Tighten permissions on root@ ssh with EC2/UEC images

Bug #798505 reported by Eric Hammond
This bug affects 1 person
Affects: cloud-init (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: none listed

Bug Description

Binary package hint: cloud-init

The EC2/UEC images currently allow users to ssh to root@ but do not give the user shell access. Instead, a helpful message is displayed to the user explaining they need to ssh to ubuntu@ and they are disconnected after 10 seconds.

This is done with the following prefix in /root/.ssh/authorized_keys:

  command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10" ssh-rsa ...

The goal here is to prevent the user from having any serious access at all through root@ and to just be a helpful pointer for people who assume all EC2 AMIs are set up to allow ssh to root@.

Users may change the ssh keys associated with /home/ubuntu/.ssh/authorized_keys and not know about or forget about the fact that there is some access also granted through /root/.ssh/authorized_keys.

The way that the /root/.ssh/authorized_keys file is currently implemented, an authorized user is blocked from shell access, but is granted some other permissions like doing port forwarding through the instance to anywhere that instance can connect. Hosts it connects to would also perceive the connection as coming from the instance.

These additional permissions should be blocked in /root/.ssh/authorized_keys by adding qualifiers like:

  no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty

These particular directives are based on best practices using subversion command= with ssh.

The resulting prefix would then look like:

  command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa ...

See the "command=" section in "man authorized_keys" for more details.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: cloud-init 0.6.1-0ubuntu8
ProcVersionSignature: User Name 2.6.38-8.42-virtual 2.6.38.2
Uname: Linux 2.6.38-8-virtual i686
Architecture: i386
Date: Fri Jun 17 02:08:02 2011
Ec2AMI: ami-06ad526f
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1d
Ec2InstanceType: m1.small
Ec2Kernel: aki-407d9529
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.6.1-0ubuntu9

---------------
cloud-init (0.6.1-0ubuntu9) oneiric; urgency=low

  * sync with trunk (rev 404)
  * make metadata urls configurable, to support eucalyptus in
    STATIC or SYSTEM modes (LP: #761847)
  * support disabling byobu in cloud-config (LP: #797336)
  * guarantee that ssh_config runs before sshd starts (LP: #781101)
  * make prefix for keys added to /root/.ssh/authorized_keys configurable
    and add 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
    to the default (LP: #798505)
  * make 'cloud-config ready' command configurable (LP: #785551)
  * make fstab fields used to 'fill in' shorthand mount entries configurable
    (LP: #785542)
  * read sshd_config to properly get path for authorized_keys (LP: #731849)
 -- Scott Moser <email address hidden> Fri, 17 Jun 2011 12:18:34 -0400

Changed in cloud-init (Ubuntu):
status: New → Fix Released
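
An audit of the kind this report motivates, as an added example that is not part of the bug report or of cloud-init: it parses the option field of authorized_keys lines, including the quoted `command="..."` value, and lists which of the four restrictions named in the description are absent from a forced-command entry. The sample lines and key material are constructed; the "released" line follows the changelog wording, and its option order is an assumption.

```python
# Added example, not cloud-init code. Option names are those on this page.
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")   # line starts with a key type
WANTED = ("no-port-forwarding", "no-agent-forwarding",
          "no-x11-forwarding", "no-pty")
MSG = r'''command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10"'''
THREE = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding"
KEY = " ssh-rsa AAAAconstructedkey user@example"   # constructed, not a real key
SAMPLES = {   # constructed lines built from the prefixes quoted in this report
    "original": MSG + KEY,
    "proposed": MSG + "," + THREE + ",no-pty" + KEY,
    "released": THREE + "," + MSG + KEY,   # option order is an assumption
}


def parse_options(line):
    """Return {option: value} for one authorized_keys line."""
    # The option field ends at the first whitespace outside double quotes.
    # Inside quotes, backslash-quote is a literal quote, so the spaces in
    # command="..." do not end the field.
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_PREFIXES):
        return {}
    line += " "                      # guarantees the last option is flushed
    opts, buf, quoted, i = {}, [], False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            buf.append('"')
            i += 1                   # skip the escaped quote as well
        elif c == '"':
            quoted = not quoted
        elif c in ", \t" and not quoted:
            name, _, value = "".join(buf).partition("=")
            opts[name.lower()] = value   # option keywords are case-insensitive
            buf = []
            if c != ",":
                break                # whitespace: key type and blob follow
        else:
            buf.append(c)
        i += 1
    return opts


def missing_restrictions(line):
    """List the WANTED options absent from a forced-command entry."""
    opts = parse_options(line)
    if "command" not in opts:
        return []                    # ordinary login key: out of scope here
    return [w for w in WANTED if w not in opts]
```

Calling `missing_restrictions()` on each line of a real /root/.ssh/authorized_keys gives a per-key report; an empty list means all four options are present.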