ec2-fetch-credentials lists "ubuntu" user in root authorized_keys even if ec2-config.cfg specifies another

Bug #506981 reported by Eric Hammond
This bug affects 1 person
Affects: ec2-init (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Scott Moser

Bug Description

Binary package hint: ec2-init

When building a new EC2 AMI using either vmbuilder or a pre-built Canonical image, there are a couple options which can be tweaked in the /etc/ec2-init/ec2-config.cfg file. One of these options is "user" which defaults to "ubuntu".

When the "user" is set to another username, say "bilbo", then ec2-fetch-credentials correctly installs the authorized_keys in the bilbo home .ssh directory on first boot.

However, when you ssh to root@ the new EC2 instance, you always get the message:

  Please login as the ubuntu user rather than root user.

This message should be customized in ec2-fetch-credentials so that it uses the same username as was specified in the config file, i.e.,

  Please login as the bilbo user rather than root user.

While you're on this line of code, it might be nice to make the use of "the" consistent and perhaps even add quotes to reduce confusion about odd usernames. Proposal:

  Please login as the user "bilbo" rather than the user "root".

ProblemType: Bug
Architecture: i386
Date: Wed Jan 13 09:33:17 2010
DistroRelease: Ubuntu 9.10
Ec2AMI: ami-1515f67c
Ec2AMIManifest: ubuntu-images-us/ubuntu-karmic-9.10-i386-server-20091027.1.manifest.xml
Ec2AvailabilityZone: us-east-1a
Ec2InstanceType: m1.small
Ec2Kernel: aki-5f15f636
Ec2Ramdisk: ari-0915f660
Package: ec2-init 0.4.999-0ubuntu7
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: User Name 2.6.31-302.7-ec2
SourcePackage: ec2-init
Tags: ec2-images
Uname: Linux 2.6.31-302-ec2 i686

Scott Moser (smoser) wrote :

> When the "user" is set to another username, say "bilbo", then
> ec2-fetch-credentials correctly installs the authorized_keys in the bilbo
> home .ssh directory on first boot.
>
> However, when you ssh to root@ the new EC2 instance, you always get the
> message:
>
> Please login as the ubuntu user rather than root user.

Hmm... That could be fixed, but I wonder if in general this is a bad idea.
The message informs an attacker of a valid user on the system.

Eric Hammond (esh) wrote :

Scott: Fair point. Perhaps if it is not "ubuntu", then we assume the AMI builder knows what they are doing and we completely disable root ssh by not updating /root/.ssh/authorized_keys (assuming root really is disabled in the config). I still think it's a bug that it points the user to "ubuntu" when that account does not exist.

Scott Moser (smoser) wrote : Re: [Bug 506981] Re: ec2-fetch-credentials lists "ubuntu" user in root authorized_keys even if ec2-config.cfg specifies another

On Wed, 13 Jan 2010, Eric Hammond wrote:

> Scott: Fair point. Perhaps if it is not "ubuntu", then we assume the
> AMI builder knows what they are doing and we completely disable root ssh
> by not updating /root/.ssh/authorized_keys (assuming root really is
> disabled in the config). I still think it's a bug that it points the
> user to "ubuntu" when that account does not exist.

What about changing the message to always say "try logging in with the
configured user per your documentation" ? Ie, never give an 'ubuntu'
hint.

Eric Hammond (esh) wrote : Re: [Bug 506981] Re: ec2-fetch-credentials lists "ubuntu" user in root authorized_keys even if ec2-config.cfg specifies another

On second thought, you only get this notice if you are able to ssh to the root account with the correct private ssh key, so it's not much of a security risk to point out the username at that point.

I have seen the "ubuntu" user message help new users of the Ubuntu AMIs, so I would keep that information.

If they've reconfigured the username, then it's fine to remind them of it, or simply to return a rejection on root@, even though they're using the right ssh key. I don't even have a preference. Probably just do whatever is easiest to implement.

Scott Moser (smoser) wrote :

This is fixed in ec2-init 0.5.1

Changed in ec2-init (Ubuntu):
assignee: nobody → Scott Moser (smoser)
importance: Undecided → Low
status: New → Fix Released
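
The three behaviours discussed in this thread (name the configured user, give a generic message, or install no root key at all), as an added example that is not ec2-init's own code. The function name, the policy names, the username pattern, the generic wording and the `sleep 10` are assumptions; the `command=` and `no-*-forwarding` options are standard sshd authorized_keys options.

```python
import re
import shlex

# Standard sshd authorized_keys restrictions for a key that must not
# yield a usable root session.
RESTRICT_OPTS = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding"

# Assumption: a conservative login-name pattern, so quotes, spaces and
# shell metacharacters never reach the forced command.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Constructed sample key, not a real one.
SAMPLE_KEY = "ssh-ed25519 AAAA-CONSTRUCTED-PLACEHOLDER demo@example"


def root_key_entries(pubkeys, user="ubuntu", policy="hint"):
    """Build the lines for /root/.ssh/authorized_keys.

    policy "hint" names the configured user, "generic" names no account,
    "omit" installs no key for root at all.
    """
    if policy == "omit":
        return []
    if policy == "hint":
        if not USERNAME_RE.fullmatch(user):
            raise ValueError("unsafe username: %r" % (user,))
        msg = 'Please login as the user "%s" rather than the user "root".' % user
    elif policy == "generic":
        msg = 'Please login as the configured user rather than the user "root".'
    else:
        raise ValueError("unknown policy: %r" % (policy,))

    # The forced command runs in the account's shell, so quote the message
    # for the shell first, then escape double quotes for sshd's option parser.
    shell_cmd = "echo %s; echo; sleep 10" % shlex.quote(msg)
    option = 'command="%s"' % shell_cmd.replace('"', '\\"')

    entries = []
    for key in pubkeys:
        key = key.strip()
        # A key holding a line break would smuggle in a second,
        # unrestricted authorized_keys entry.
        if not key or "\n" in key or "\r" in key:
            raise ValueError("malformed public key")
        entries.append("%s,%s %s" % (RESTRICT_OPTS, option, key))
    return entries
```
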
ProRunner (mrprorunner) wrote :

I second the idea of adding the quotes to the username. The present warning makes very little sense to the person unfamiliar with Linux, like me.

  Please login as the "ubuntu" user rather than "root" user.

I spent a good half an hour trying to find what I should do to log in to the system.

I'm sure it affects many people as Amazon Console currently says to login as "root" user after launching Ubuntu instance.

Eric Hammond (esh) wrote :

ProRunner: You are adding a comment to a closed ticket, so there is likely no action going to be taken on it.

I have created bug #672417 to which you are welcome to subscribe.

ProRunner (mrprorunner) wrote :

Eric Hammond: Thank you. Commenting on the closed ticket turned out to be the best way to open the new, right and detailed one :)

Eric Hammond (esh) wrote :

ProRunner: Is there an emoticon for sticking your tongue out at somebody? :)
