Comments (12)
I should clarify, while this policy serves as a good reference we are not currently working on including the SELinux policy in the package itself. There are broader implications to consider about changing the sshd security policy (particularly granting it curl and ssh-keygen access).
That said, RHEL support is high on our radar and we are evaluating our options for support.
from aws-ec2-instance-connect-config.
Aha! Did a bit of digging with audit.log and found the issue. On EL8 the ssh-keygen invocation was failing on map permission - adding it to the file type and the ssh_keygen_exec_t:file domain got things working.
from aws-ec2-instance-connect-config.
Also just ran into this on Amazon Linux 2 while testing a CIS-benchmarked image. Thanks @n0coast for posting a comment with that error message, I don't know how long it would've taken me to find this otherwise!
from aws-ec2-instance-connect-config.
Finally got tasked to create our RHEL8 and CentOS8 AMIs for a couple of our customers. So, need to revisit the status of this. I can bake creation of policies into our AMI-generation process… but it would be so much easier if the packaging of InstanceConnect just included things.
Any anticipated timeframe, yet, for sorting the SELinux policies out and including them in the RPM?
from aws-ec2-instance-connect-config.
I've run into this on Amazon Linux 2 as well: with SELinux enabled, Instance Connect fails; with the definition @ferricoxide provided at the top of the thread applied, Instance Connect works again.
For the moment I can bake this into my AMIs, but it'd be great if this was just included with the rpm - or at least noted in documentation.
As a side note, the only indication of this issue is a message in /var/log/secure:
sshd[4287]: error: AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys ec2-user SHA256:...... failed, status 7
As of early November '19, if you are running this on AZ2 you'll need to systemctl enable rhel-autorelabel (which is owned by the initscripts rpm).
from aws-ec2-instance-connect-config.
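The two places the comments above point at are audit.log (where the map denial on ssh-keygen showed up) and /var/log/secure (where the only visible symptom is the "AuthorizedKeysCommand ... failed, status 7" line). The following is an added example, not code from the thread or from the aws-ec2-instance-connect-config project: two small scanners, `find_akc_failures` and `avc_to_allow`, run over constructed sample lines shaped like those two logs. The fingerprint, pids, inode, timestamps and the chronyd record are made up for the demonstration.

```shell
#!/bin/bash
# Added example (not part of the thread or the project). One scanner for the
# /var/log/secure symptom, one for the audit.log AVC records that explain it.

# Constructed sample lines; fingerprint, pids, inode and timestamps are made up.
SECURE_SAMPLE='Nov  5 10:12:01 ip-10-0-0-5 sshd[4287]: error: AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys ec2-user SHA256:EXAMPLEFINGERPRINT0000000000000000000000000 failed, status 7
Nov  5 10:12:01 ip-10-0-0-5 sshd[4287]: Connection closed by authenticating user ec2-user 198.51.100.7 port 51122 [preauth]'

AUDIT_SAMPLE='type=AVC msg=audit(1572948721.113:4410): avc:  denied  { map } for  pid=4290 comm="ssh-keygen" path="/usr/bin/ssh-keygen" dev="xvda2" ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572948721.500:4412): avc:  denied  { write } for  pid=811 comm="chronyd" name="chronyd.pid" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=0'

# Print "pid command user status" for every AuthorizedKeysCommand failure in
# the given log text. A non-zero status here is the only hint sshd gives that
# the helper (or something it execs) was blocked.
find_akc_failures() {
  printf '%s\n' "$1" |
    sed -n 's/.*sshd\[\([0-9]*\)\]: error: AuthorizedKeysCommand \([^ ]*\) \([^ ]*\) .* failed, status \([0-9]*\).*/\1 \2 \3 \4/p'
}

# Turn each AVC denial whose source domain is $2 (default sshd_t) into an
# allow rule of the same shape audit2allow proposes:
#   allow <src_type> <tgt_type>:<class> { <perms> };
avc_to_allow() {
  local domain="${2:-sshd_t}"
  printf '%s\n' "$1" |
    grep 'avc: *denied' |
    grep "scontext=[^ ]*:${domain}:" |
    sed -n 's/.*denied *{ \([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1};/p'
}

# Stand-alone run over the constructed samples.
echo "AuthorizedKeysCommand failures (pid command user status):"
find_akc_failures "$SECURE_SAMPLE"
echo "Allow rules sshd_t is missing according to the AVC records:"
avc_to_allow "$AUDIT_SAMPLE"
```

On the sample above the second scanner prints `allow sshd_t ssh_keygen_exec_t:file { map };`, which is the rule the EL8 comment describes adding. Filtering on the source domain matters: a CIS-hardened host will have other denials in audit.log, and only the ones with scontext in sshd_t belong in the Instance Connect policy module.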
Hm, in testing I noticed that when sshd invoked the AuthorizedKeysCommand that fingerprint calculation was now returning an empty string. Removing the cut (i.e., so there was no piping) caused the set -e to capture an exit status 139 from ssh-keygen. Manually invoking the command and/or switching sshd_t's domain to permissive let it succeed, so it's definitely a missing allow somewhere.
I can say for certain it's not on ssh_keygen_t/ssh_keygen_exec_t's domains - flipping those to permissive doesn't change behavior at all.
from aws-ec2-instance-connect-config.
K. I'll dig back through. Those were the ones that were creating AVCs on my CentOS 7.6 with this week's patches applied.
from aws-ec2-instance-connect-config.
Might be sufficient on the 7's then, I was testing on a fresh RHEL8 instance. I'd prefer if we can figure out a single sufficient entry rather than needing to split things more.
from aws-ec2-instance-connect-config.
Unfortunately, my customer only authorizes EL7 (and EL6, euw) for their cloud-based deployments. My plans are to keep ahead of the curve and move to EL8 long before the STIGs come out. However, I'm trying to wait to switch till I've re-upped my RHCE on EL7 (and also prefer to wait until I can upgrade my VPS to CentOS 8).
Long-winded way of offering to help with EL7 stuff pending any future ability to help with EL8. :)
from aws-ec2-instance-connect-config.
Just trying to stay abreast of things: any additional input (etc.) you need from me?
from aws-ec2-instance-connect-config.
@ferricoxide Thanks for including the error message in a high-quality issue – I ran into this while searching through SELinux logs and while I was able to resolve it by having Ansible remove the ec2-instance-connect because this particular project doesn't use public IPs, that won't be true of some of the other projects which I support.
from aws-ec2-instance-connect-config.
What a bummer this wasn't incorporated into the project. Luckily you made this issue and I was able to incorporate it into my AMI build.
from aws-ec2-instance-connect-config.