Current 1.1.7 AMI doesn't fetch SSH public key from the EC2 environment
Closed, ResolvedPublicBUG


Current AMIs boot correctly when deployed, but the user can't login to the instances because they do not fetch SSH public key from the EC2 environment.

The root cause is in an unexpected change made by Amazon to their system. For a few years, the both the system serial number and the system UUID used to start with EC2, so we used this fact for checking if VyOS is running in EC2, since fetching keys from a link-local address when running outside a controlled environment can be a security disaster.

Now only the system serial number starts with EC2, so that check no longer works as expected and returns false negatives.


Difficulty level
Hard (possibly days)
Why the issue appeared?
Will be filled on close

An AMI updated by hand was submitted to Amazon for testing.

Is there an argument against just using cloud-init for the AMI?

syncer added a subscriber: syncer.Oct 26 2017, 6:48 PM

@jbeisser cloud init was integrated much later and still require testing
1.2 will be using cloud-init for that purpose

syncer closed this task as Resolved.Oct 26 2017, 7:34 PM
syncer moved this task from Need Triage to Backlog on the VyOS 1.1.x board.
syncer edited projects, added VyOS 1.1.x (1.1.8); removed VyOS 1.2.x, VyOS 1.1.x.
syncer claimed this task.

Seems that amazon updated 1.1.7 and complete fix will be available as part of 1.1.8

closing this

begetan added a subscriber: begetan.Dec 6 2017, 2:24 PM

I face this issue on the new VyOS 1.1.8 AMI in the Frakfurt region. It is working in Seoul region.

Is it possible to have regression in some builds?

@begetan It is the same build that the marketplace team at AWS distributes to all regions. I've just made an instance in Frankfurt and it worked for me.

Could you please attach the disk of the affected instance to some other instance, add your key to the config by hand, then reattach it back and give us the output of 'run show version'?

begetan added a comment.EditedDec 6 2017, 5:57 PM

I've did a lot of attempts, and removed old stuff. Anyway I can reproduce it one more time with the same result.
I am configuring 2 interfaces for the virtual router. May be it can be a problem?

Here is fresh installation of VyOS image mounted at another instance.


interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        hw-id 02:24:10:ae:3d:06
        smp_affinity auto
        speed auto
    ethernet eth1 {
        duplex auto
        hw-id 02:5a:bd:a7:cd:a8
        smp_affinity auto
        speed auto
    loopback lo {
service {
    ssh {
        port 22
system {
    config-management {
        commit-revisions 20
    console {
        device ttyS0 {
            speed 9600
    host-name VyOS-AMI
    login {
        user vyos {
            authentication {
                encrypted-password "*"
                plaintext-password ""
            level admin
    ntp {
        server {
        server {
        server {
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            username ""
    syslog {
        global {
            facility all {
                level notice
            facility protocols {
                level debug
    time-zone UTC

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.8 */

Please feel free to ask about additional details.

@begetan Does creating it with one interface first work for you?
Also, I still need the show version output from the running instance (complete with S/N and UUID) to see if it's the same issue or a different one.

After a lot of reinstallation and terminaton we broke Amazon VPS, so I did full test.

  1. Create new AWS VPC. Public subnet is attached to IGW.
  1. Install VyOS 1.1.8 from AWS Market Place:

Configure one interface, but anyway we should assign an Elastic public IP because public autoassignment if off for our VPC

  1. Connect with provided keys. VyOS is refusing our key.
  1. Start new Ubuntu instance, unmount EBS Volume from VyOS, restart Ubuntu, mount vyois volume to Ubuntu.
  1. We can see that Vyos boot/1.1.8/live-rw/config/config.boot has no any key
  1. Add our public key for user admin to hte config, unmount, restart, mount start VyOS instance.
  1. Now we can connect and get all information from the running instance:
admin@VyOS-AMI:~$ show version
Version:      VyOS 1.1.8
Description:  VyOS 1.1.8 (helium)
Copyright:    2017 VyOS maintainers and contributors
Built by:
Built on:     Fri Nov 10 05:05:20 UTC 2017
Build ID:     1711100505-b483efc
System type:  x86 64-bit
Boot via:     image
Hypervisor:   Xen hvm
HW model:     HVM domU
HW S/N:       ec278534-b900-3ae5-8ae7-6d366a8b17f2
HW UUID:      348527EC-00B9-E53A-8AE7-6D366A8B17F2
Uptime:       09:40:56 up 2 min,  1 user,  load average: 0.01, 0.02, 0.01

I reproduce the same problem on VyOS 1.1.8 on different region - N.Verginia.

Should I open new ticket about this issue for the version 1.1.8?