aws-ec2-ssh
Add dependency check to install script
Metadata:
- Operating System: Debian 8.10
- Installation method: install.sh script
- AWS CLI Version: not sure any more, less than 1.15.2
I was not able to login over SSH with existing IAM user account. Troubleshooting revealed
aws iam list-ssh-public-keys --user-name "$UnsaveUserName" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text
in authorized_keys_command.sh was returning an error because of an outdated version of awscli.
Upgrading awscli to the latest available (1.15.2) fixed the issue.
- document minimum required versions for dependencies
- add version checks to install script. E.g. check available versions and abort in case they don't meet minimum requirements
works on aws-cli/1.11.133 Python/2.7.5 Linux/3.10.0-693.el7.x86_64 botocore/1.6.0
For the record, I'm able to get it to work on legacy machines with Python 2.6.6. @michaelwittig, would you be interested in receiving a PR for the version checks?
@artburkart but I believe we first have to figure out the minimum version?
Ha, I was thinking we could just say something is the minimum until proven otherwise.
Another experience with unmet dependencies.
Started fresh EC2 instance from fairly recent Ubuntu Server 16.04 LTS (HVM) - ami-2a7d75c0. According to https://cloud-images.ubuntu.com/query/xenial/server/released.current.txt it's release from 2018-06-27.
Installed pip and awscli using
sudo apt-get update
sudo apt-get install python-pip -y
sudo pip install awscli --upgrade
As recommended in awscli user guide https://docs.aws.amazon.com/cli/latest/userguide/installing.html
Executed install script successfully using sudo ./install.sh.
User accounts were synchronised from IAM but didn't manage to login using SSH. It turned out user nobody was not able to execute aws. (Don't have exact error message available any more)
Uninstalling awscli (using pip) + pip and installing awscli using apt-get did solve the problem.
Clearly it is an issue with python + pip + awscli setup.
OTOH easy way to end up with nonfunctional system =|
Potential solution would be to test if user nobody can execute /opt/authorized_keys_command.sh and abort installation on failure.
Sidenotes:
- apt-get installs quite ancient version of awscli
aws --version
aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-1062-aws botocore/1.4.70
It's from November 2016. Latest available version is 1.15.57
- user nobody is configured in /etc/ssh/sshd_config
AuthorizedKeysCommand /opt/authorized_keys_command.sh
AuthorizedKeysCommandUser nobody
@laurikimmel in our test, we install apt-get install git awscli and it works. Have you used the install.sh script for installation of aws-ec2-ssh?
in our test, we install apt-get install git awscli and it works.
It works for me too in case I install awscli using apt-get.
Have you used the install.sh script for installation of aws-ec2-ssh?
Yes - I used install.sh script.
My point is - it's easy to get to the state where awscli is not set up properly for aws-ec2-ssh.
- started new instance
- cloned aws-ec2-ssh repo from GH
- executed aws-ec2-ssh/install.sh script as sudo
- it failed with message about missing awscli (which is good and expected)
- went to awscli page and followed installation instructions
- installed pip (it was missing from the system)
- installed awscli using pip (as recommended in awscli user manual)
- installed
- at this point I was able to execute aws-ec2-ssh/install.sh script successfully
After installation I was not able to login with SSH although user accounts were synced from IAM.
I suspect many potential aws-ec2-ssh users might stop here.
Actual problem is - user nobody can't execute awscli commands while root (via sudo) and default user (ubuntu in current case) can. Command
sudo -u nobody /opt/authorized_keys_command.sh xxx
fails with appropriate message.
In my opinion it would save lots of time and confusion if install.sh would check whether dependencies are properly installed or not.
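A sketch of the preflight check proposed in this thread, added here as an example and not taken from aws-ec2-ssh or from any commenter. The function names, `HELPER_USER` and `MIN_AWSCLI_VERSION` are assumptions; the thread never settled on a minimum version, so the default is a placeholder that accepts anything.

```shell
#!/bin/sh
# Added example, not part of aws-ec2-ssh: preflight checks an installer could
# run before touching sshd_config. All names below are hypothetical.
MIN_AWSCLI_VERSION="${MIN_AWSCLI_VERSION:-0.0.0}"  # placeholder, minimum is undecided
HELPER_USER="${HELPER_USER:-nobody}"               # AuthorizedKeysCommandUser

# Extract "1.11.13" from a line like "aws-cli/1.11.13 Python/3.5.2 ...".
parse_awscli_version() {
    printf '%s\n' "$1" | sed -n 's|^aws-cli/\([0-9][0-9.]*\).*|\1|p'
}

# Return 0 when dotted version $1 >= $2. Fields are compared numerically,
# so 1.15.2 > 1.9.0 and 1.11.133 > 1.11.13 (a string compare gets these wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# $1 = captured "aws --version" output, $2 = required minimum.
# Returns 0 if new enough, 1 if too old, 2 if the output is not recognised.
check_version_output() {
    ver=$(parse_awscli_version "$1")
    [ -n "$ver" ] || { echo "cannot parse awscli version from: $1" >&2; return 2; }
    version_ge "$ver" "$2" || { echo "awscli $ver is older than required $2" >&2; return 1; }
}

# Run aws as the sshd helper user: root or the login user succeeding proves
# nothing, because sshd runs AuthorizedKeysCommand as AuthorizedKeysCommandUser.
# 2>&1 is needed because aws-cli on Python 2 prints its version to stderr.
preflight() {
    out=$(sudo -u "$HELPER_USER" aws --version 2>&1) || {
        echo "user $HELPER_USER cannot run aws: $out" >&2; return 1; }
    check_version_output "$out" "$MIN_AWSCLI_VERSION"
}
# An installer would call: preflight || exit 1
```

The check runs under sudo's environment, which can differ from the one sshd gives the helper user, so a pass here narrows the problem but does not replace the `sudo -u nobody /opt/authorized_keys_command.sh` test after installation.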