widdix/aws-ec2-ssh

authorized_keys_command is not working

sohel2020 opened this issue · 5 comments

Operating System: ubuntu 14.04
AWS CLI Version: aws-cli/1.14.16 Python/2.7.6 Linux/3.13.0-135-generic botocore/1.8.20
SSHD Version: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014

I tried to log in to my server but failed.
ssh debug log:
debug3: Running AuthorizedKeysCommand: "/opt/authorized_keys_command.sh tarikur" as "nobody"
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 65534/65534 (e=0/0)
debug2: key not found
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1008/1009 (e=0/0)

But when I run /opt/authorized_keys_command.sh tarikur from the terminal it returns my public key, so the script is working.

Can you run the steps described in #100 to debug this?

@michaelwittig thanks. Problem is solved. The problem was that I had configured my AWS access key and secret access key with the aws configure command as the root user. But when I attached an IAM profile it started working.

But if I want to use this in a non-AWS environment (like my bare-metal server) where IAM instance profiles are not supported, how can I use it?

From a first glance, consider the following line:

debug3: Running AuthorizedKeysCommand: "/opt/authorized_keys_command.sh tarikur" as "nobody"

If you configure your AWS access key and secret as root, the system will not be able to assume that identity when calling AWS services, as sshd calls /opt/authorized_keys_command.sh as nobody.

To support this outside of AWS (and call AWS IAM as your directory server), you would likely need to find a way to configure user nobody to have a service account credential stored and accessible when sshd calls the command script.

Do note that this is likely outside of the project scope, but that is for @michaelwittig to ultimately decide.

Off the top of my head, some ways you could support this with the existing code here outside of EC2 and a specific service account in IAM for the bare metal machine:

  1. Store the environment variables inside the script. I'm not a personal fan of this idea, since it's trivial to be able to read and execute the script and get the credentials. It also requires that you modify the script (which may or may not matter to you).

  2. Store the variables in the system profile. I'm not a personal fan of this idea either, since this assigns the IAM account to everyone who uses the bare metal system, which makes traceability of actions nigh impossible. (Again, your mileage may vary)

  3. Store the variables in the AuthorizedKeysCommand setting in sshd_config. You'd need to protect your sshd_config from being read by non-root users, but that is possible to do without impacting the service.

  4. Have a service account with your IAM credentials and try using the AuthorizedKeysCommandRunAs (or AuthorizedKeysCommandUser) directive in sshd_config. This strikes me as the "least bad" of the options, but care should be taken that a) you have the directive available in your version of OpenSSH, and b) PAM doesn't override that setting.
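As an added example (not part of this thread or of aws-ec2-ssh), this is what option 4 looks like on a Linux host: a dedicated service user that owns the IAM credentials file, named in AuthorizedKeysCommandUser so sshd no longer runs the script as nobody, plus a check that the credentials are not readable by other local users. The user name "iamkeys", the script name and the credentials path are assumptions.

```shell
#!/bin/sh
# Added example, not part of aws-ec2-ssh: option 4 above, a dedicated service user
# that owns the IAM credentials and is named in AuthorizedKeysCommandUser.
# Assumed names: user "iamkeys", credentials file /home/iamkeys/.aws/credentials.
SVC_USER="${SVC_USER:-iamkeys}"
KEYS_CMD="${KEYS_CMD:-/opt/authorized_keys_command.sh}"
CREDS="/home/$SVC_USER/.aws/credentials"

# sshd_config directives. sshd appends the login name as the single argument (as in
# the debug line above); AuthorizedKeysCommandUser needs OpenSSH 6.2 or newer.
sshd_fragment() {
  printf 'AuthorizedKeysCommand %s\n' "$KEYS_CMD"
  printf 'AuthorizedKeysCommandUser %s\n' "$SVC_USER"
}

# The credentials file must belong to the service user and be readable by no one
# else; otherwise any local user can read the IAM secret (the flaw in options 1-2).
# Returns 0 when file "$1" is owned by uid "$2" with mode 0600 or 0400 (Linux stat).
creds_ok() {
  f="$1"; owner_uid="$2"
  [ -f "$f" ] || return 1
  set -- $(stat -c '%u %a' "$f") || return 1
  [ "$1" = "$owner_uid" ] || return 1
  case "$2" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Root-only setup, run as: sh setup_keys_user.sh install
install_service_user() {
  id "$SVC_USER" >/dev/null 2>&1 ||
    useradd --system --create-home --shell /usr/sbin/nologin "$SVC_USER"
  install -d -o "$SVC_USER" -g "$SVC_USER" -m 0700 "/home/$SVC_USER/.aws"
  umask 077
  # Replace the placeholders with the service account's keys (least-privilege IAM policy).
  printf '[default]\naws_access_key_id = PLACEHOLDER_KEY_ID\naws_secret_access_key = PLACEHOLDER_SECRET\n' > "$CREDS"
  chown "$SVC_USER:$SVC_USER" "$CREDS"
  creds_ok "$CREDS" "$(id -u "$SVC_USER")" || { echo "credential file permissions wrong" >&2; return 1; }
  sshd_fragment >> /etc/ssh/sshd_config
  sshd -t   # syntax check before 'service ssh restart'
}

if [ "${1:-}" = install ]; then install_service_user; fi
```

Run the install step once as root, then repeat the sshd -d debug session: the AuthorizedKeysCommand line should now report the command running as "iamkeys" instead of "nobody".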

As @KusabiSensei said, this project provides a way to "Use your IAM user's public SSH key to get access via SSH to an EC2 instance".

I would like to add this to @KusabiSensei's list:

  1. Fake a metadata server in the data center to get access to credentials, which is not too difficult to achieve, and you don't have to store the secrets on the machines.

@sohel2020 any news on this issue?