On ssh to root@ instruct user to try ubuntu@ instead

Bug #325067 reported by Eric Hammond
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on EC2 | Fix Released | Wishlist | Unassigned |
ec2-init (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

The official Ubuntu beta2 AMI will prevent ssh to root@ and allow ssh to ubuntu@ so that the image follows the normal Ubuntu standards for security (allowing user "ubuntu" to sudo).

Existing EC2 users are familiar with ssh to root@ given that most existing AMIs allow this, the EC2 documentation describes this, and tools like Elasticfox and the EC2 console provide commands to that effect. Given this, we need to help point users in the right direction when they try to ssh to root@ and the best approach (right message at the right time) seems to be to output a message when the user connects with ssh to root incorrectly.

The following steps are one way to accomplish this message while only showing it to somebody who has the correct key and not increasing security risks of letting users get in as root.

At first boot, when /home/ubuntu/.ssh/authorized_keys is created, also create a /root/.ssh/authorized_keys file. It would have the same content (keypair) with an additional first field like:

command="echo;echo 'Please ssh to the \"ubuntu\" user on this host instead of \"root\"';echo"

So, the entire /root/.ssh/authorized_keys file would end up looking something like:

command="echo;echo 'Please ssh to the \"ubuntu\" user on this host instead of \"root\"';echo" ssh-rsa AAAAB3N[...] KEYPAIRNAME

This results in an ssh attempt that looks like:

user@localhost:~$ ssh -i KEYPAIR.pem <email address hidden>

Please ssh to the "ubuntu" user on this host instead of "root"

Connection to ec2-174-129-189-221.compute-1.amazonaws.com closed.
user@localhost:~$

Chuck Short (zulcss) wrote :

I actually like this idea.

Changed in ubuntu-on-ec2:
importance: Undecided → Wishlist
status: New → In Progress
Eric Hammond (esh)
description: updated
Eric Hammond (esh) wrote :

I think it might be a good idea to slap on a ";sleep 10" at the end of the command:

command="echo;echo 'Please ssh to the \"ubuntu\" user on this host instead of \"root\"';echo;sleep 10"

This will help people see the error message, especially if they are running something like Elasticfox (EC2 extension for Firefox) which opens up a new terminal window with the ssh to root.

The terminal window disappears as soon as the connection is dropped, so the user would never see the error message unless there is a pause after displaying it.
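
The procedure from the bug description, with the ";sleep 10" from the comment above, as an added example that is not ec2-init's own code: it builds root's authorized_keys content from the ubuntu user's keys. The function names, the skipping of lines that already carry options, and the extra no-*-forwarding options are assumptions of this example and are not part of the report.

```python
import os
import re

# Forced command from the report, with the ";sleep 10" from the follow-up comment.
FORCED_CMD = r"""echo;echo 'Please ssh to the \"ubuntu\" user on this host instead of \"root\"';echo;sleep 10"""

# Assumption, not in the report: also disable forwarding, which sshd still
# permits for a key that only carries command="...".
EXTRA_OPTS = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding"

# A plain key line: key type, base64 blob, optional comment (no leading options).
PLAIN_KEY = re.compile(
    r"^(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/]+=*(?:\s.*)?$")


def root_authorized_keys(ubuntu_keys: str) -> str:
    """Build /root/.ssh/authorized_keys content from the ubuntu user's keys."""
    prefix = f'{EXTRA_OPTS},command="{FORCED_CMD}"'
    out = []
    for line in ubuntu_keys.splitlines():
        line = line.strip()
        # Fail closed: comments, blanks and lines that already carry options or
        # do not parse as a key are dropped, never copied to root unrestricted.
        if PLAIN_KEY.match(line):
            out.append(f"{prefix} {line}")
    return "".join(entry + "\n" for entry in out)


def write_root_keys(src: str, dst: str) -> int:
    """Write the restricted file with mode 0600; return the number of keys."""
    with open(src, encoding="utf-8") as fh:
        content = root_authorized_keys(fh.read())
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # enforce the mode even if dst already existed
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    return content.count("\n")


if __name__ == "__main__":
    # Constructed sample input, not a real key.
    sample = "# keypair from instance metadata\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 KEYPAIRNAME\n"
    print(root_authorized_keys(sample), end="")
```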

Chuck Short (zulcss) wrote :

I've added this beta2

Changed in ubuntu-on-ec2:
milestone: none → beta2
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ec2-init - 0.3.3ubuntu2

---------------
ec2-init (0.3.3ubuntu2) jaunty; urgency=low

  * debian/ec2-set-apt-sources.py:
    - Use the ec2 mirrors. (LP: #317065, #333897)
    - Update the /etc/apt/sources.list (LP: #333904)
  * debian/ec2-fetch-credentials.py:
    - Better error checking (LP: #325067)

 -- Chuck Short <email address hidden> Tue, 24 Feb 2009 14:02:37 -0500

Changed in ec2-init:
status: New → Fix Released
Chuck Short (zulcss) wrote :

beta2 is out.

Changed in ubuntu-on-ec2:
status: Fix Committed → Fix Released