Ubuntu on EC2

ec2-init: ec2-fetch-credentials "setup_root_user" code cleanup

Bug #407950 reported by Eric Hammond
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
EC2 init scripts
Invalid
Undecided
Unassigned
Ubuntu on EC2
Invalid
Medium
Unassigned
ec2-init (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

This report applies to the code found in the dev testing ami-af3fdec6

The "setup_root_user" code in /usr/sbin/ec2-fetch-credentials is confusing and the error messages are possibly wrong and/or offensive.

If the file /etc/ec2-init/ec2-config.cfg contains
    DISABLE_ROOT="1"
then the code sets up an informational rejection message if an ssh to root is attempted and succeeds using the ec2 keypair used to start the instance. This seems fine.

If the file contains
    DISABLE_ROOT="0"
then the code prints
    "You choose to disable the root user, god help you."
and does nothing else.

- Why should DISABLE_ROOT="0" *disable* the root user as the message is claiming?

- What does it mean to disable the root user? or enable the root user? This condition is not doing anything.

- Neither option is *enabling* ssh to the root user. Is it supposed to?

- Why would disabling ssh to the root user be a bad thing? Isn't this the default approach used for security?

- Even if this were an appropriate place to express concern (and it's not obvious to me that it is), "god help you" still may be inappropriate language for a distro which tries to be inclusive.

- The next case has the line:
      print "%s - I dont understand that opion."
I'm not a Python programmer, but I've always seen a matching % argument when there is a "%s". Is there something missing here?

- Are the format and options for /etc/ec2-init/ec2-config.cfg documented somewhere?

- The code contains a "checkServer" function which does not appear to be called.

Related branches

lp:ubuntu/karmic/ec2-init
Chuck Short (zulcss)
Changed in ubuntu-on-ec2:
status: New → Confirmed
importance: Undecided → Medium
Chuck Short (zulcss)
Changed in ec2-init:
status: New → Confirmed
Revision history for this message
Scott Moser (smoser) wrote :

The 'ec2-fetch-credentials' program has been substantially re-written.

> If the file /etc/ec2-init/ec2-config.cfg contains
> DISABLE_ROOT="1"

The format /etc/ec2-init/ec2-config.cfg has been changed. Rather than shell-like syntax, it is now in ConfigParser syntax (read by ConfigObj).

The above declaration is now:
  disable_root=1

The purpose of this option is to control whether or not access to the instance's root account can be gained directly by use of a public/private registered to the instance (with 'ec2-run-instances -k').

> If the file contains
> DISABLE_ROOT="0"
> then the code prints
> "You choose to disable the root user, god help you."
> and does nothing else.

'disable_root=0' will now write the key directly to /root/.ssh/authorized_keys without a 'command=' prefix.

One thing to note, is that if a key registered to the instance matches one that already exists in /root/.ssh/authorized_keys, then the code will simply append to the file. In my testing, the first key that matches is used by sshd, and thus the appended (disabled or enabled) root keys will not change anything.

Soren, you have thoughts on this? Essentially if keys exist in /root/.ssh/authorized_keys already exist, disable_root setting is useless.

> - Why should DISABLE_ROOT="0" *disable* the root user as the message is
> claiming?

the inverted logic has now been fixed. disable_root=1 will disable ssh key based auth for the root user.

> - What does it mean to disable the root user? or enable the root user? This
> condition is not doing anything.

Should we re-name this key? maybe 'enable_root_via_ec2_ssh_key' ?

> - Neither option is *enabling* ssh to the root user. Is it supposed to?

Outside of the bug mentioned above 'disable_root=1' disables ssh in as root, and 'disable_root=0' will allow root in with the public_keys

> - Even if this were an appropriate place to express concern (and it's not
> obvious to me that it is), "god help you" still may be inappropriate
> language for a distro which tries to be inclusive.

The message is now simply:
  Please login as the ubuntu user rather than root user.

> - The next case has the line:
> print "%s - I dont understand that opion."
> I'm not a Python programmer, but I've always seen a matching % argument
> when there is a "%s". Is there something missing here?

no longer present.

> - Are the format and options for /etc/ec2-init/ec2-config.cfg documented
> somewhere?

No.

> - The code contains a "checkServer" function which does not appear to be
> called.

removed

Scott Moser (smoser)
tags: added: ec2-images uec-images
Scott Moser (smoser)
Changed in ec2-init (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in ubuntu-on-ec2:
status: Confirmed → Invalid
Eric Hammond (esh)
Changed in ec2-init:
status: Confirmed → Invalid
Revision history for this message
Scott Moser (smoser) wrote :

The only remaining issues per my comment 1 are:

a. ec2-init simply appends to /root/.ssh/authorized_keys for root. If the key
  it is adding already exists in that file, then it disabling or enabling login
  will have no effect.

b. Should disable_root be renamed to 'enable_root_via_ec2_ssh_key' or something
  that more correctly/verbosely describes what it is doing?

c. There needs to be documentation for /etc/ec2-init/ec2-config.cfg

I've opened a bug (bug 434076) to address A. I'm closing this bug as most issues raised have been fixed. Please feel free to open separate bugs for 'b' and 'c' above.

Changed in ec2-init (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.