[Bug 1973114] Re: Key trust verification fails on Ubuntu 22.04

Fabio Augusto Miranda Martins 1973114 at bugs.launchpad.net
Fri May 13 14:19:32 UTC 2022


I also tested with mssh to make sure it works well:

When running ec2-instance-connect 1.1.14-0ubuntu1 (from Jammy) and
trying to connect with mssh:

fabio@fabio-canonical:~/.aws$ mssh ubuntu@i-0af3232b4fb6ed642
ubuntu@3.91.56.142: Permission denied (publickey).

Due to the bug, we can see the key being pushed, but then the client
denying the connection:

https://pastebin.ubuntu.com/p/7StqsfQdJp/

Back in the instance, I've changed the sources.list to point to kinetic
repos and upgraded ec2-instance-connect to kinetic's version:

ubuntu@ip-10-0-1-226:~$ sudo apt-cache policy ec2-instance-connect
ec2-instance-connect:
  Installed: 1.1.14-0ubuntu2
  Candidate: 1.1.14-0ubuntu2
  Version table:
 *** 1.1.14-0ubuntu2 500
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
        100 /var/lib/dpkg/status


And now mssh works fine:

fabio@fabio-canonical:~/.aws$ mssh ubuntu@i-0af3232b4fb6ed642
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-1004-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri May 13 14:16:20 UTC 2022

  System load:  0.2421875         Processes:             128
  Usage of /:   21.1% of 7.58GB   Users logged in:       1
  Memory usage: 1%                IPv4 address for eth0: 10.0.1.226
  Swap usage:   0%


74 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


Last login: Fri May 13 13:47:05 2022 from 189.19.160.174
ubuntu@ip-10-0-1-226:~$

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ec2-instance-connect in Ubuntu.
https://bugs.launchpad.net/bugs/1973114

Title:
   Key trust verification fails on Ubuntu 22.04

Status in ec2-instance-connect package in Ubuntu:
  Fix Released
Status in ec2-instance-connect source package in Jammy:
  New

Bug description:
  [Impact]
  ========

  Can't get EC2 instance connect to work on Ubuntu 22.04 due to what
  seems to be an issue with trust chain verification. This is due to a
  change in OpenSSL 3.0.2.

  [Test Plan]
  ===========

  To reproduce:

  - Launch an EC2 instance with the current Ubuntu 22.04 AMI (e.g. ami-0aeb7c931a5a61206 in us-east-2).
  - Try to connect to it via mssh ubuntu@<instance-id>.
  - Observe that the command fails with "Permission denied (publickey)."

  When using the --debug flag with mssh, I see that the public key is
  pushed successfully, but the remote rejects the connection:

  ```
  ...
  2022-05-06 09:10:58,549 - EC2InstanceConnect - DEBUG - Successfully got instance information from EC2 API for <instance-id>
  ...
  2022-05-06 09:10:59,189 - EC2InstanceConnect - DEBUG - Successfully pushed the public key to <instance-id>
  2022-05-06 09:10:59,190 - EC2InstanceConnect - DEBUG - Generated command: ssh -o "IdentitiesOnly=yes" -i /var/folders/30/xdglsm2j3tz1rn1n7yygtm7c0000gn/T/tmp33a253uf ubuntu@<ip>
  ubuntu@<ip>: Permission denied (publickey).
  2022-05-06 09:10:59,612 - EC2InstanceConnect - DEBUG - Deleting the private key file: /var/folders/30/xdglsm2j3tz1rn1n7yygtm7c0000gn/T/tmp33a253uf
  ```

  On the instance side, the following error is logged:

  ```
  AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys ubuntu SHA256:wiFxouWj6qQ0aUZ0CAcftWZqNEf3qj2LLicCfGFcQJY failed, status 2
  ```

  [Where Problems Could Occur]
  ============================

  The package is broken for 22.04 so not a lot of things can go wrong
  there. However, if the user has done some manual workarounds, it could
  break that. But chances are less, IMO. \o/

  [Upstream Bug and Fix]
  ======================

  https://github.com/aws/aws-ec2-instance-connect-config/issues/38 
  https://github.com/aws/aws-ec2-instance-connect-config/pull/39

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1973114/+subscriptions
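
A triage sketch for the failure reported above, added here as an example and not part of the bug report or the ec2-instance-connect package: it reads `apt-cache policy` output and sshd log lines, extracts failed `eic_run_authorized_keys` calls, and classifies the host using only the two package versions tested in this report. Function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: triage helper for the failure in this bug report.
# Function names are hypothetical; sample inputs are constructed.
# On an instance:  apt-cache policy ec2-instance-connect | eic_installed_version
#                  eic_failures < /var/log/auth.log   (Ubuntu's sshd log)

# Print the "Installed:" version from `apt-cache policy` output on stdin.
eic_installed_version() {
    awk '$1 == "Installed:" && !seen { print $2; seen = 1 }'
}

# Print "user fingerprint status" for each failed EIC AuthorizedKeysCommand
# call found in sshd log lines on stdin; all other lines are ignored.
eic_failures() {
    awk '{
        for (i = 1; i + 6 <= NF; i++)
            if ($i == "AuthorizedKeysCommand" &&
                $(i+1) ~ /\/eic_run_authorized_keys$/ &&
                $(i+4) == "failed," && $(i+5) == "status")
                print $(i+2), $(i+3), $(i+6)
    }'
}

# Classify using only the two versions this report tested.
# $1 = installed version, $2 = number of logged failures
eic_triage() {
    case "$1" in
        1.1.14-0ubuntu1) [ "$2" -gt 0 ] && echo affected || echo at-risk ;;
        1.1.14-0ubuntu2) [ "$2" -gt 0 ] && echo investigate || echo ok ;;
        *) echo untested-version ;;
    esac
}

# Constructed sample input (syslog prefix and the second line are made up).
SAMPLE_POLICY='ec2-instance-connect:
  Installed: 1.1.14-0ubuntu1
  Candidate: 1.1.14-0ubuntu2'
SAMPLE_LOG='May  6 09:10:59 host sshd[1001]: error: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys ubuntu SHA256:wiFxouWj6qQ0aUZ0CAcftWZqNEf3qj2LLicCfGFcQJY failed, status 2
May  6 09:12:03 host sshd[1002]: Accepted publickey for ubuntu from 192.0.2.10 port 50000 ssh2'

ver=$(printf '%s\n' "$SAMPLE_POLICY" | eic_installed_version)
fails=$(printf '%s\n' "$SAMPLE_LOG" | eic_failures)
count=$(printf '%s' "$fails" | grep -c . || true)
printf 'installed=%s failures=%s verdict=%s\n' \
    "$ver" "$count" "$(eic_triage "$ver" "$count")"
```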



