[Bug 1861909] Re: Please ship ec2-instance-connect.conf instead of creating it in postinst

Balint Reczey balint.reczey at canonical.com
Thu Feb 27 17:36:51 UTC 2020


Verified maintainer script warning on all releases:

root@bb-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
#AuthorizedKeysCommandUser nobody
root@bb-proposed:~# apt install -qq ec2-instance-connect
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 76 not upgraded.
Need to get 12.6 kB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 36957 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~18.04.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
Job for ec2-instance-connect.service failed because the control process exited with error code.
See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is correct.
root@bb-proposed:~#

root@ee-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
#AuthorizedKeysCommandUser nobody
root@ee-proposed:~# apt install -qq ec2-instance-connect
The following packages were automatically installed and are no longer required:
  command-not-found-data libdumbnet1 libidn11 libip4tc0 libip6tc0 multiarch-support
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 34 not upgraded.
Need to get 12.6 kB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 32593 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~19.10.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
Job for ec2-instance-connect.service failed because the control process exited with error code.
See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is correct.
root@ee-proposed:~#

root@x-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
root@x-proposed:~# apt install -qq ec2-instance-connect
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 56 not upgraded.
Need to get 12.5 kB of archives.
After this operation, 56.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 25741 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~16.04.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
Job for ec2-instance-connect.service failed because the control process exited with error code. See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ec2-instance-connect.service couldn't start.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is correct.
root@x-proposed:~#


** Tags removed: one one-eoan verification-dverification-needed-bionic verification-needed verification-needed-bionic verification-needed-xenial
** Tags added: verification-done verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ec2-instance-connect in Ubuntu.
https://bugs.launchpad.net/bugs/1861909

Title:
  Please ship ec2-instance-connect.conf instead of creating it in
  postinst

Status in ec2-instance-connect package in Ubuntu:
  Fix Released
Status in ec2-instance-connect source package in Xenial:
  Fix Committed
Status in ec2-instance-connect source package in Bionic:
  Fix Committed
Status in ec2-instance-connect source package in Eoan:
  Fix Committed

Bug description:
  [Impact]

   * The ssh.service drop-in is placed and removed in maintainer scripts
  based on the current ssh configuration checks which are incomplete.
  The drop-in is also not owned by the package.

  [Test Case]

   * Install the fixed package. The drop-in should be listed among the package's files:
  $ dpkg -L ec2-instance-connect 
  ...
  /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
  ...

  * Upgrade package from previous version. The drop-in should replace
  the old one.

  * Change /etc/ssh/sshd_config to set AuthorizedKeysCommand
    Install the fixed package. A warning should appear and sshd should not be restarted by the package's maintainer scripts.

  [Regression Potential]

  * The change is made to make installation and upgrades more reliable. The test cases check package installs and upgrades where regressions could happen due to implementation mistakes.
  * The unfixed version of the package did not place the drop-in when it detected that AuthorizedKeysCommand was set in sshd_config, while the fixed version installs the drop-in but does not restart the ssh service. This can block users from logging in via ssh if only sshd_config's AuthorizedKeysCommand configuration enabled their login and the ssh service got restarted after installing/upgrading ec2-instance-connect.
  This is a known change in behavior and is mitigated by showing a warning when this potentially problematic configuration is detected. It is also worth noting that in case the drop-in overrides the configuration in sshd_config, it is still possible to log in via EC2 Instance Connect, the login method the package enables.

  [Other Info]

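The third test case above (an sshd_config that already sets AuthorizedKeysCommand) can be checked for before installing or restarting ssh. The sketch below is an added example, not the package's maintainer script; the function names akc_lines and safe_to_restart_ssh are hypothetical, the sample files are constructed, and it reads only the one file it is given without following Include directives.

```shell
#!/bin/sh
# Added example, not the ec2-instance-connect postinst.

# akc_lines FILE: print "lineno:line" for every active (uncommented)
# AuthorizedKeysCommand or AuthorizedKeysCommandUser directive in FILE.
akc_lines() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # leading whitespace is ignored
            if (line == "" || line ~ /^#/) next
            key = line
            sub(/[ \t=].*$/, "", key)        # keyword ends at whitespace or "="
            k = tolower(key)                 # sshd keywords are case-insensitive
            if (k == "authorizedkeyscommand" || k == "authorizedkeyscommanduser")
                printf "%d:%s\n", NR, line
        }
    ' "$1"
}

# safe_to_restart_ssh FILE: succeed only if FILE sets neither directive.
safe_to_restart_ssh() {
    [ -z "$(akc_lines "$1")" ]
}

# Constructed sample files mirroring the verification above.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'AuthorizedKeysCommand /bin/false' \
                  '#AuthorizedKeysCommandUser nobody' > "$tmp/conflict"
    printf '%s\n' '#AuthorizedKeysCommand none' \
                  'PasswordAuthentication no' > "$tmp/clean"
    for f in conflict clean; do
        if safe_to_restart_ssh "$tmp/$f"; then
            echo "$f: no AuthorizedKeysCommand* set, restart is safe"
        else
            echo "$f: review these lines before restarting ssh:"
            akc_lines "$tmp/$f" | sed 's/^/  /'
        fi
    done
    rm -rf "$tmp"
}
demo
```

On a real host, pass /etc/ssh/sshd_config to akc_lines and review any reported line before restarting the ssh service.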