[Bug 1860142] Re: Please update ec2-instance-connect to 1.1.12 release

Balint Reczey balint.reczey at canonical.com
Mon Feb 24 17:01:45 UTC 2020


Verified 1.1.12+dfsg1-0ubuntu3~16.04.0 on Xenial. With the previous
version Instance Connect did not connect, but it worked with the updated
version.

ubuntu@ip-172-31-35-36:~$ sudo apt -y install -qq ec2-instance-connect
The following NEW packages will be installed:
  ec2-instance-connect
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.4 kB of archives.
After this operation, 48.1 kB of additional disk space will be used.
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 76560 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.9-0ubuntu3~16.04.1_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.9-0ubuntu3~16.04.1) ...
Setting up ec2-instance-connect (1.1.9-0ubuntu3~16.04.1) ...
sshd override added, restarting daemon
ubuntu@ip-172-31-35-36:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:52:25 UTC; 40s ago
  Process: 25577 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 25581 (sshd)
    Tasks: 1
   Memory: 792.0K
      CPU: 177ms
   CGroup: /system.slice/ssh.service
           └─25581 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect

Feb 24 16:52:25 ip-172-31-35-36 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 24 16:52:25 ip-172-31-35-36 sshd[25581]: Server listening on 0.0.0.0 port 22.
Feb 24 16:52:25 ip-172-31-35-36 sshd[25581]: Server listening on :: port 22.
Feb 24 16:52:25 ip-172-31-35-36 systemd[1]: Started OpenBSD Secure Shell server.
Feb 24 16:52:48 ip-172-31-35-36 sshd[25611]: Connection closed by 18.188.9.33 port 15596 [preauth]
Feb 24 16:52:48 ip-172-31-35-36 sshd[25643]: Connection closed by 18.188.9.33 port 54735 [preauth]
Feb 24 16:53:04 ip-172-31-35-36 sshd[25675]: Connection closed by 18.188.9.33 port 44464 [preauth]
Feb 24 16:53:04 ip-172-31-35-36 sshd[25707]: Connection closed by 18.188.9.33 port 27716 [preauth]
ubuntu@ip-172-31-35-36:~$ sudo sed -i s/backports/proposed/ /etc/apt/sources.list
ubuntu@ip-172-31-35-36:~$ sudo apt update -qq
19 packages can be upgraded. Run 'apt list --upgradable' to see them.
ubuntu@ip-172-31-35-36:~$ sudo apt-get -qqy install ec2-instance-connect
(Reading database ... 76569 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~16.04.0_all.deb ...
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) over (1.1.9-0ubuntu3~16.04.1) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
sshd override added, restarting daemon
ubuntu@ip-172-31-35-36:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:55:56 UTC; 4s ago
  Process: 26584 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 26588 (sshd)
    Tasks: 1
   Memory: 792.0K
      CPU: 8ms
   CGroup: /system.slice/ssh.service
           └─26588 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect

Feb 24 16:55:56 ip-172-31-35-36 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 24 16:55:56 ip-172-31-35-36 sshd[26588]: Server listening on 0.0.0.0 port 22.
Feb 24 16:55:56 ip-172-31-35-36 sshd[26588]: Server listening on :: port 22.
Feb 24 16:55:56 ip-172-31-35-36 systemd[1]: Started OpenBSD Secure Shell server.
ubuntu@ip-172-31-35-36:~$ sudo apt purge -yqq ec2-instance-connect
The following packages will be REMOVED:
  ec2-instance-connect*
0 upgraded, 0 newly installed, 1 to remove and 18 not upgraded.
After this operation, 56.3 kB disk space will be freed.
(Reading database ... 76571 files and directories currently installed.)
Removing ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
Deleted system user ec2-instance-connect
Purging configuration files for ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
Deleted system user ec2-instance-connect
ubuntu@ip-172-31-35-36:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-02-24 16:57:12 UTC; 2s ago
  Process: 27868 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 27873 (sshd)
    Tasks: 1
   Memory: 1.1M
      CPU: 33ms
   CGroup: /system.slice/ssh.service
           └─27873 /usr/sbin/sshd -D

Feb 24 16:57:12 ip-172-31-35-36 systemd[1]: Stopped OpenBSD Secure Shell server.
Feb 24 16:57:12 ip-172-31-35-36 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 24 16:57:12 ip-172-31-35-36 sshd[27873]: Server listening on 0.0.0.0 port 22.
Feb 24 16:57:12 ip-172-31-35-36 sshd[27873]: Server listening on :: port 22.
Feb 24 16:57:12 ip-172-31-35-36 systemd[1]: Started OpenBSD Secure Shell server.
Feb 24 16:57:14 ip-172-31-35-36 sshd[27903]: Connection closed by 18.188.9.33 port 37929 [preauth]
Feb 24 16:57:14 ip-172-31-35-36 sshd[27905]: Connection closed by 18.188.9.33 port 38846 [preauth]
ubuntu@ip-172-31-35-36:~$ sudo apt-get -qqy install ec2-instance-connect
Selecting previously unselected package ec2-instance-connect.
(Reading database ... 76560 files and directories currently installed.)
Preparing to unpack .../ec2-instance-connect_1.1.12+dfsg1-0ubuntu3~16.04.0_all.deb ...
Created system user ec2-instance-connect
Unpacking ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
Setting up ec2-instance-connect (1.1.12+dfsg1-0ubuntu3~16.04.0) ...
sshd override added, restarting daemon
ubuntu@ip-172-31-35-36:~$ service sshd status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/ssh.service.d
           └─ec2-instance-connect.conf
   Active: active (running) since Mon 2020-02-24 16:58:25 UTC; 4s ago
  Process: 28121 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 28125 (sshd)
    Tasks: 1
   Memory: 1.1M
      CPU: 8ms
   CGroup: /system.slice/ssh.service
           └─28125 /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect

Feb 24 16:58:25 ip-172-31-35-36 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 24 16:58:25 ip-172-31-35-36 sshd[28125]: Server listening on 0.0.0.0 port 22.
Feb 24 16:58:25 ip-172-31-35-36 sshd[28125]: Server listening on :: port 22.
Feb 24 16:58:25 ip-172-31-35-36 systemd[1]: Started OpenBSD Secure Shell server.
ubuntu@ip-172-31-35-36:~$


** Tags removed: verification-needed verification-needed-bionic verification-needed-xenial
** Tags added: verification-done verification-done-bionic verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ec2-instance-connect in Ubuntu.
https://bugs.launchpad.net/bugs/1860142

Title:
  Please update ec2-instance-connect to 1.1.12 release

Status in ec2-instance-connect package in Ubuntu:
  Fix Released
Status in ec2-instance-connect source package in Xenial:
  Fix Committed
Status in ec2-instance-connect source package in Bionic:
  Fix Committed
Status in ec2-instance-connect source package in Disco:
  Won't Fix
Status in ec2-instance-connect source package in Eoan:
  Fix Committed

Bug description:
  [Impact]

  New upstream release of the package providing SSH access to instances;
  available to any AWS user. The most notable new feature is supporting
  Instance Metadata Service Version 2, but since the release included a
  major rewrite which honored the Security Team's input, the package is
  backported in full.

  [Test Cases]
  This is manually tested by Amazon:

  0) Deploy an Amazon AWS instance with Instance Connect feature enabled
  1) Install the previous version of the ec2-instance-connect package
  2) Verify that the sshd process has been restarted with the changed command-line, now including "AuthorizedKeysCommand*" options.
  3) Attempt to connect to the instance using an SSH key that is known by the Instance Connect service.
  4) Upgrade to the new version of the package
  5) Attempt to connect to the instance using an SSH key that is known by the Instance Connect service.
  6) Purge the ec2-instance-connect package
  7) Configure the instance to use IMDSv2
  8) Install the new ec2-instance-connect again and verify that it is working again (steps 2 and 3)

  
  [Regression Potential]
  Limited to SSH access on instances where the package gets installed. This package will be installed by default for a new service called "Instance Connect" provided to AWS customers. In the case of an issue, things to watch out for would be for some keys to not be usable to connect to the instance when they are expected to be, as the list of authorized keys is collated by the service to include both the usual authorized_keys contents, as well as keys provided by the Instance Connect service.

  The package upgrade is covered in the test case.

  [Other Info]
  The source difference for the SRUs contains a lot of extra files because the source now contains almost the full upstream tarball, but the difference between the binary packages is still minimal and it may be easier to review that difference.

  Disco SRU is skipped because it goes EOL before the aging of the
  package would finish.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1860142/+subscriptions
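
Step 2 of the test case (sshd restarted with the "AuthorizedKeysCommand*" options) and the pre-auth disconnects visible in the journal can be checked mechanically. The script below is an added example, not part of the original message or of the package; the function names are hypothetical and the sample strings are copied from the status output in the message above.

```shell
#!/bin/sh
# Added example: check the sshd overrides installed by ec2-instance-connect
# and count clients dropped before authentication.
# Expected values as shown in the status output quoted in the message.
EIC_CMD=/usr/share/ec2-instance-connect/eic_run_authorized_keys
EIC_USER=ec2-instance-connect

# Print the first word after "-o <option>" in an sshd command line.
# Exact match, so AuthorizedKeysCommand never matches ...CommandUser.
sshd_opt() {  # $1 = command line, $2 = option name
  printf '%s\n' "$1" | awk -v opt="$2" '{
    for (i = 1; i < NF; i++)
      if ($i == "-o" && $(i + 1) == opt) { print $(i + 2); exit }
  }'
}

# Succeed only if both overrides are present with the expected values.
# A helper run as an unexpected user (e.g. root) is treated as a failure.
eic_override_ok() {  # $1 = sshd command line
  [ "$(sshd_opt "$1" AuthorizedKeysCommand)" = "$EIC_CMD" ] &&
  [ "$(sshd_opt "$1" AuthorizedKeysCommandUser)" = "$EIC_USER" ]
}

# Count journal lines where the peer disconnected before authenticating.
preauth_closes() {  # $1 = journal text
  printf '%s\n' "$1" |
    grep -c 'sshd\[[0-9]*]: Connection closed by .* \[preauth]$' || true
}

# Sample input copied from the status output in the message.
WITH_EIC='/usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect'
PURGED='/usr/sbin/sshd -D'
JOURNAL='Feb 24 16:52:25 ip-172-31-35-36 sshd[25581]: Server listening on :: port 22.
Feb 24 16:52:48 ip-172-31-35-36 sshd[25611]: Connection closed by 18.188.9.33 port 15596 [preauth]
Feb 24 16:52:48 ip-172-31-35-36 sshd[25643]: Connection closed by 18.188.9.33 port 54735 [preauth]'

for cmdline in "$WITH_EIC" "$PURGED"; do
  if eic_override_ok "$cmdline"; then
    echo "override present: $cmdline"
  else
    echo "override missing: $cmdline"
  fi
done
echo "pre-auth closes: $(preauth_closes "$JOURNAL")"

# On a live instance, feed real data instead of the samples, e.g.:
#   eic_override_ok "$(ps -o args= -p "$(pgrep -o -x sshd)")"
```
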


