Accepted ec2-instance-connect into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.12+dfsg1-0ubuntu3~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ec2-instance-connect (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Balint Reczey (rbalint) wrote :

Verified on Bionic:

ubuntu@ip-172-31-42-192:~$ dpkg -l ec2-instance-connect
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================-=======================-=======================-================================================================================
ii ec2-instance-connect 1.1.12+dfsg1-0ubuntu3~1 all Configures ssh daemon to accept EC2 Instance Connect ssh keys
ubuntu@ip-172-31-42-192:~$ dpkg -L ec2-instance-connect | grep conf
/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
ubuntu@ip-172-31-42-192:~$

tags: added: verification-done-bionic
removed: verification-needed-bionic
Balint Reczey (rbalint) wrote :

Verified on Eoan:

root@ee-proposed:~# dpkg -l ec2-instance-connect
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================-=============================-============-=============================================================
ii ec2-instance-connect 1.1.12+dfsg1-0ubuntu3~19.10.0 all Configures ssh daemon to accept EC2 Instance Connect ssh keys
root@ee-proposed:~# dpkg -L ec2-instance-connect | grep conf
/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
root@ee-proposed:~#

Balint Reczey (rbalint) wrote :

Verified on Xenial:

root@x-proposed:~# dpkg -l ec2-instance-connect | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================-=============================-============-=============================================================
ii ec2-instance-connect 1.1.12+dfsg1-0ubuntu3~16.04.0 all Configures ssh daemon to accept EC2 Instance Connect ssh keys
root@x-proposed:~# dpkg -L ec2-instance-connect | grep conf
/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf

tags: added: verification-done verification-done-eoan verification-done-xenial
removed: verification-needed verification-needed-eoan verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

I assume a full verification has been done here, along with the upgrade scenario and change of /etc/ssh/sshd_config ?

Balint Reczey (rbalint) wrote :

@sil2100 Oh, no, I've missed that! Thanks for catching that!

tags: added: one one-eoan verification-dverification-needed-bionic verification-needed verification-needed-bionic verification-needed-xenial
removed: verification-done verification-done-bionic
Balint Reczey (rbalint) wrote :

Verified maintainer script warning on all releases:

root@bb-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
#AuthorizedKeysCommandUser nobody
root@bb-proposed:~# apt install -qq ec2-instance-connect
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 76 not upgraded.
Need to get 12.6 kB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 36957 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~18.04.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
Job for ec2-instance-connect.service failed because the control process exited with error code.
See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is correct.
root@bb-proposed:~#

root@ee-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
#AuthorizedKeysCommandUser nobody
root@ee-proposed:~# apt install -qq ec2-instance-connect
The following packages were automatically installed and are no longer required:
  command-not-found-data libdumbnet1 libidn11 libip4tc0 libip6tc0 multiarch-support
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 34 not upgraded.
Need to get 12.6 kB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 32593 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~19.10.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
Job for ec2-instance-connect.service failed because the control process exited with error code.
See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is correct.
root...

tags: added: verification-done verification-done-bionic
removed: one one-eoan verification-dverification-needed-bionic verification-needed verification-needed-bionic verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-instance-connect - 1.1.12+dfsg1-0ubuntu3~19.10.0

---------------
ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) eoan; urgency=medium

  * Rebuild for Eoan

ec2-instance-connect (1.1.12+dfsg1-0ubuntu3) focal; urgency=medium

  * debian/preinst: Don't remove ec2-instance-connect.conf manually on upgrade
  * debian/prerm: Drop obsolete file

ec2-instance-connect (1.1.12+dfsg1-0ubuntu2) focal; urgency=medium

  * Ship ssh.service drop-in instead of handling placement in maintainer scripts
    (LP: #1861909)

ec2-instance-connect (1.1.12+dfsg1-0ubuntu1) focal; urgency=medium

  [ Balint Reczey ]
  * New upstream version 1.1.11:
    - Removing errant write to /tmp
    - Cleaning up bad bash practices, including umask race condition
    - Fix for an update to openssl (or dependencies) affecting behavior
      of CApath option on openssl verify
    - Fixing Nitro behavior of hostkey harvesting
    - Adding additional licensing headers
  * New upstream version 1.1.12 (LP: #1860142):
    - Adding support for Instance Metadata Service Version 2
    - Modifying cURL invocation to avoid need for eval
    - Cleaning up shellcheck catches
  * debian/install: Adjust for new upstream source layout
  * Suppress systemctl messages and ignore error in maintainer scripts
  * Bump compat level to 10

  [ LordAlfredo ]
  * Rely on debhelper to enable and start systemd service

 -- Balint Reczey <email address hidden> Mon, 10 Feb 2020 21:26:44 +0100

Changed in ec2-instance-connect (Ubuntu Eoan):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for ec2-instance-connect has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-instance-connect - 1.1.12+dfsg1-0ubuntu3~18.04.0

---------------
ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) bionic; urgency=medium

  * Rebuild for Bionic

 -- Balint Reczey <email address hidden> Mon, 10 Feb 2020 21:26:44 +0100

Changed in ec2-instance-connect (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-instance-connect - 1.1.12+dfsg1-0ubuntu3~16.04.0

---------------
ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) xenial; urgency=medium

  * Rebuild for Xenial

 -- Balint Reczey <email address hidden> Mon, 10 Feb 2020 21:26:44 +0100

Changed in ec2-instance-connect (Ubuntu Xenial):
status: Fix Committed → Fix Released