CentOS error: authorized_keys_command.sh status 255

Question

CentOS error: authorized_keys_command.sh status 255

aindenko opened this issue 7 years ago · 6 comments

Hi,

I'm testing aws-ec2-ssh on CentOS 7 AMI and getting this error from sshd log:
error: AuthorizedKeysCommand /usr/bin/authorized_keys_command.sh xxxxxxxxx failed, status 255.
When I run /usr/bin/authorized_keys_command.sh xxxxxxx manually it just returns public key as expected.
Sync users script works fine, my user created and has sudo access as expected.

Additional information:
OS: CentOS 7 from AWS Marketplace with latest packages
AWS CLI: installed from EPEL aws-cli/1.11.133 Python/2.7.5 Linux/3.10.0-693.2.2.el7.x86_64 botocore/1.6.0

Answer 1 · 2017-10-16T09:52:25.000Z

Hi @aindenko We only support Amazon Linux or Ubuntu at this time.

Maybe the access rights are not right. "The program must be owned by root, not writable by group or others" so chmod 755 /usr/bin/authorized_keys_command.sh could solve that

Answer 2 · 2017-10-16T10:06:15.000Z

Hi @michaelwittig :) I know that CentOS not supported. We use this package with Amazon Linux now and I'm just trying create same setup at CentOS machine. 755 doesn't help. I'm just wondered about what would be different between manual and sshd run. In order to debug issue, I've just put random exit codes inside script and saw them in sshd log. So sshd has correct access, so I still assume something wrong with aws cli setup. Will come back when I find that problem.

Answer 3 · 2017-10-16T10:15:13.000Z

you could include the printenv command in the authorized_keys_command.sh file and compare the env variables between manual invocation and cron invocation.

Answer 4 · 2017-10-16T10:16:03.000Z

good point, thx!

Answer 5 · 2017-10-16T13:01:05.000Z

@michaelwittig after some investigation problem was found. AWL CLI couldn't read metadata because port 80 is closed for SSH daemon. Problem is SELinux https://wiki.gentoo.org/wiki/SELinux/Tutorials/Permissive_versus_enforcing. After switching to permissive mode everything works. So what do you think about it? Is it safe just disable it ? In my case it is not mission critical part of infrastructure, but what would be recommended approach?

Answer 6 · 2017-10-17T09:30:25.000Z

I have no idea. Maybe the person who wrote the rule for SELinux can tell you. I will close this issue for now.