ssh keys not regenerated on first boot

Bug #507070 reported by Scott Moser
Affects            | Status       | Importance | Assigned to | Milestone
ec2-init (Ubuntu)  | Fix Released | High       | Unassigned  |
Lucid              | Fix Released | High       | Unassigned  |

Bug Description

Binary package hint: ec2-init

The ssh keys are not being regenerated on first boot in the current ec2/uec images.

Verify by launching 2 instances, and then sshing with:

ssh -i path-to-your-key -o CheckHostIP=no -o StrictHostKeyChecking=no \
  -o UserKnownHostsFile=my-knownhosts.txt ubuntu@<instance-public-hostname>

You'll see that my-knownhosts.txt has the same key for both new instances.

ProblemType: Bug
Architecture: amd64
Date: Wed Jan 13 16:50:23 2010
DistroRelease: Ubuntu 10.04
Ec2AMI: ami-e7f5de93
Ec2AMIManifest: ubuntu-images-testing-eu/ubuntu-lucid-daily-amd64-server-20100113.manifest.xml
Ec2AvailabilityZone: eu-west-1b
Ec2InstanceType: m1.large
Ec2Kernel: aki-97fdd6e3
Ec2Ramdisk: ari-e5f5de91
Package: ec2-init 0.5.0-0ubuntu3
PackageArchitecture: all
ProcEnviron:
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: User Name 2.6.32-301.4-ec2
SourcePackage: ec2-init
Tags: lucid ec2-images
Uname: Linux 2.6.32-301-ec2 x86_64
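The two-instance check above ends with a known_hosts file that has to be read by eye. As an added example that is not part of the bug report or of ec2-init, this POSIX shell script reports any host key that appears under more than one host in such a file; the sample known_hosts content, its hostnames and its key strings are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the bug report or from ec2-init: find host keys
# that are bound to more than one host in a known_hosts file, which is what the
# two-instance ssh test with -o UserKnownHostsFile=my-knownhosts.txt surfaces
# when the image ships a baked-in host key.

# Constructed sample known_hosts: two instances share one RSA key (the bug);
# the third has its own. Key material is placeholder text, not a real key.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# comment lines and blank lines are ignored
ec2-1-2-3-4.compute-1.amazonaws.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_SAMPLEKEY_ONE
ec2-5-6-7-8.compute-1.amazonaws.com,10.0.0.8 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_SAMPLEKEY_ONE

ec2-9-9-9-9.compute-1.amazonaws.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_SAMPLEKEY_TWO
EOF
}

# shared_host_keys FILE
# Prints one line per key that appears under more than one distinct host entry:
#   <keytype> <key> <number-of-host-entries> <entry-1>;<entry-2>;...
# Prints nothing when every host has its own key.
shared_host_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
        {
            off  = ($1 ~ /^@/) ? 1 : 0              # @cert-authority / @revoked marker
            host = $(1 + off)                       # host field (may hold comma aliases)
            key  = $(2 + off) " " $(3 + off)        # key type + base64 blob
            if (!(key in hosts)) { hosts[key] = host; n[key] = 1 }
            else if (index(";" hosts[key] ";", ";" host ";") == 0) {
                hosts[key] = hosts[key] ";" host
                n[key]++
            }
        }
        END { for (key in n) if (n[key] > 1) print key, n[key], hosts[key] }
    ' "$1"
}

# shared_key_count FILE: number of keys shared across hosts (0 means clean)
shared_key_count() {
    shared_host_keys "$1" | wc -l | tr -d ' '
}

SAMPLE_FILE=$(mktemp)
write_sample_known_hosts "$SAMPLE_FILE"
shared_host_keys "$SAMPLE_FILE"   # one line: the key shared by the first two hosts
rm -f "$SAMPLE_FILE"
```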

Scott Moser (smoser) wrote :
Changed in ec2-init (Ubuntu):
milestone: none → lucid-alpha-3
tags: added: iso-testing
Eric Hammond (esh) wrote :

I have confirmed that this is an issue for the latest daily Lucid AMI:

  ami-5936db30
  ubuntu-images-testing-us/ubuntu-lucid-daily-i386-server-20100113.manifest.xml

  ubuntu@domU-12-31-39-04-08-B2:~$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
  2048 15:46:e4:66:e3:60:b8:89:fe:d3:65:aa:7a:77:4e:cd /etc/ssh/ssh_host_rsa_key.pub (RSA)

  ubuntu@domU-12-31-39-04-08-65:~$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
  2048 15:46:e4:66:e3:60:b8:89:fe:d3:65:aa:7a:77:4e:cd /etc/ssh/ssh_host_rsa_key.pub (RSA)

I have confirmed that this is *not* an issue for the released Karmic AMI:

  ami-1515f67c
  ubuntu-images-us/ubuntu-karmic-9.10-i386-server-20091027.1.manifest.xml

  ubuntu@domU-12-31-39-02-60-41:~$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
  2048 33:d7:a2:7d:ba:96:b0:e3:d7:f2:2e:be:04:24:38:ed /etc/ssh/ssh_host_rsa_key.pub (RSA)

  ubuntu@domU-12-31-39-02-61-24:~$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
  2048 4e:e1:93:4c:31:9a:c8:f7:c7:f4:b0:6a:56:e1:97:78 /etc/ssh/ssh_host_rsa_key.pub (RSA)

I did not test the latest daily Karmic AMI, but that should be checked before new Karmic AMIs are released.

I set the importance to "High" since this effectively makes ssh unencrypted to a man-in-the-middle, which is a serious security issue for people who care about security. (Yes, I realize that most users don't check fingerprints on EC2, but it should at least be possible to be secure.)

Changed in ec2-init (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Scott Moser (smoser) wrote : Re: [Bug 507070] Re: ssh keys not regenerated on first boot

On Thu, 14 Jan 2010, Eric Hammond wrote:

> I have confirmed that this is an issue for the latest daily Lucid AMI:
..
> I have confirmed that this is *not* an issue for the released Karmic
..
> I did not test the latest daily Karmic AMI, but that should be checked
> before new Karmic AMIs are released.

You're right, it is only an issue with the 0.5.0 ec2-init. It will be
fixed for alpha3.

Scott Moser (smoser) wrote :

see linked branch above for a fix. please sponsor.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-init - 0.5.0-0ubuntu4

---------------
ec2-init (0.5.0-0ubuntu4) lucid; urgency=low

  * add an upstart job to get ssh keys regenerated and written
    to console (LP: #506599, LP: #507070)
 -- Scott Moser <email address hidden> Thu, 14 Jan 2010 13:10:55 -0500

Changed in ec2-init (Ubuntu Lucid):
status: Confirmed → Fix Released