Current 1.1.7 AMI doesn't fetch SSH public key from the EC2 environment
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	dmbaturin
	Oct 21 2017, 11:47 AM

Description

Current AMIs boot correctly when deployed, but the user can't login to the instances because they do not fetch SSH public key from the EC2 environment.

The root cause is in an unexpected change made by Amazon to their system. For a few years, the both the system serial number and the system UUID used to start with EC2, so we used this fact for checking if VyOS is running in EC2, since fetching keys from a link-local address when running outside a controlled environment can be a security disaster.

Now only the system serial number starts with EC2, so that check no longer works as expected and returns false negatives.

Details

Difficulty level: Hard (possibly days)
Version: 1.1.7
Why the issue appeared?: Will be filled on close

Event Timeline

An AMI updated by hand was submitted to Amazon for testing.

Is there an argument against just using cloud-init for the AMI?

@jbeisser cloud init was integrated much later and still require testing
1.2 will be using cloud-init for that purpose

Seems that amazon updated 1.1.7 and complete fix will be available as part of 1.1.8

closing this

syncer moved this task from Needs Triage to Finished on the VyOS 1.1.x (1.1.8) board.Oct 26 2017, 7:34 PM

I face this issue on the new VyOS 1.1.8 AMI in the Frakfurt region. It is working in Seoul region.

Is it possible to have regression in some builds?

@begetan It is the same build that the marketplace team at AWS distributes to all regions. I've just made an instance in Frankfurt and it worked for me.

Could you please attach the disk of the affected instance to some other instance, add your key to the config by hand, then reattach it back and give us the output of 'run show version'?

I've did a lot of attempts, and removed old stuff. Anyway I can reproduce it one more time with the same result.
I am configuring 2 interfaces for the virtual router. May be it can be a problem?

Here is fresh installation of VyOS image mounted at another instance.

/boot/1.1.8/live-rw/config/config.boot

interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        hw-id 02:24:10:ae:3d:06
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        hw-id 02:5a:bd:a7:cd:a8
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
service {
    ssh {
        disable-password-authentication
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name VyOS-AMI
    login {
        user vyos {
            authentication {
                encrypted-password "*"
                plaintext-password ""
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.8 */

Please feel free to ask about additional details.

@begetan Does creating it with one interface first work for you?
Also, I still need the show version output from the running instance (complete with S/N and UUID) to see if it's the same issue or a different one.

After a lot of reinstallation and terminaton we broke Amazon VPS, so I did full test.

Create new AWS VPC. Public subnet is attached to IGW.

Install VyOS 1.1.8 from AWS Market Place: https://aws.amazon.com/marketplace/pp/B074KJK4WC

Configure one interface, but anyway we should assign an Elastic public IP because public autoassignment if off for our VPC

Connect with provided keys. VyOS is refusing our key.

Start new Ubuntu instance, unmount EBS Volume from VyOS, restart Ubuntu, mount vyois volume to Ubuntu.

We can see that Vyos boot/1.1.8/live-rw/config/config.boot has no any key

Add our public key for user admin to hte config, unmount, restart, mount start VyOS instance.

Now we can connect and get all information from the running instance:

admin@VyOS-AMI:~$ show version
Version:      VyOS 1.1.8
Description:  VyOS 1.1.8 (helium)
Copyright:    2017 VyOS maintainers and contributors
Built by:     [email protected]
Built on:     Fri Nov 10 05:05:20 UTC 2017
Build ID:     1711100505-b483efc
System type:  x86 64-bit
Boot via:     image
Hypervisor:   Xen hvm
HW model:     HVM domU
HW S/N:       ec278534-b900-3ae5-8ae7-6d366a8b17f2
HW UUID:      348527EC-00B9-E53A-8AE7-6D366A8B17F2
Uptime:       09:40:56 up 2 min,  1 user,  load average: 0.01, 0.02, 0.01

I reproduce the same problem on VyOS 1.1.8 on different region - N.Verginia.

Should I open new ticket about this issue for the version 1.1.8?

Current 1.1.7 AMI doesn't fetch SSH public key from the EC2 environmentClosed, ResolvedPublicBUGActions

Description

Details

Event Timeline

Current 1.1.7 AMI doesn't fetch SSH public key from the EC2 environment
Closed, ResolvedPublicBUG
Actions