[Bug 1861909] Re: Please ship ec2-instance-connect.conf instead of creating it in postinst
Łukasz Zemczak
1861909 at bugs.launchpad.net
Mon Feb 17 11:10:12 UTC 2020
Hello Balint, or anyone else affected,
Accepted ec2-instance-connect into bionic-proposed. The package will
build now and be available at
https://launchpad.net/ubuntu/+source/ec2-instance-connect/1.1.12+dfsg1-0ubuntu3~18.04.0
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: ec2-instance-connect (Ubuntu Bionic)
Status: New => Fix Committed
** Tags added: verification-needed-bionic
** Changed in: ec2-instance-connect (Ubuntu Xenial)
Status: New => Fix Committed
** Tags added: verification-needed-xenial
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ec2-instance-connect in Ubuntu.
https://bugs.launchpad.net/bugs/1861909
Title:
Please ship ec2-instance-connect.conf instead of creating it in
postinst
Status in ec2-instance-connect package in Ubuntu:
Fix Released
Status in ec2-instance-connect source package in Xenial:
Fix Committed
Status in ec2-instance-connect source package in Bionic:
Fix Committed
Status in ec2-instance-connect source package in Eoan:
Fix Committed
Bug description:
[Impact]
* The ssh.service drop-in is placed and removed in maintainer scripts
based on the current ssh configuration checks which are incomplete.
The drop-in is also not owned by the package.
[Test Case]
* Install the fixed package. The drop-in should be listed among the package's files:
$ dpkg -L ec2-instance-connect
...
/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
...
* Upgrade package from previous version. The drop-in should replace
the old one.
* Change /etc/ssh/sshd_config to set AuthorizedKeysCommand. Install the fixed package. A warning should appear and sshd should not be restarted by the package's maintainer scripts.
[Regression Potential]
* The change is made to make installation and upgrades more reliable. The test cases check package installs and upgrades where regressions could happen due to implementation mistakes.
* The unfixed version of the package did not place the drop-in when it detected setting AuthorizedKeysCommand in sshd_config, while the fixed version installs the drop-in, just does not restart the ssh service. This can block users from logging in via ssh if only the sshd_config's AuthorizedKeysCommand configuration enabled their login and the ssh service got restarted after installing/upgrading ec2-instance-connect.
This is a known change in behavior and is mitigated by showing a warning when this potentially problematic configuration is detected. It is also worth noting that in case the drop-in overrides the configuration in sshd_config it is still possible to log in via EC2 Instance Connect, the login method the package enables.
[Other Info]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1861909/+subscriptions
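
A pre-upgrade check for the configuration the [Regression Potential] section warns about, as an added example that is not part of the original message or of the package's maintainer scripts: it lists every AuthorizedKeysCommand setting in an sshd_config-style file. The function names and the sample configuration are constructed for illustration, and Include directives are not followed.

```shell
#!/bin/sh
# Added example: find AuthorizedKeysCommand settings that a service drop-in
# could override. Output: "<scope> <line-number> <value>", one per finding,
# where scope is "global" or "match" (set inside a Match block).
find_akc() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)              # sshd ignores leading whitespace
        if (line == "" || line ~ /^#/) next   # skip blank lines and comments
        n = match(line, /[ \t=]/)             # "Keyword value" or "Keyword=value"
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1)) # keywords are case-insensitive
        val = substr(line, n + 1)
        sub(/^[ \t=]+/, "", val)
        sub(/[ \t]+$/, "", val)
        if (key == "match") { scope = "match"; next }
        if (key != "authorizedkeyscommand") next  # not AuthorizedKeysCommandUser
        if (tolower(val) == "none") next          # "none" disables the command
        printf "%s %d %s\n", (scope == "" ? "global" : scope), NR, val
    }' "$1"
}

# Exit status 0 when the file sets AuthorizedKeysCommand anywhere, 1 otherwise.
has_akc() {
    [ -n "$(find_akc "$1")" ]
}

# Constructed sample configuration (not taken from a real host).
sample_config() {
    cat <<'EOF'
# AuthorizedKeysCommand /commented/out
Port 22
authorizedkeyscommanduser nobody
  authorizedKeysCommand=/usr/local/bin/fetch-keys %u
Match User deploy
    AuthorizedKeysCommand /opt/deploy/keys
EOF
}

# Stand-alone use: sh this-script /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    find_akc "$1"
fi
```

Any line it prints identifies a login path to confirm in a second SSH session after ssh is next restarted, since that is when the drop-in takes effect.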