[Bug 1973114] Re: Key trust verification fails on Ubuntu 22.04
Brian Murray
1973114 at bugs.launchpad.net
Tue May 17 16:03:10 UTC 2022
Hello Utkarsh, or anyone else affected,
Accepted ec2-instance-connect into jammy-proposed. The package will
build now and be available at
https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.14-0ubuntu1.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: ec2-instance-connect (Ubuntu Jammy)
Status: New => Fix Committed
** Tags added: verification-needed verification-needed-jammy
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ec2-instance-connect in Ubuntu.
https://bugs.launchpad.net/bugs/1973114
Title:
Key trust verification fails on Ubuntu 22.04
Status in ec2-instance-connect package in Ubuntu:
Fix Released
Status in ec2-instance-connect source package in Jammy:
Fix Committed
Bug description:
[Impact]
========
Can't get EC2 instance connect to work on Ubuntu 22.04 due to what
seems to be an issue with trust chain verification. This is due to a
change in OpenSSL 3.0.2.
[Test Plan]
===========
To reproduce:
- Launch an EC2 instance with the current Ubuntu 22.04 AMI (e.g. ami-0aeb7c931a5a61206 in us-east-2).
- Try to connect to it via mssh ubuntu@<instance-id>.
- Observe that the command fails with "Permission denied (publickey)."
When using the --debug flag with mssh, I see that the public key is
pushed successfully, but the remote rejects the connection:
```
...
2022-05-06 09:10:58,549 - EC2InstanceConnect - DEBUG - Successfully got instance information from EC2 API for <instance-id>
...
2022-05-06 09:10:59,189 - EC2InstanceConnect - DEBUG - Successfully pushed the public key to <instance-id>
2022-05-06 09:10:59,190 - EC2InstanceConnect - DEBUG - Generated command: ssh -o "IdentitiesOnly=yes" -i /var/folders/30/xdglsm2j3tz1rn1n7yygtm7c0000gn/T/tmp33a253uf ubuntu@<ip>
ubuntu@<ip>: Permission denied (publickey).
2022-05-06 09:10:59,612 - EC2InstanceConnect - DEBUG - Deleting the private key file: /var/folders/30/xdglsm2j3tz1rn1n7yygtm7c0000gn/T/tmp33a253uf
```
On the instance side, the following error is logged:
```
AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys ubuntu SHA256:wiFxouWj6qQ0aUZ0CAcftWZqNEf3qj2LLicCfGFcQJY failed, status 2
```
[Where Problems Could Occur]
============================
The package is broken for 22.04 so not a lot of things can go wrong
there. However, if the user has done some manual workarounds, it could
break that. But chances are less, IMO. \o/
[Upstream Bug and Fix]
======================
https://github.com/aws/aws-ec2-instance-connect-config/issues/38
https://github.com/aws/aws-ec2-instance-connect-config/pull/39
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1973114/+subscriptions