ec2ify:ident: 5 required steps to log in to an instance
Wednesday May 21, 2008
This entry is part of the 'OpenSolaris on Amazon EC2' workshop.
Based on my previous Linux on Amazon AWS experience I define 5 required Solaris ec2ify steps:
1) Update the OpenSSH configuration for Amazon AWS ssh keypair access
2) Fix DNS name services and DHCP, if needed
3) Fix the system time with ntpdate
4) Get the instance's ssh keypair
5) Get the developer / recovery key, if one exists and getting the Amazon key fails
PS: For image creation we also need a cleanup phase (script?): delete sensitive data, zero unused space for better compression, clean shutdown. I will address these issues in a separate section later.
Amazon EC2 uses an SSH private/public keypair infrastructure for login: the user starting an instance is identified by the keypair the instance was started with, so that user's public key must be downloaded from the instance meta-data on instance start.
The SSH login user is commonly root, but it can be any user; for security reasons Amazon also recommends disabling password-based ssh logins for root.
The current version of the ec2ify scripts is on your image under /opt/ec2ify/.
1. Setting up the ssh and sshd configs
Note: in Solaris 10+ the sshd option is LookupClientHostnames, not UseDNS (turning it off avoids a reverse-DNS delay on every login).
In /etc/ssh/sshd_config edit/add these lines:
PermitRootLogin without-password
RSAAuthentication yes
LookupClientHostnames no
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPIStoreDelegatedCredentials no
Two caveats: PermitRootLogin without-password disables password login only for root, so if you add other login users also set PasswordAuthentication no; and RSAAuthentication governs protocol 1 only, protocol 2 key login is controlled by PubkeyAuthentication (yes by default).
In /etc/ssh/ssh_config edit/add these lines:
GSSAPIAuthentication no
GSSAPIKeyExchange no
Then restart sshd:
svcadm restart ssh
2. Create a script which will get the keypair on OS boot
cat getsshkey.sh
#!/bin/bash
# !!! This script runs under SMF: use full paths for executables/scripts !!!
# Retrieve the keypair credentials from the Amazon AWS instance meta-data.
# Port to Solaris 10 SMF, with a privileged user and local developer keys on /mnt.
# Fetch any credentials presented at launch time and add them to root's public keys.
# If the connection to Amazon AWS times out, try to use the local developer keys.
#
# Recovery keys were also added as a fail-over when developing directly on Amazon AWS.
. /lib/svc/share/smf_include.sh
# Because we are providing shared images we delete the original authorized_keys.
# If this is your private AMI you can create authorized_keys.recovery
# and it will be appended.
# For the classic UNIX security model we use root; on the privilege model
# (default in OpenSolaris 2008.05) we have a user with the root role,
# so we put authorized_keys in the home dir of this privileged user.
###: Workarounds section start
# Workaround for OpenSolaris 2008.05 issue:
# Time after reboot starts at the Epoch 1.1.1970, or even in 1969 if the zone is a US one
#
# zfs_mountroot() may need to call clkset() to set the boot_time kstat
# http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6574993
# Time zone is UTC by default
# Move the clock near the actual time with "date", then sync it with ntpdate
CURR_YEAR=`/usr/bin/date +%Y`
if [ "$CURR_YEAR" -lt 2008 ] ; then
echo "Moving time with date to May/12 06:01 2008"
/usr/bin/date -u "051206012008.01"
fi
# Time is not synchronized
# Sync time, needed for the Amazon EC2 or S3 services (their signed requests are rejected with a wrong clock)
echo "Syncing time with ntpdate, with IP fail over "
/usr/sbin/ntpdate -v 0.north-america.pool.ntp.org stratum2.sjc1.publicntp.net
/usr/sbin/ntpdate -v 66.250.45.2 207.150.167.80 216.184.20.83 69.36.249.227
/usr/sbin/ntpdate -v time.czech.sun.com
###: Workarounds section stop
# Select the user: 'root' or the privileged user, we use 'osol'
export USER=root
#export USER=osol
PUB_KEY_URI=http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
PUB_KEY_FROM_HTTP=/tmp/openssh_id.pub
USER_HOME=`/usr/bin/grep "^${USER}:" /etc/passwd | /usr/bin/awk -F: '{ print $6 }'`
# If we Linuxify Solaris, root's home is "/root", not the default "/"; strip a bare "/"
if [ "$USER_HOME" = "/" ] ; then USER_HOME= ; fi
echo "Getting authorized_keys for user '$USER' into home dir: '$USER_HOME' "
USER_AUTHORIZED_KEYS=$USER_HOME/.ssh/authorized_keys
USER_AUTHORIZED_KEYS_RECOVERY=$USER_HOME/.ssh/authorized_keys.recovery
# Keys are by SSH default in the directory $root_home/.ssh
if [ ! -d $USER_HOME/.ssh ] ; then
/usr/bin/mkdir -p $USER_HOME/.ssh
/usr/bin/chmod 700 $USER_HOME/.ssh
/usr/bin/chown $USER $USER_HOME/.ssh
fi
echo "Trying to get the key from Amazon AWS"
# Fetch credentials... script max time 6 attempts x 15 s + 5 x 3 s delay = 105 s, SMF timeout for the start method is 160 s
/usr/bin/curl --connect-timeout 15 --retry 5 --retry-delay 3 --fail -o $PUB_KEY_FROM_HTTP $PUB_KEY_URI
if [ $? -eq 0 ] ; then
/usr/bin/cat $PUB_KEY_FROM_HTTP > $USER_AUTHORIZED_KEYS
/usr/bin/rm -f $PUB_KEY_FROM_HTTP
else
# Fail-over, dirty execution
echo "Trying developer mode, key on the extra disk (m1.small or zfs pool) /mnt/authorized_keys"
# In case we don't use ZFS with automount
/usr/sbin/mount -F ufs /dev/dsk/c0d1s0 /mnt >/dev/null 2>&1
if [ -f /mnt/authorized_keys ] ; then
echo "Developer mode, key found on /mnt/authorized_keys"
/usr/bin/cat /mnt/authorized_keys > $USER_AUTHORIZED_KEYS
fi
fi
if [ -f $USER_AUTHORIZED_KEYS_RECOVERY ] ; then
/usr/bin/cat $USER_AUTHORIZED_KEYS_RECOVERY >> $USER_AUTHORIZED_KEYS
fi
# Protection against failing with "no rights"
/usr/bin/touch $USER_AUTHORIZED_KEYS
/usr/bin/chmod 0600 $USER_AUTHORIZED_KEYS
/usr/bin/chown $USER $USER_AUTHORIZED_KEYS
exit $SMF_EXIT_OK
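The ec2ify script above copies whatever the meta-data service returns straight into authorized_keys and writes that file in place. The following is an added example, not code from the ec2ify scripts or from the original post, showing the checks a practitioner would put around that step: the fetched content is validated as plain OpenSSH public-key lines (so an empty answer, an HTML error body or a line with command="..." options never becomes a login credential), the file is built under a 077 umask and renamed into place atomically, and a recovery file is appended as in the original. The meta-data URI and curl timeouts are the ones from the script; the sample key blob, the file names and the mktemp directories are constructed for the offline demo, and grep is assumed to support -E (GNU grep, or /usr/xpg4/bin/grep on Solaris 10).

```shell
#!/bin/sh
# Added example, not part of the ec2ify scripts: validate and install a launch
# keypair fetched from the EC2 instance meta-data service.
# Assumption: grep supports -E (GNU grep, or /usr/xpg4/bin/grep on Solaris 10).

# A plain OpenSSH public key line: type, base64 blob, optional comment.
# No leading options field is allowed.
PUBKEY_RE='^(ssh-rsa|ssh-dss) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'

# Return 0 if file $1 contains at least one key line and every non-blank
# line is a key line; 1 otherwise (empty file, HTML error body, options).
valid_pubkey_file() {
    [ -s "$1" ] || return 1
    if grep -v '^[[:space:]]*$' "$1" | grep -Evq "$PUBKEY_RE"; then
        return 1
    fi
    grep -Eq "$PUBKEY_RE" "$1"
}

# Install the validated keys in $1 as $2/.ssh/authorized_keys for user $3,
# appending $2/.ssh/authorized_keys.recovery if present (private-AMI case).
# Nothing is written if validation fails; the file is assembled under a 077
# umask and renamed into place so sshd never reads a half-written file.
install_authorized_keys() {
    src=$1; home=$2; user=$3
    valid_pubkey_file "$src" || return 1
    (
        umask 077
        mkdir -p "$home/.ssh" || exit 1
        tmp="$home/.ssh/.authorized_keys.$$"
        cat "$src" > "$tmp" || exit 1
        if [ -f "$home/.ssh/authorized_keys.recovery" ]; then
            cat "$home/.ssh/authorized_keys.recovery" >> "$tmp" || exit 1
        fi
        # chown only when running as root (the SMF case); as an ordinary
        # user the files already belong to the caller.
        if [ "$(id -u)" -eq 0 ]; then
            chown "$user" "$home/.ssh" "$tmp" || exit 1
        fi
        mv "$tmp" "$home/.ssh/authorized_keys"
    )
}

# Fetch the launch keypair from the meta-data service into file $1, with the
# URI and timeouts of the ec2ify script (6 attempts x 15 s plus 5 x 3 s delays
# stays under the 160 s SMF start timeout). Returns curl's exit status.
fetch_metadata_key() {
    /usr/bin/curl --silent --show-error --fail \
        --connect-timeout 15 --retry 5 --retry-delay 3 \
        -o "$1" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
}

# Offline demo with constructed input (the key blob is not a real key): a
# well-formed key is installed, an HTML error body is rejected and no
# authorized_keys file appears for it.
demo() {
    d=$(mktemp -d) || return 1
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleNotARealKeyAAAA== ec2-keypair\n' > "$d/good"
    printf '<html><body>404 Not Found</body></html>\n' > "$d/bad"
    if install_authorized_keys "$d/good" "$d/home" "$(id -un)"; then
        echo "good key installed:"; cat "$d/home/.ssh/authorized_keys"
    fi
    if ! install_authorized_keys "$d/bad" "$d/home2" "$(id -un)"; then
        echo "error body rejected, no authorized_keys written"
    fi
    rm -rf "$d"
}

demo
```

In the SMF method you would call fetch_metadata_key into a temp file and then install_authorized_keys on it, falling back to /mnt/authorized_keys exactly as the ec2ify script does; the point is that the fallback and the recovery file go through the same validation and atomic write, rather than being cat'ed into place.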
3. Generate and back up a developer ssh keypair (both DSA and RSA, for ssh client compatibility)
ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
/root/.ssh/id_dsa already exists.
Overwrite (yes/no)? yes
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
c5:c4:ee:32:9c:8d:64:d3:de:82:49:75:b4:a8:91:20 root@jsc-xen-14
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
02:c6:3f:2b:d0:55:4c:cf:98:c2:bc:e3:5d:1b:da:af root@jsc-xen-14
Allow root login with the developer keypairs:
cat /root/.ssh/id_rsa.pub /root/.ssh/id_dsa.pub > /root/.ssh/authorized_keys
chmod 0600 /root/.ssh/authorized_keys
Move /root/.ssh/id_* out of the image to a safe place: the private keys must not ship in a shared AMI (this is part of the cleanup phase mentioned above).
Test that you can log in using the new DSA and RSA keys:
ssh -i keypair root@hostname
4. Creating the SMF service ec2ify-ident
The standard Linux script S99getsshkey is executed too late, with the side effect that the user sees the Amazon AWS instance with status running and can ssh to it, but can't log in because the key has not been installed yet.
I created an SMF port of S99getsshkey to fix this issue completely.
cat ec2ident.xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='ec2ify:ident'>
<service name='ec2ify/ident' type='service' version='1'>
<create_default_instance enabled='true' />
<single_instance />
<dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/local' />
</dependency>
<dependency name='network-service' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/network/service' />
</dependency>
<exec_method type='method' name='start' exec='/opt/ec2ify/scripts/getsshkey.sh' timeout_seconds='160' />
<exec_method type='method' name='stop' exec=':true' timeout_seconds='0' />
<exec_method type='method' name='refresh' exec=':true' timeout_seconds='0' />
<exec_method type='method' name='restart' exec=':true' timeout_seconds='0' />
<property_group name='startd' type='framework'>
<propval name='duration' type='astring' value='transient' />
</property_group>
<stability value='Unstable' />
<template>
<common_name>
<loctext xml:lang='C'>Amazon EC2 ec2ify ident script - loading needed SSH identity keys</loctext>
</common_name>
</template>
</service>
</service_bundle>
5. Register the SMF service
cat smfadd-ident.sh
#!/usr/bin/sh
rm -f /var/svc/log/ec2ify-ident:default.log
/usr/sbin/svccfg validate /opt/ec2ify/scripts/ec2ident.xml
/usr/sbin/svccfg import /opt/ec2ify/scripts/ec2ident.xml
sleep 3
/usr/sbin/svcadm enable svc:/ec2ify/ident:default
6. Debug the ec2ify-ident service
svcs -a | grep ec2ify
online 11:43:24 svc:/ec2ify/ident:default
svcs -l svc:/ec2ify/ident:default
fmri svc:/ec2ify/ident:default
name Amazon EC2 ec2ify ident script - loading needed SSH identity keys
enabled true
state online
next_state none
state_time Wed May 21 11:43:24 2008
logfile /var/svc/log/ec2ify-ident:default.log
restarter svc:/system/svc/restarter:default
dependency require_all/none svc:/system/filesystem/local (online)
dependency require_all/none svc:/network/service (online)
cat /var/svc/log/ec2ify-ident:default.log | more
If the service ends up in the maintenance state instead of online, svcs -xv svc:/ec2ify/ident:default together with the log above shows which step failed.
7. Fix DNS name services generated from DHCP
cp /etc/nsswitch.dns /etc/nsswitch.conf
rm /etc/resolv.conf
nsswitch.dns enables DNS for host lookups; removing the stale /etc/resolv.conf lets it be regenerated from the DHCP lease at boot instead of pointing at the name servers of the machine the image was built on.