Public bug reported:
Binary package hint: cloud-init
The EC2/UEC images currently allow users to ssh to root@ but do not give
the user shell access. Instead, a helpful message is displayed to the
user explaining they need to ssh to ubuntu@ and they are disconnected
after 10 seconds.
This is done with the following prefix in /root/.ssh/authorized_keys:
command="echo 'Please login as the user \"ubuntu\" rather than the
user \"root\".';echo;sleep 10" ssh-rsa ...
The goal here is to prevent the user from having any serious access at
all through root@ and to just be a helpful pointer for people who assume
all EC2 AMIs are set up to allow ssh to root@
Users may change the ssh keys associated with
/home/ubuntu/.ssh/authorized_keys and not know about or forget about the
fact that there is some access also granted through
/root/.ssh/authorized_keys
The way that the /root/.ssh/authorized_keys file is currently
implemented, an authorized user is blocked from shell access, but is
granted some other permissions like doing port forwarding through the
instance to anywhere that instance can connect. Hosts it connects to
would also perceive the connection as coming from the instance.
These additional permissions should be blocked in
/root/.ssh/authorized_keys by adding qualifiers like:
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
These particular directives are based on best practices using subversion
command= with ssh.
The resulting prefix would then look like:
command="echo 'Please login as the user \"ubuntu\" rather than the
user \"root\".';echo;sleep 10",no-port-forwarding,no-agent-
forwarding,no-X11-forwarding,no-pty ssh-rsa ...
See the "command=" section in "man authorized_keys" for more details.
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: cloud-init 0.6.1-0ubuntu8
ProcVersionSignature: User Name 2.6.38-8.42-virtual 2.6.38.2
Uname: Linux 2.6.38-8-virtual i686
Architecture: i386
Date: Fri Jun 17 02:08:02 2011
Ec2AMI: ami-06ad526f
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1d
Ec2InstanceType: m1.small
Ec2Kernel: aki-407d9529
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: cloud-init (Ubuntu)
Importance: Undecided
Status: New
** Tags: apport-bug ec2-images i386 natty
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/798505
Title:
Tighten permissions on root@ ssh with EC2/UEC images
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/798505/+subscriptions
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
