ec2ify:ident: 5 required steps to log in to an instance

Based on my previous experience with Linux on Amazon AWS I define 5 required Solaris ec2ify steps:

This entry is part of the 'OpenSolaris on Amazon EC2' workshop

1) Update the OpenSSH configuration for Amazon AWS ssh keypair access
2) Fix DNS name services and DHCP, if needed
3) Fix the system time with ntpdate
4) Get the instance's ssh keypair
5) Get the devel / recovery key, if one exists and fetching the Amazon key fails

PS: For image creation we also need a cleanup phase (script?): delete sensitive data, zero unused space for better compression, clean shutdown. I will address these issues in a separate section later.

Amazon EC2 uses an SSH private/public keypair infrastructure for login: the user starting an instance is identified by the keypair the instance was started with, so the user's public key must be downloaded (from the instance meta-data service) when the instance starts.

It is common for the SSH login user to be root, but it can be any user; for security reasons Amazon also recommends disabling password-based ssh logins for root.

The current version of the ec2ify stuff is on your image under /opt/ec2ify/

1. Setting up the ssh and sshd configs

Instead of UseDNS, Solaris 10+ uses LookupClientHostnames.

In /etc/ssh/sshd_config edit/add the lines:

 PermitRootLogin without-password
 RSAAuthentication yes

 LookupClientHostnames no

 GSSAPIAuthentication no
 GSSAPIKeyExchange no
 GSSAPIStoreDelegatedCredentials no

Note that RSAAuthentication only governs SSH protocol 1; protocol 2 public-key login is controlled by PubkeyAuthentication, which defaults to yes. PermitRootLogin without-password keeps root reachable by key only, which is the password-login restriction Amazon recommends.

In /etc/ssh/ssh_config edit/add the lines:

 GSSAPIAuthentication no
 GSSAPIKeyExchange no

Then restart sshd:

svcadm restart ssh
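The settings above can be applied by hand, but an image build should apply them the same way every time and be able to prove what sshd will actually use. The script below is an added example, not part of the original page: it rewrites the step 1 options idempotently (replacing active or commented-out lines, appending missing ones) and reads back the effective value the way sshd does, first uncommented occurrence wins. It works on whatever file path it is given, so it can be tried on a copy; the function names are this example's own, and PubkeyAuthentication is included here because RSAAuthentication only covers SSH protocol 1.

```shell
#!/bin/sh
# Added example, not from the original page: apply the step 1 sshd_config
# settings idempotently and read back the effective values. Runs on the file
# path passed in, so it can be exercised on a copy; on the real system point it
# at /etc/ssh/sshd_config and follow with 'svcadm restart ssh'.
# Function names are this example's own.

# set_sshd_option FILE KEY VALUE
# Replace every existing KEY line (active or commented out) with "KEY VALUE",
# or append the line when KEY is absent, so repeated runs give the same file.
# The result is written to a temp file and renamed, never edited in place.
set_sshd_option() {
    _file=$1 _key=$2 _value=$3
    awk -v k="$_key" -v v="$_value" '
        tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }   # keep first position, drop duplicates
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# get_sshd_option FILE KEY -> prints the value sshd would use: the first
# uncommented occurrence wins, exactly as sshd parses its config.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE: the page's step 1 settings, plus PubkeyAuthentication.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin without-password
    set_sshd_option "$1" RSAAuthentication yes          # SSH protocol 1 only
    set_sshd_option "$1" PubkeyAuthentication yes       # SSH protocol 2 (added here)
    set_sshd_option "$1" LookupClientHostnames no       # Solaris name for UseDNS
    set_sshd_option "$1" GSSAPIAuthentication no
    set_sshd_option "$1" GSSAPIKeyExchange no
    set_sshd_option "$1" GSSAPIStoreDelegatedCredentials no
}

# Demo on a constructed, abridged sshd_config (not a real system file).
demo_sshd_hardening() {
    _tmp=${TMPDIR:-/tmp}/sshd_config.demo.$$
    cat > "$_tmp" <<'EOF'
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes
#RSAAuthentication yes
LookupClientHostnames yes
GSSAPIAuthentication yes
EOF
    harden_sshd_config "$_tmp"
    echo "--- hardened config ---"
    cat "$_tmp"
    echo "effective PermitRootLogin: $(get_sshd_option "$_tmp" PermitRootLogin)"
    rm -f "$_tmp"
}

demo_sshd_hardening
```

Run it twice against the same file and the second run changes nothing, which is what you want from a step in an image build; the get_sshd_option read-back is the check to put in the cleanup phase before bundling the AMI.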

2. Create the script which gets the keypair on OS boot

cat getsshkey.sh
#!/bin/bash

# !!! This script runs under SMF: use full paths for executables/scripts !!!

# Retrieve the keypair credentials from the Amazon AWS instance meta-data.
# Port to Solaris 10 SMF, privileged user and local developer keys on /mnt

# Fetch any credentials presented at launch time and add them to root's public keys.
# If the connection to Amazon AWS times out, try to use local developer keys.
#
# A recovery key is also supported as fail-over when developing directly on Amazon AWS.

. /lib/svc/share/smf_include.sh

# Because we are providing shared images we delete the original authorized_keys.
# If this is your private AMI you can provide authorized_keys.recovery
# and it will be appended.

# For the classic UNIX security model we use root; on the privilege model
# (the default in OpenSolaris 2008.05) we have a user with the root role,
# so authorized_keys goes into the home directory of that privileged user.

###: Workarounds section start

# Workaround for OpenSolaris 2008.05 issue:
# After reboot the clock starts from the Epoch, 1 Jan 1970 (or even 1969 if the
# time zone is west of UTC, e.g. a US zone).
#
# zfs_mountroot() may need to call clkset() to set the boot_time kstat
# http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6574993

# Time zone is UTC by default.
# Move the clock near the real date with "date", then sync it with ntpdate.

CURR_YEAR=`/usr/bin/date +%Y`

if [ "$CURR_YEAR" -lt 2008 ] ; then
        echo "Moving time with date to May/12 06:01 2008"
        /usr/bin/date -u 051206012008.01
fi

# Time is not synchronized: sync it, needed for the Amazon EC2 and S3 services
# (their signed API requests are rejected when the clock is far off).

echo "Syncing time with ntpdate, with IP fail over"

/usr/sbin/ntpdate -v 0.north-america.pool.ntp.org stratum2.sjc1.publicntp.net
/usr/sbin/ntpdate -v 66.250.45.2 207.150.167.80 216.184.20.83 69.36.249.227
/usr/sbin/ntpdate -v time.czech.sun.com

###: Workarounds section stop

# Select user 'root' or the privileged user, we use 'osol'
export USER=root
#export USER=osol

PUB_KEY_URI=http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
# /tmp is world-writable: use an unpredictable temp file name, not one a local
# user could pre-create as a symlink before this script writes to it.
PUB_KEY_FROM_HTTP=`/usr/bin/mktemp /tmp/openssh_id.pub.XXXXXX` || exit $SMF_EXIT_ERR_FATAL

USER_HOME=`/usr/bin/grep "^${USER}:" /etc/passwd | /usr/bin/awk -F: '{print $6}'`

# If we Linuxify Solaris, root's home is "/root", not the default "/": strip the bare "/"
# so that "$USER_HOME/.ssh" does not become "//.ssh".
if [ "$USER_HOME" = "/" ] ; then USER_HOME= ; fi

echo "Getting authorized_keys for user '$USER' into home dir: '$USER_HOME'"

USER_AUTHORIZED_KEYS=$USER_HOME/.ssh/authorized_keys
USER_AUTHORIZED_KEYS_RECOVERY=$USER_HOME/.ssh/authorized_keys.recovery

# Keys are by SSH default in directory $USER_HOME/.ssh
if [ ! -d "$USER_HOME/.ssh" ] ; then
        /usr/bin/mkdir -p "$USER_HOME/.ssh"
        /usr/bin/chmod 700 "$USER_HOME/.ssh"
        /usr/bin/chown "$USER" "$USER_HOME/.ssh"
fi

echo "Trying to get key from Amazon AWS"
# Fetch credentials... script max time (15+3)*6 = 108s, SMF timeout for the start method is 160s
/usr/bin/curl --connect-timeout 15 --retry 5 --retry-delay 3 --fail -o "$PUB_KEY_FROM_HTTP" "$PUB_KEY_URI"
if [ $? -eq 0 ] ; then
        /usr/bin/cat "$PUB_KEY_FROM_HTTP" > "$USER_AUTHORIZED_KEYS"
else
        # Fail-over, developer mode
        echo "Trying developer mode, key on extra disk (m1.small or zfs pool) /mnt/authorized_keys"
        # In case we don't use ZFS with automount
        /usr/sbin/mount -F ufs /dev/dsk/c0d1s0 /mnt >/dev/null 2>&1
        if [ -f /mnt/authorized_keys ] ; then
                echo "Developer mode, key found on /mnt/authorized_keys"
                /usr/bin/cat /mnt/authorized_keys > "$USER_AUTHORIZED_KEYS"
        fi
fi
/usr/bin/rm -f "$PUB_KEY_FROM_HTTP"
# Note: if neither source yields a key, whatever authorized_keys the image shipped
# with stays in place, so the cleanup phase must remove it before the image is bundled.

if [ -f "$USER_AUTHORIZED_KEYS_RECOVERY" ] ; then
        /usr/bin/cat "$USER_AUTHORIZED_KEYS_RECOVERY" >> "$USER_AUTHORIZED_KEYS"
fi

# Make sure the file exists with the owner and mode sshd requires
# (with StrictModes, sshd ignores an authorized_keys that others can write to)

/usr/bin/touch "$USER_AUTHORIZED_KEYS"
/usr/bin/chmod 0600 "$USER_AUTHORIZED_KEYS"
/usr/bin/chown "$USER" "$USER_AUTHORIZED_KEYS"

exit $SMF_EXIT_OK
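The script above writes whatever curl returned straight into root's authorized_keys. curl --fail catches HTTP error codes, but not a 200 response that is not a key (a captive proxy page, an empty body, or a line carrying authorized_keys options such as command="..."). The following is an added example, not part of the page's getsshkey.sh: it validates the fetched body as exactly one ssh-rsa or ssh-dss public key before installing it, and installs it through a temp file created with umask 077 so sshd never sees a partial or loosely permissioned file. The meta-data URL and curl flags are the page's; the function names are this example's own, and the sample keys are constructed strings shaped like keys, not real ones.

```shell
#!/bin/sh
# Added example, not part of the original getsshkey.sh: validate the public key
# fetched from the EC2 meta-data service before it goes into authorized_keys,
# and install it atomically with the right mode. Function names are this
# example's own; the sample key blobs below are constructed, not real keys.

# is_valid_pubkey LINE -> exit 0 only if LINE is exactly one OpenSSH public key:
#   "<type> <base64 blob> [comment]" with type ssh-rsa or ssh-dss and a blob that
#   starts with the base64 encoding of its own type name, which is how OpenSSH
#   wire-format keys begin. Anything else (empty body, an HTML error page, several
#   lines, or a line that starts with key options such as command="...") is
#   rejected, so it can never end up in root's authorized_keys.
is_valid_pubkey() {
    printf '%s\n' "$1" | awk '
        NR > 1 { bad = 1 }
        NR == 1 {
            if ($1 == "ssh-rsa") { prefix = "AAAAB3NzaC1yc2E" }
            else if ($1 == "ssh-dss") { prefix = "AAAAB3NzaC1kc3M" }
            else { bad = 1 }
            if ($2 !~ /^[A-Za-z0-9+\/]+=*$/ || length($2) < 64) bad = 1
            if (!bad && substr($2, 1, length(prefix)) != prefix) bad = 1
        }
        END { if (bad || NR != 1) exit 1; exit 0 }
    '
}

# install_authorized_key KEYLINE DEST OWNER -> 0 on success, 1 if rejected.
# Validates first, then writes DEST through a temp file in the same directory,
# created with umask 077 and renamed into place, so sshd never sees a partial
# authorized_keys or one that others can write to (StrictModes would ignore it).
install_authorized_key() {
    _key=$1 _dest=$2 _owner=$3
    is_valid_pubkey "$_key" || return 1
    _dir=$(dirname "$_dest")
    if [ ! -d "$_dir" ]; then
        mkdir -p "$_dir" && chmod 700 "$_dir" || return 1
    fi
    _tmp="$_dest.tmp.$$"
    ( umask 077 && printf '%s\n' "$_key" > "$_tmp" ) || return 1
    chown "$_owner" "$_tmp" 2>/dev/null    # needs root; best effort otherwise
    mv "$_tmp" "$_dest"
}

# fetch_metadata_key DEST OWNER: the page's curl invocation, feeding the
# validator instead of writing straight into authorized_keys (needs network).
fetch_metadata_key() {
    _uri=http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
    _body=$(curl --connect-timeout 15 --retry 5 --retry-delay 3 --fail -s "$_uri") || return 2
    install_authorized_key "$_body" "$1" "$2"
}

# Constructed samples: shaped like keys, not usable for login anywhere.
GOOD_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDConstructedExampleBlobNotARealKey0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH== ec2-keypair'
BAD_TYPE='rsa-key AAAAB3NzaC1yc2EAAAADAQABAAAAgQDConstructedExampleBlobNotARealKey0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH=='
BAD_PREFIX='ssh-rsa AAAAB3NzaC1kc3MAAAADAQABAAAAgQDConstructedExampleBlobNotARealKey0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH=='
BAD_OPTS='command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDConstructedExampleBlobNotARealKey0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH=='
BAD_HTML='<html><body>502 Bad Gateway</body></html>'
BAD_MULTI=$(printf '%s\n%s' "$GOOD_KEY" "$GOOD_KEY")

demo_key_check() {
    for k in "$GOOD_KEY" "$BAD_TYPE" "$BAD_PREFIX" "$BAD_OPTS" "$BAD_HTML" "$BAD_MULTI"; do
        if is_valid_pubkey "$k"; then echo "accept: ${k%% *}"; else echo "reject: ${k%% *}"; fi
    done
    _d=${TMPDIR:-/tmp}/ec2ify.demo.$$
    install_authorized_key "$GOOD_KEY" "$_d/.ssh/authorized_keys" "$(id -un)" &&
        ls -l "$_d/.ssh/authorized_keys"
    rm -rf "$_d"
}

demo_key_check
```

Dropping this into getsshkey.sh means replacing the cat of $PUB_KEY_FROM_HTTP with install_authorized_key on its contents; the developer-mode and recovery files can go through the same validator, which also catches a Windows-style CRLF pasted into /mnt/authorized_keys.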

3. Generate and back up the developer ssh keypair (both DSA and RSA for ssh client compatibility)

ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
/root/.ssh/id_dsa already exists.
Overwrite (yes/no)? yes
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
c5:c4:ee:32:9c:8d:64:d3:de:82:49:75:b4:a8:91:20 root@jsc-xen-14
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
02:c6:3f:2b:d0:55:4c:cf:98:c2:bc:e3:5d:1b:da:af root@jsc-xen-14

Allow root login with the developer keypairs:

cat /root/.ssh/id_rsa.pub /root/.ssh/id_dsa.pub > /root/.ssh/authorized_keys
chmod 0600 /root/.ssh/authorized_keys

Move /root/.ssh/id_* out of the image: the private keys must never ship inside a shared AMI, and it saves space too.

Test that you can log in using the new DSA and RSA keys:

ssh -i keypair root@hostname

4. Creating the SMF service ec2ify-ident

The standard Linux script S99getsshkey runs too late: the side effect is that the user sees the AMI instance as running in Amazon AWS and can reach it over ssh, but cannot log in because the key is not in place yet.

I created an SMF port of S99getsshkey to fix this issue for good.

cat ec2ident.xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='ec2ify:ident'>

<service name='ec2ify/ident' type='service' version='1'>
        <create_default_instance enabled='true' />
        <single_instance />
        <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
                <service_fmri value='svc:/system/filesystem/local' />
        </dependency>
        <dependency name='network-service' grouping='require_all' restart_on='none' type='service'>
                <service_fmri value='svc:/network/service' />
        </dependency>
        <exec_method type='method' name='start' exec='/opt/ec2ify/scripts/getsshkey.sh' timeout_seconds='160' />
        <exec_method type='method' name='stop' exec=':true' timeout_seconds='0' />
        <exec_method type='method' name='refresh' exec=':true' timeout_seconds='0' />
        <exec_method type='method' name='restart' exec=':true' timeout_seconds='0' />
        <property_group name='startd' type='framework'>
                <propval name='duration' type='astring' value='transient' />
        </property_group>
        <stability value='Unstable' />
        <template>
                <common_name>
                        <loctext xml:lang='C'>Amazon EC2 ec2ify ident script - loading needed SSH identity keys</loctext>
                </common_name>
        </template>
</service>
</service_bundle>
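The manifest makes ec2ify/ident wait for local file systems and the network, but nothing makes sshd wait for ec2ify/ident, so svc:/network/ssh can still come online before the key is written, the same window the Linux S99 script leaves open. The fragment below is an addition here, not part of the page's manifest: a dependent element that inserts ec2ify/ident into sshd's dependency graph. It goes inside the <service> element, after the <dependency> elements and before the first <exec_method> (the order the service_bundle DTD requires). optional_all is used rather than require_all so that a disabled or failed ident service does not hold sshd offline and lock you out of the instance.

```xml
<!-- Added fragment: place inside <service name='ec2ify/ident' ...>,
     between the <dependency> elements and the first <exec_method>. -->
<dependent name='ec2ify_ident_ssh' grouping='optional_all' restart_on='none'>
        <service_fmri value='svc:/network/ssh' />
</dependent>
```

After re-importing the manifest, svcs -d svc:/network/ssh should list svc:/ec2ify/ident:default among sshd's dependencies.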

5. Register the SMF service

cat smfadd-ident.sh
#!/usr/bin/sh
/usr/bin/rm -f /var/svc/log/ec2ify-ident:default.log
# Stop on a manifest that does not validate; importing a broken manifest leaves a service that never starts
/usr/sbin/svccfg validate /opt/ec2ify/scripts/ec2ident.xml || exit 1
/usr/sbin/svccfg import /opt/ec2ify/scripts/ec2ident.xml || exit 1
sleep 3
/usr/sbin/svcadm enable svc:/ec2ify/ident:default

6. Debug the ec2ify-ident service

svcs -a | grep ec2ify
online         11:43:24 svc:/ec2ify/ident:default

svcs -l svc:/ec2ify/ident:default
fmri         svc:/ec2ify/ident:default
name         Amazon EC2 ec2ify ident script - loading needed SSH identity keys
enabled      true
state        online
next_state   none
state_time   Wed May 21 11:43:24 2008
logfile      /var/svc/log/ec2ify-ident:default.log
restarter    svc:/system/svc/restarter:default
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   require_all/none svc:/network/service (online)

cat /var/svc/log/ec2ify-ident:default.log | more

7. Fix the DNS name service configuration generated from DHCP

cp /etc/nsswitch.dns /etc/nsswitch.conf
rm /etc/resolv.conf

nsswitch.dns makes host lookups go to DNS; removing the stale /etc/resolv.conf lets it be regenerated from the DHCP-supplied DNS options at the next boot.