[Bug 1860142] Re: Please update ec2-instance-connect to 1.1.12 release
Balint Reczey
balint.reczey at canonical.com
Thu Feb 27 17:35:56 UTC 2020
Verified maintainer script warning on all releases:
root@bb-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
#AuthorizedKeysCommandUser nobody
root@bb-proposed:~# apt install -qq ec2-instance-connect
The following package was automatically installed and is no longer required:
libfreetype6
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 76 not upgraded.
Need to get 12.6 kB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 36957 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~18.04.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~18.04.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
Job for ec2-instance-connect.service failed because the control process exited with error code.
See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is correct.
root@bb-proposed:~#
root@ee-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
#AuthorizedKeysCommandUser nobody
root@ee-proposed:~# apt install -qq ec2-instance-connect
The following packages were automatically installed and are no longer required:
command-not-found-data libdumbnet1 libidn11 libip4tc0 libip6tc0 multiarch-support
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 34 not upgraded.
Need to get 12.6 kB of archives.
After this operation, 57.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 32593 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~19.10.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
Job for ec2-instance-connect.service failed because the control process exited with error code.
See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is correct.
root@ee-proposed:~#
root@x-proposed:~# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /bin/false
root@x-proposed:~# apt install -qq ec2-instance-connect
The following package was automatically installed and is no longer required:
libfreetype6
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 56 not upgraded.
Need to get 12.5 kB of archives.
After this operation, 56.3 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 25741 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~16.04.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
Job for ec2-instance-connect.service failed because the control process exited with error code. See "systemctl status ec2-instance-connect.service" and "journalctl -xe" for details.
ec2-instance-connect.service couldn't start.
ERROR: Not restarting ssh because /etc/ssh/sshd_config already sets
ERROR: AuthorizedKeysCommand*, which is also set by
ERROR: /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.
Please restart ssh manually if the configuration is correct.
root@x-proposed:~#
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ec2-instance-connect in Ubuntu.
https://bugs.launchpad.net/bugs/1860142
Title:
Please update ec2-instance-connect to 1.1.12 release
Status in ec2-instance-connect package in Ubuntu:
Fix Released
Status in ec2-instance-connect source package in Xenial:
Fix Committed
Status in ec2-instance-connect source package in Bionic:
Fix Committed
Status in ec2-instance-connect source package in Disco:
Won't Fix
Status in ec2-instance-connect source package in Eoan:
Fix Committed
Bug description:
[Impact]
New upstream release of the package providing SSH access to instances;
available to any AWS users. The most notable new feature is supporting
Instance Metadata Service Version 2, but since the release included
a major rewrite which honored the Security Team's input, the package is
backported in full.
[Test Cases]
This is manually tested by Amazon:
0) Deploy an Amazon AWS instance with Instance Connect feature enabled
1) Install the previous version of the ec2-instance-connect package
2) Verify that the sshd process has been restarted with the changed command-line, now including "AuthorizedKeysCommand*" options.
3) Attempt to connect to the instance using an SSH key that is known by the Instance Connect service.
4) Upgrade to the new version of the package
5) Attempt to connect to the instance using an SSH key that is known by the Instance Connect service.
6) Purge the ec2-instance-connect package
7) Configure the instance to use IMDSv2
8) Install the new ec2-instance-connect again and verify that it is working again (steps 2 and 3)
[Regression Potential]
Limited to SSH access on instances where the package gets installed. This package will be installed by default for a new service called "Instance Connect" provided to AWS customers. In the case of an issue, things to watch out for would be for some keys to not be usable to connect to the instance when they are expected to be, as the list of authorized keys is collated by the service to include both the usual authorized_keys contents, as well as keys provided by the Instance Connect service.
The package upgrade is covered in the test case.
[Other Info]
The source difference for the SRUs contains a lot of extra files because the source now contains almost the full upstream tarball, but the difference between the binary packages is still minimal and it may be easier to review that difference.
Disco SRU is skipped because it goes EOL before the aging of the
package would finish.
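
A pre-install check for the condition the maintainer script warns about above, as an added example (not the package's own maintainer script). The function names are hypothetical and the sample file is constructed; it lists uncommented AuthorizedKeysCommand* directives so an admin can see the conflict before the package refuses to restart ssh.

```shell
#!/bin/sh
# Added example: report uncommented AuthorizedKeysCommand* directives in an
# sshd_config-style file. Keywords are matched case-insensitively, as sshd does.
active_akc_directives() {
    # $1: path to the config file to inspect
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # drop leading whitespace
            if (line == "" || line ~ /^#/) next      # skip blanks and comments
            split(line, f, /[ \t=]+/)                # keyword ends at space or "="
            if (tolower(f[1]) ~ /^authorizedkeyscommand(user)?$/)
                printf "%d:%s\n", NR, line           # line number and directive
        }' "$1"
}

# Returns 0 when the file already sets AuthorizedKeysCommand*, i.e. the case
# in which the install log above says ssh is not restarted; 1 otherwise.
akc_conflict() {
    [ -n "$(active_akc_directives "$1")" ]
}

# Constructed sample mirroring the grep output in the verification log.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host config
PermitRootLogin no
AuthorizedKeysCommand /bin/false
#AuthorizedKeysCommandUser nobody
EOF

if akc_conflict "$sample"; then
    echo "conflict: file already sets:"
    active_akc_directives "$sample"
else
    echo "no active AuthorizedKeysCommand* directive found"
fi
rm -f "$sample"
```

On a real host, pass /etc/ssh/sshd_config as the argument; the commented-out AuthorizedKeysCommandUser line is ignored, so only the active /bin/false entry is reported.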