ec2: ssh public key fingerprint in console output does not match EC2 standards
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ec2-init (Ubuntu) | Fix Released | Low | Scott Moser | |
| Karmic | Fix Released | Low | Scott Moser | |
Bug Description
Binary package hint: ec2-init
ami-9733d0fe
ubuntu-
The Canonical images look like they are trying to match the ssh host key output in the console log using the format as set by Amazon which has become the defacto standard.
Here is the current format in Amazon's Fedora 8 AMI when console output is requested:
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 a6:7f:6a:a5:8a:7c:26:45:46:ca:d9:d9:8c:f2:64:27 /etc/ssh/ssh_host_key.pub
ec2: 2048 b6:57:b7:52:4e:36:94:ab:9c:ec:a1:b3:56:71:80:e0 /etc/ssh/ssh_host_rsa_key.pub
ec2: 1024 62:47:49:82:83:9a:d8:1d:b8:c6:8f:dd:4d:d8:9a:2e /etc/ssh/ssh_host_dsa_key.pub
ec2: -----END SSH HOST KEY FINGERPRINTS-----
Here is the current format in the above Ubuntu AMI when console output is requested:
-----BEGIN SSH HOST KEY FINGERPRINTS-----
2048 2e:68:49:26:49:07:67:31:f1:33:92:18:09:c3:6a:ae /etc/ssh/ssh_host_rsa_key.pub (RSA)
1024 4b:99:0e:4a:a4:3e:b4:e5:ef:42:5e:43:07:93:91:a0 /etc/ssh/ssh_host_dsa_key.pub (DSA)
-----END SSH HOST KEY FINGERPRINTS-----
Note the lack of "ec2: " in front of each line as well as the (RSA) and (DSA) appended.
Consider matching the Amazon standard format exactly so that tools which have been written to check the ssh host key for security would not need to be modified to also support a different format in the Canonical images.
The older (April) images from Canonical used to have the "ec2: " in the console output, so it looks like this was a more recent change.
ProblemType: Bug
Architecture: i386
Date: Thu Oct 22 21:30:29 2009
DistroRelease: Ubuntu 9.10
Ec2AMI: ami-9733d0fe
Ec2AMIManifest: ubuntu-
Ec2Availability
Ec2InstanceType: m1.small
Ec2Kernel: aki-f9c52690
Ec2Ramdisk: ari-9b33d0f2
Package: ec2-init 0.4.999-0ubuntu5
PackageArchitec
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: ec2-init
Tags: ec2-images
Uname: Linux 2.6.31-302-ec2 i686
Changed in ec2-init (Ubuntu Karmic):
status: Triaged → In Progress
assignee: nobody → Scott Moser (smoser)
Changed in ec2-init (Ubuntu Karmic):
milestone: none → ubuntu-9.10
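The report's concern is that tools which verify an instance's SSH host key against the fingerprints it wrote to the console break when the layout changes. As an added example (not part of the bug report and not ec2-init code), here is a small Python checker of that kind that tolerates both layouts: the Amazon-style "ec2: " prefix and the Ubuntu-style "(RSA)"/"(DSA)" suffix. The console text is sample input assembled from the excerpts in the report plus constructed boot-noise lines; all function and constant names are the example's own.

```python
import re
from typing import List, NamedTuple

# Sample console output. The fingerprint blocks mirror the two excerpts quoted
# in the bug report; the lines around them are constructed filler.
AMAZON_STYLE_CONSOLE = """\
Starting sshd: [ OK ]
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 a6:7f:6a:a5:8a:7c:26:45:46:ca:d9:d9:8c:f2:64:27 /etc/ssh/ssh_host_key.pub
ec2: 2048 b6:57:b7:52:4e:36:94:ab:9c:ec:a1:b3:56:71:80:e0 /etc/ssh/ssh_host_rsa_key.pub
ec2: 1024 62:47:49:82:83:9a:d8:1d:b8:c6:8f:dd:4d:d8:9a:2e /etc/ssh/ssh_host_dsa_key.pub
ec2: -----END SSH HOST KEY FINGERPRINTS-----
"""

UBUNTU_STYLE_CONSOLE = """\
 * Starting OpenBSD Secure Shell server sshd
-----BEGIN SSH HOST KEY FINGERPRINTS-----
2048 2e:68:49:26:49:07:67:31:f1:33:92:18:09:c3:6a:ae /etc/ssh/ssh_host_rsa_key.pub (RSA)
1024 4b:99:0e:4a:a4:3e:b4:e5:ef:42:5e:43:07:93:91:a0 /etc/ssh/ssh_host_dsa_key.pub (DSA)
-----END SSH HOST KEY FINGERPRINTS-----
"""

BEGIN = "-----BEGIN SSH HOST KEY FINGERPRINTS-----"
END = "-----END SSH HOST KEY FINGERPRINTS-----"
PREFIX = "ec2: "

# One ssh-keygen -l line: bits, 16 colon-separated hex bytes (MD5 fingerprint),
# the key file path, and an optional "(TYPE)" suffix as newer ssh-keygen prints.
LINE_RE = re.compile(
    r"^(?P<bits>\d+)\s+(?P<fp>(?:[0-9a-f]{2}:){15}[0-9a-f]{2})\s+(?P<path>\S+)"
    r"(?:\s+\((?P<type>[A-Z0-9]+)\))?\s*$"
)


class HostKeyFingerprint(NamedTuple):
    bits: int
    fingerprint: str
    path: str
    key_type: str  # from the "(RSA)" suffix when present, else derived from the path


def _strip_prefix(line: str) -> str:
    line = line.rstrip("\r\n")
    return line[len(PREFIX):] if line.startswith(PREFIX) else line


def _type_from_path(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    for t in ("rsa", "dsa"):
        if f"_{t}_" in name:
            return t.upper()
    # ssh_host_key.pub is the protocol-1 key, which ssh-keygen calls RSA1
    return "RSA1" if name == "ssh_host_key.pub" else "UNKNOWN"


def parse_console_fingerprints(console: str) -> List[HostKeyFingerprint]:
    """Extract the fingerprint block from raw console output, accepting both
    the "ec2: "-prefixed layout and the unprefixed one. Raises ValueError if
    there is no block or a line inside it does not parse."""
    found: List[HostKeyFingerprint] = []
    inside = False
    for raw in console.splitlines():
        line = _strip_prefix(raw)
        if line == BEGIN:
            inside = True
            continue
        if line == END:
            break
        if not inside:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable fingerprint line: {raw!r}")
        key_type = m.group("type") or _type_from_path(m.group("path"))
        found.append(HostKeyFingerprint(int(m.group("bits")), m.group("fp"),
                                        m.group("path"), key_type))
    if not inside:
        raise ValueError("no fingerprint block in console output")
    return found


def host_key_matches(console: str, presented_fingerprint: str) -> bool:
    """True iff the fingerprint ssh presented on first connect is one of those
    the instance itself wrote to its console, i.e. no one is sitting in the
    middle of the connection."""
    wanted = presented_fingerprint.strip().lower()
    return any(fp.fingerprint == wanted for fp in parse_console_fingerprints(console))
```

The checker accepts the MD5 colon form that ssh-keygen printed at the time of the report; current OpenSSH shows SHA256 fingerprints by default, so a client-side comparison against this block would use `ssh-keygen -l -E md5` on the offered key. A missing block is treated as an error rather than a silent "no match", since an instance that printed nothing is exactly the case where a verifier should stop and ask.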
On Thu, 22 Oct 2009, Eric Hammond wrote:
> Here is the current format in Amazon's Fedora 8 AMI when console output
> is requested:
>
> ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
> ec2: 2048 a6:7f:6a:a5:8a:7c:26:45:46:ca:d9:d9:8c:f2:64:27 /etc/ssh/ssh_host_key.pub
> ec2: 2048 b6:57:b7:52:4e:36:94:ab:9c:ec:a1:b3:56:71:80:e0 /etc/ssh/ssh_host_rsa_key.pub
> ec2: 1024 62:47:49:82:83:9a:d8:1d:b8:c6:8f:dd:4d:d8:9a:2e /etc/ssh/ssh_host_dsa_key.pub
> ec2: -----END SSH HOST KEY FINGERPRINTS-----
>
> Here is the current format in the above Ubuntu AMI when console output
> is requested:
>
> -----BEGIN SSH HOST KEY FINGERPRINTS-----
> 2048 2e:68:49:26:49:07:67:31:f1:33:92:18:09:c3:6a:ae /etc/ssh/ssh_host_rsa_key.pub (RSA)
> 1024 4b:99:0e:4a:a4:3e:b4:e5:ef:42:5e:43:07:93:91:a0 /etc/ssh/ssh_host_dsa_key.pub (DSA)
> -----END SSH HOST KEY FINGERPRINTS-----
>
> Note the lack of "ec2: " in front of each line as well as the (RSA) and
> (DSA) appended.
For "(RSA)" or "(DSA)", I'm guessing this is a change in ssh-keygen
versions that did this. The output you see is simply from
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
For "ec2:", that used to get to the console because we sent the output of
the above ssh-keygen through 'logger -s -t ec2'. In bug 451881 I changed
that to go directly to /dev/console.
ssh-keygen -> logger -s ec2 produced "ec2:" prefixed text to stderr. In
the beta, stderr and stdout of the sysvinit scripts went to /dev/console
(and thus to logs).
Upstart changed the behavior, putting stdout and stderr to /dev/null (or
somewhere not the console), to reach the goal of "no console output in
boot".
I saw at least the following options for fixing this:
a.) configure syslog to log to /dev/console, and send output to it via
'logger'
b.) write directly to /dev/console (via tee), keeping info going to
syslog through tee. Ie:
regenerate_ssh_host_keys 2>&1 | tee /dev/console | logger -p user.info -s -t "ec2"
I decided against 'a' because that isn't how we had things configured
before. It would absolutely result in *more* text going to console, and
at this point I wanted to have the smallest set of changes. Also, we have
no guarantee that rsyslog will even be up at the point at which ec2-init
runs. I decided to write to /dev/console to be sure to get the text
there.
I now see that we can get the 'ec2:' prefix back by switching the order:
regenerate_ssh_host_keys 2>&1 | logger -p user.info -s -t "ec2" 2>&1 | tee /dev/console
I've verified that logger will copy input to output even if rsyslog is
not up. So, I think the above change would be good to get us 'ec2:'
back.
Regarding '(RSA)' or '(DSA)', I think that's something we live with.