
SSH connection to AWS AMI not possible for newly created image
Open, Normal, Public, BUG

Description

Yes, it is again. An AMI built from the latest rolling version cannot get the SSH public key during startup in AWS. Tested in region eu-central-1.

When trying to connect with the provided key pair you get the message "Unsupported authentication type".

That is the same story as for the 1.1.8 images published in the official repository. It's critical for AWS users, especially for newcomers.

Should we consider supporting the cloud-init package?

Details

Difficulty level
Unknown (require assessment)
Version
vyos-1.2.0-rolling+201811290337
Why the issue appeared?
Will be filled on close

Event Timeline

begetan created this task. Nov 30 2018, 1:16 PM
syncer assigned this task to UnicronNL. Dec 1 2018, 6:24 PM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer added subscribers: UnicronNL, syncer.

@UnicronNL can you explain the right way to create a 1.2 AMI?

I forgot to fetch commits for the latest build-ami version when I submitted the report.
Now I confirm that the problem exists in the latest version with the last commit:

Author: Daniil Baturin <daniil@baturin.org>
Date:   Fri May 11 07:11:51 2018 +0700

    T408: clean up the AMI build scripts and retarget them to 1.2.0.

It would be great if someone could build the latest version of AWS AMI.

I tried the build with 1.2.0-rc9 and rc10 with the same results. The instance boots up without issue, but rejects any login attempts with the SSH key the instance was launched with. The error it gets back suggests it's not configured for key or password login, or any other method for some reason.

Also tried 1.2.0-rolling-201812080337. My best guess is that it's not copying the SSH key into the system properly to allow the vyos user to log in, as the system responds, accepts the username, rejects the key, then disconnects with no further auth method.

I found an AMI I had built from 1.1.8 back on July 7th. I can create functional 1.1.8 instances from that, so it looks to be something unique to 1.2.0, but I can't say for sure because I don't have a working way to build 1.1.8 AMIs currently. The 1.1.8 playbooks rely on modules that have been removed from Ansible, so I would have to rewrite them or downgrade my ansible install.

pasik added a subscriber: pasik. Mar 12 2019, 6:08 PM

I'm also experiencing the same issue with vyos-1.2.0-rolling-201904190439. I was able to create the AMI using the build-ami playbooks, but when launched I could not log in using the keypair. Is there a fix for this or a workaround?

I wonder if this issue will ever stop recurring. Every time it happens, it's for some new reason. I think this time it may be related to ongoing work of @Unicron.

@spectre3500 I debug such issues by creating a backdoored AMI. As long as you don't share it with anyone, it's not against the rules.

This is what I do. The default config of the AMI to be created is at https://github.com/vyos/build-ami/blob/master/playbooks/templates/config.boot.default.ec2
You can add any pre-configured users there, here's a user "backdoor" with password "vyos" for example.

user backdoor {
    authentication {
        encrypted-password $6$fHze7nYTj$GN/it9d6fMlbQ0imM1CM3cpj3FExq8iC4P7IbtlUzUPK2BOBlevWI1qomzJ9k1.fuGlmx29LSm/St2Jcv9V53/
        plaintext-password ""
    }
}

...oh, and remove "disable-password-authentication" from the SSH settings of course.
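
A pre-publish check to pair with the debugging workaround above, as an added example that is not part of the original thread or of build-ami: it parses a config.boot-style template and reports password-enabled users and a missing disable-password-authentication, so a debug template is not built into an AMI that gets shared. The template contents are constructed, and treating "", "!" and "*" as unusable passwords is an assumption.

```python
LOCKED = {"", "!", "*"}  # assumption: shadow-style values that match no password
def leaf_paths(text):
    """Flatten a VyOS-style brace config into (path, key, value) per leaf line."""
    stack, leaves = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].split())      # "user backdoor {" -> two tokens
        elif line == "}":
            stack.pop()
        elif line and not line.startswith("/*"):  # skip blanks and trailer comments
            key, _, value = line.partition(" ")
            path = [tok for node in stack for tok in node]
            leaves.append((path, key, value.strip().strip('"')))
    return leaves

def audit(text):
    """Return the reasons this config template must not go into a shared AMI."""
    findings, keys_only = [], False
    for path, key, value in leaf_paths(text):
        in_auth = path[:3] == ["system", "login", "user"] and path[-1:] == ["authentication"]
        if in_auth and key.endswith("-password") and value not in LOCKED:
            findings.append(f"user {path[3]}: {key} is set")
        if path == ["service", "ssh"] and key == "disable-password-authentication":
            keys_only = True
    if not keys_only:
        findings.append("service ssh: disable-password-authentication is missing")
    return findings

# Constructed sample: a debug template carrying the workaround from this thread.
DEBUG_TEMPLATE = """
service {
    ssh {
        port 22
    }
}
system {
    login {
        user backdoor {
            authentication {
                encrypted-password $6$CONSTRUCTED$not.a.real.hash
                plaintext-password ""
            }
        }
    }
}
"""
if __name__ == "__main__":
    print("\n".join(audit(DEBUG_TEMPLATE)))
```

An empty list from `audit()` means the template has no password logins and SSH is key-only; run it against the template file before each build that will be shared.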

@spectre3500 Now that I think of it, did you build it with build-ami or the AWS target of the vyos-build scripts?

I wasn't aware that there was an aws target for the vyos-build scripts.

I used build-ami to create the AMI. In fact I came up with the same add-a-password workaround you mentioned.

Is this an issue with the rolling iso or would this problem also occur with an iso built from the crux branch? I went through the headache to make one of those and just created an ami using it and build-ami, but haven't had a chance to test it yet.

build-ami is working for me if I remove disable-password-authentication from the config template and add a password into the config template. I have come across another issue though. I was able to get it to work in us-east-1 and us-east-2, but I can't deploy into us-gov-west-1. The first problem was that it couldn't find a debian-jessie image, but that was solved by changing the owner from 379101102735 to 256493402735. Now it's throwing a 401 when attempting to list all subnets. I'm guessing that the Python code pulled from Ansible is configured for a specific region or the CLI command used in GovCloud is slightly different. Either way it's not working.

All you need for SSH keys to work for the AMI is to add the cloud-init package in the configure step:

# build docker image as "vyos-builder" - follow the instruction in vyos-build
sudo docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos-builder bash
./configure --custom-package cloud-init
sudo make iso
exit
../build-ami/vyos-build-ami http://.../vyos-live-image-amd64.hybrid.iso

If you just want to try VyOS, I've built a 1.2.1 AMI (available in us, ca, eu-west-1, eu-central-1): "VyOS free (HVM) 1.2.1-2019-06-04-05-21"