Public bug reported:

Binary package hint: cloud-init

The EC2/UEC images currently allow users to ssh to root@ but do not give the user shell access. Instead, a helpful message is displayed to the user explaining they need to ssh to ubuntu@ and they are disconnected after 10 seconds.

This is done with the following prefix in /root/.ssh/authorized_keys:

  command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10" ssh-rsa ...

The goal here is to prevent the user from having any serious access at all through root@ and to just be a helpful pointer for people who assume all EC2 AMIs are set up to allow ssh to root@.

Users may change the ssh keys associated with /home/ubuntu/.ssh/authorized_keys and not know about or forget about the fact that there is some access also granted through /root/.ssh/authorized_keys.

The way that the /root/.ssh/authorized_keys file is currently implemented, an authorized user is blocked from shell access, but is granted some other permissions like doing port forwarding through the instance to anywhere that instance can connect. Hosts it connects to would also perceive the connection as coming from the instance.

These additional permissions should be blocked in /root/.ssh/authorized_keys by adding qualifiers like:

  no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty

These particular directives are based on best practices using subversion command= with ssh.

The resulting prefix would then look like:

  command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa ...

See the "command=" section in "man authorized_keys" for more details.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: cloud-init 0.6.1-0ubuntu8
ProcVersionSignature: User Name 2.6.38-8.42-virtual 2.6.38.2
Uname: Linux 2.6.38-8-virtual i686
Architecture: i386
Date: Fri Jun 17 02:08:02 2011
Ec2AMI: ami-06ad526f
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1d
Ec2InstanceType: m1.small
Ec2Kernel: aki-407d9529
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: cloud-init (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: apport-bug ec2-images i386 natty

https://bugs.launchpad.net/bugs/798505

Title:
  Tighten permissions on root@ ssh with EC2/UEC images
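
One way to check an authorized_keys file for the gap described in this report, as an added example that is not part of the original report or of cloud-init: it parses the options field (quoted values and escaped quotes included) and lists forced-command entries that lack any of the four proposed qualifiers. The function names, the placeholder key and the sample lines are constructed for illustration.

```python
# Added example: audit authorized_keys entries that use a forced command.
REQUIRED = ("no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty")
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options

def parse_options(line):
    """Split the leading options field, honouring quoted values and escaped quotes."""
    if line.startswith(KEY_PREFIXES):
        return []
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 2  # keep the escaped quote, stay inside the value
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == ",":
            opts.append(cur)
            cur, i = "", i + 1
            continue
        elif not in_quote and ch in " \t":
            break  # unquoted whitespace ends the options field
        cur += ch
        i += 1
    opts.append(cur)
    return opts

def audit(text):
    """Return {line_number: [missing qualifiers]} for forced-command entries."""
    findings = {}
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names = {o.split("=", 1)[0].lower() for o in parse_options(line)}
        # OpenSSH's "restrict" option applies all four; later re-enabling is not checked here.
        if "command" not in names or "restrict" in names:
            continue
        missing = [r for r in REQUIRED if r.lower() not in names]
        if missing:
            findings[num] = missing
    return findings

# Constructed sample: the report's current and proposed prefixes with a placeholder key.
MSG = r'''command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10"'''
SAMPLE = "\n".join([
    MSG + " ssh-rsa AAAAconstructedkey sample",
    MSG + ",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAconstructedkey sample",
    MSG + ",no-port-forwarding,no-pty ssh-rsa AAAAconstructedkey sample",
])

if __name__ == "__main__":
    for num, missing in audit(SAMPLE).items():
        print(f"line {num}: forced command without {', '.join(missing)}")
```
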