[Bug 1860142] Re: Please update ec2-instance-connect to 1.1.12 release

Balint Reczey balint.reczey at canonical.com
Mon Feb 24 16:50:19 UTC 2020


Verified 1.1.12+dfsg1-0ubuntu3~19.10.0 on Eoan:
ubuntu at ip-172-31-30-118:~$ sudo apt -y install -qq ec2-instance-connect
The following package was automatically installed and is no longer required:
  libdumbnet1
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.4 kB of archives.
After this operation, 48.1 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 86215 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.9-0ubuntu3_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.9-0ubuntu3) ...
Setting up ec2-instance-connect (1.1.9-0ubuntu3) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
sshd override added, restarting daemon
ubuntu at ip-172-31-30-118:~$ 
ubuntu at ip-172-31-30-118:~$ 
ubuntu at ip-172-31-30-118:~$ 
ubuntu at ip-172-31-30-118:~$ 
ubuntu at ip-172-31-30-118:~$ 
ubuntu at ip-172-31-30-118:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:28:57 UTC; 14min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 29680 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 29681 (sshd)
    Tasks: 1 (limit: 1145)
   Memory: 4.1M
   CGroup: /system.slice/ssh.service
           └─29681 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect

Feb 24 16:29:16 ip-172-31-30-118 sshd[29739]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Feb 24 16:38:00 ip-172-31-30-118 sshd[30184]: Invalid user admin from 141.98.81.150 port 38095
Feb 24 16:38:00 ip-172-31-30-118 sshd[30184]: Connection closed by invalid user admin 141.98.81.150 port 38095 [preauth]
Feb 24 16:42:19 ip-172-31-30-118 sshd[30187]: error: kex_exchange_identification: Connection closed by remote host
Feb 24 16:42:38 ip-172-31-30-118 sshd[30188]: Received disconnect from 140.238.164.68 port 55574:11: Normal Shutdown, Thank you for playing [preauth]
Feb 24 16:42:38 ip-172-31-30-118 sshd[30188]: Disconnected from authenticating user root 140.238.164.68 port 55574 [preauth]
Feb 24 16:42:51 ip-172-31-30-118 sshd[30190]: Received disconnect from 140.238.164.68 port 53314:11: Normal Shutdown, Thank you for playing [preauth]
Feb 24 16:42:51 ip-172-31-30-118 sshd[30190]: Disconnected from authenticating user root 140.238.164.68 port 53314 [preauth]
Feb 24 16:43:04 ip-172-31-30-118 sshd[30192]: Received disconnect from 140.238.164.68 port 51064:11: Normal Shutdown, Thank you for playing [preauth]
Feb 24 16:43:04 ip-172-31-30-118 sshd[30192]: Disconnected from authenticating user root 140.238.164.68 port 51064 [preauth]
ubuntu at ip-172-31-30-118:~$ sudo sed -i s/backports/proposed/ /etc/apt/sources.list
ubuntu at ip-172-31-30-118:~$ sudo apt update -qq
22 packages can be upgraded. Run 'apt list --upgradable' to see them.
ubuntu at ip-172-31-30-118:~$ sudo apt-get -qqy install ec2-instance-connect 
(Reading database ... 86224 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~19.10.0_all.deb ...
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) over (1.1.9-0ubuntu3) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
sshd override added, restarting daemon
ubuntu at ip-172-31-30-118:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:44:13 UTC; 6s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 30735 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 30736 (sshd)
    Tasks: 1 (limit: 1145)
   Memory: 4.9M
   CGroup: /system.slice/ssh.service
           └─30736 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect

Feb 24 16:44:13 ip-172-31-30-118 systemd[1]: ssh.service: Found left-over process 30696 (sshd) in control group while starting unit. Ignoring.
Feb 24 16:44:13 ip-172-31-30-118 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Feb 24 16:44:13 ip-172-31-30-118 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 24 16:44:13 ip-172-31-30-118 systemd[1]: ssh.service: Found left-over process 30695 (sshd) in control group while starting unit. Ignoring.
Feb 24 16:44:13 ip-172-31-30-118 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Feb 24 16:44:13 ip-172-31-30-118 systemd[1]: ssh.service: Found left-over process 30696 (sshd) in control group while starting unit. Ignoring.
Feb 24 16:44:13 ip-172-31-30-118 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Feb 24 16:44:13 ip-172-31-30-118 sshd[30736]: Server listening on 0.0.0.0 port 22.
Feb 24 16:44:13 ip-172-31-30-118 sshd[30736]: Server listening on :: port 22.
Feb 24 16:44:13 ip-172-31-30-118 systemd[1]: Started OpenBSD Secure Shell server.
ubuntu at ip-172-31-30-118:~$ sudo apt purge -yqq ec2-instance-connect
The following package was automatically installed and is no longer required:
  libdumbnet1
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
  ec2-instance-connect*
0 upgraded, 0 newly installed, 1 to remove and 21 not upgraded.
After this operation, 57.3 kB disk space will be freed.
(Reading database ... 86226 files and directories currently installed.)
Removing ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Deleted system user ec2-instance-connect
(Reading database ... 86215 files and directories currently installed.)
Purging configuration files for ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Deleted system user ec2-instance-connect
ubuntu at ip-172-31-30-118:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-02-24 16:46:37 UTC; 12s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 31483 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 31484 (sshd)
    Tasks: 1 (limit: 1145)
   Memory: 1.5M
   CGroup: /system.slice/ssh.service
           └─31484 /usr/sbin/sshd -D

Feb 24 16:46:37 ip-172-31-30-118 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 24 16:46:37 ip-172-31-30-118 sshd[31484]: Server listening on 0.0.0.0 port 22.
Feb 24 16:46:37 ip-172-31-30-118 sshd[31484]: Server listening on :: port 22.
Feb 24 16:46:37 ip-172-31-30-118 systemd[1]: Started OpenBSD Secure Shell server.
Feb 24 16:46:44 ip-172-31-30-118 sshd[31538]: Received disconnect from 140.238.164.68 port 45320:11: Normal Shutdown, Thank you for playing [preauth]
Feb 24 16:46:44 ip-172-31-30-118 sshd[31538]: Disconnected from authenticating user ubuntu 140.238.164.68 port 45320 [preauth]
ubuntu at ip-172-31-30-118:~$ sudo apt-get -qqy install ec2-instance-connect 
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 86215 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~19.10.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~19.10.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service → /lib/systemd/system/ec2-instance-connect.service.
sshd override added, restarting daemon
ubuntu at ip-172-31-30-118:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:47:09 UTC; 4s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 31803 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 31804 (sshd)
    Tasks: 3 (limit: 1145)
   Memory: 2.6M
   CGroup: /system.slice/ssh.service
           ├─31804 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect
           ├─31857 sshd: [accepted]
           └─31858 sshd: [net]

Feb 24 16:47:09 ip-172-31-30-118 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 24 16:47:09 ip-172-31-30-118 sshd[31804]: Server listening on 0.0.0.0 port 22.
Feb 24 16:47:09 ip-172-31-30-118 sshd[31804]: Server listening on :: port 22.
Feb 24 16:47:09 ip-172-31-30-118 systemd[1]: Started OpenBSD Secure Shell server.


** Tags removed: verification-needed-eoan
** Tags added: verification-done-eoan

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ec2-instance-connect in Ubuntu.
https://bugs.launchpad.net/bugs/1860142

Title:
  Please update ec2-instance-connect to 1.1.12 release

Status in ec2-instance-connect package in Ubuntu:
  Fix Released
Status in ec2-instance-connect source package in Xenial:
  Fix Committed
Status in ec2-instance-connect source package in Bionic:
  Fix Committed
Status in ec2-instance-connect source package in Disco:
  Won't Fix
Status in ec2-instance-connect source package in Eoan:
  Fix Committed

Bug description:
  [Impact]

  New upstream release of the package providing SSH access to instances;
  available to any AWS user. The most notable new feature is supporting
  Instance Metadata Service Version 2, but since the release included
  a major rewrite which honored the Security Team's input, the package is
  backported in full.

  [Test Cases]
  This is manually tested by Amazon:

  0) Deploy an Amazon AWS instance with the Instance Connect feature enabled
  1) Install the previous version of the ec2-instance-connect package
  2) Verify that the sshd process has been restarted with the changed command-line, now including "AuthorizedKeysCommand*" options.
  3) Attempt to connect to the instance using an SSH key that is known by the Instance Connect service.
  4) Upgrade to the new version of the package
  5) Attempt to connect to the instance using an SSH key that is known by the Instance Connect service.
  6) Purge the ec2-instance-connect package
  7) Configure the instance to use IMDSv2
  8) Install the new ec2-instance-connect again and verify that it is working again (steps 2 and 3)

  
  [Regression Potential]
  Limited to SSH access on instances where the package gets installed. This package will be installed by default for a new service called "Instance Connect" provided to AWS customers. In the case of an issue, things to watch out for would be for some keys to not be usable to connect to the instance when they are expected to be, as the list of authorized keys is collated by the service to include both the usual authorized_keys contents, as well as keys provided by the Instance Connect service.

  The package upgrade is covered in the test case.

  [Other Info]
  The source difference for the SRUs contains a lot of extra files because the source now contains almost the full upstream tarball, but the difference between the binary packages is still minimal and it may be easier to review that difference.

  Disco SRU is skipped because it goes EOL before the aging of the
  package would finish.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1860142/+subscriptions
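
A scripted form of test-case step 2, added here as an example (it is not part of the package or of the original report): it classifies an sshd argument vector by whether the Instance Connect override is present and points at the expected helper and unprivileged user. The function name eic_override_state is hypothetical; the expected path and user are copied from the "service sshd status" output above, and each -o value is assumed to reach sshd as a single argv word.

```shell
#!/bin/sh
# Added example, not package code. Expected values come from the status
# output in this report; eic_override_state is a hypothetical name.
EIC_CMD=/usr/share/ec2-instance-connect/eic_run_authorized_keys
EIC_USER=ec2-instance-connect

# Usage: eic_override_state ARGV...   (sshd's argument vector, one word per arg)
# Prints one of: ok | absent | incomplete | unexpected
eic_override_state() (
    cmd="" user=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-o" ] && [ $# -ge 2 ]; then
            kv=$2; shift
            key=${kv%%[ =]*}      # option name: text before first space or '='
            val=${kv#*[ =]}       # option value: everything after that separator
            # sshd option names are case-insensitive, so compare in lower case
            key=$(printf %s "$key" | tr '[:upper:]' '[:lower:]')
            case "$key" in
                authorizedkeyscommand)     cmd=${val%% *} ;;  # drop the %u %f tokens
                authorizedkeyscommanduser) user=$val ;;
            esac
        fi
        shift
    done
    if [ -z "$cmd" ] && [ -z "$user" ]; then
        echo absent          # plain "sshd -D", as after the purge step
    elif [ -z "$cmd" ] || [ -z "$user" ]; then
        echo incomplete      # only one of the two options was passed
    elif [ "$cmd" = "$EIC_CMD" ] && [ "$user" = "$EIC_USER" ]; then
        echo ok              # matches the drop-in shown in the status output
    else
        echo unexpected      # different helper path, or helper run as another user
    fi
)

# Constructed sample mirroring the command line shown after install/upgrade:
eic_override_state /usr/sbin/sshd -D \
    -o "AuthorizedKeysCommand $EIC_CMD %u %f" \
    -o "AuthorizedKeysCommandUser $EIC_USER"
```

On a live instance the argument vector can be read from /proc/<Main PID>/cmdline, where the words are NUL-separated, rather than from the space-joined CGroup line in the status output.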