search

aws / aws-ec2-instance-connect-cli

This is an all-in-one client for EC2 Instance Connect that handles key brokerage and establishing connection to EC2 Instances through an interface near-identical to standard system ssh, sftp, and other utilities.
Apache License 2.0
159 stars 42 forks source link

MSSH uses all keys within the ssh-agent, rather than the generated key, causing logins to fail. #10

Closed brennentsmith closed 4 years ago

brennentsmith commented 4 years ago

Mssh only uses the -i flag, which instructs SSH to use the SSH key generated by the command. However, this still includes keys within the SSH agent and the included key is appended to the end of the list. This ends in a case such as:

ssh -v -i .ssh/mssh-test-key
...
debug1: Will attempt key: /Users/brennen/.ssh/id_rsa RSA SHA256:aq5DfI03U0cg3R2ldH1J6fkgvhhvlkiSVvwlKj3UUy4 explicit agent
debug1: Will attempt key:  RSA SHA256:KCLZa00/5k0r/+eUA4XjTy0mSK+J1VTymgCI7MoppQk agent
debug1: Will attempt key:  RSA SHA256:N0Y0a7S9D9kpRiMCWfvde1VpsfRvTdC3tZOB6AYt6C8 agent
debug1: Will attempt key:  RSA SHA256:4/uxFtPhd/pGLfgR757fTUE9hM4ugELRTbhV6uHhoe0 agent
debug1: Will attempt key:  RSA SHA256:pRB0RCJ0Vy4GsXyaWmOHNPsX2khLdYsj3FupVqN5WTw agent
debug1: Will attempt key:  RSA SHA256:m1gvgtql3w1ss+htr+PbfbYiATHCAkbuQeO8IDTWSp4 agent
debug1: Will attempt key: .ssh/mssh-test-key RSA SHA256:owkdvBu50fefHr5a79gewBpr2WH6z6WQPOwvU6aKDdc explicit

The key defined with the -i flag is added to the list last. This causes failures to login as SSH is configured on AMZN Linux to drop a connection after 5 failures.

The SSH option IdentitiesOnly=yes ensures that only the files defined in the ssh config file and the explicit identity are used. 

ssh -v -i .ssh/mssh-test-key -o "IdentitiesOnly=yes"
...
debug1: Will attempt key: /Users/brennen/.ssh/id_rsa RSA SHA256:aq5DfI03U0cg3R2ldH1J6fkgvhhvlkiSVvwlKj3UUy4 explicit agent
debug1: Will attempt key: .ssh/mssh-test-key RSA SHA256:owkdvBu50fefHr5a79gewBpr2WH6z6WQPOwvU6aKDdc explicit

This ensures that the mssh command uses the mssh generated key and does not fail.

rcj4747 commented 4 years ago

This really would be best to add. Otherwise when you get user reports of failures you can't know that it even failed with the key you're generating. I will file a bug upstream in Ubuntu (my OS of choice) to consider trying explicit keys before keys from the agent, but the cli should add '-o IdentitiesOnly=yes' to ensure the ephemeral key (and only the ephemeral key) is used for the connection.

CptTZ commented 4 years ago

Thanks for the feedback!

We are working on explicitly specifying IdentitiesOnly=yes when calling ssh, however we are still discussing internally on potential side-effects of this approach.

For a quick workaround - as mentioned in #15, you can add extra parameters and mssh will pass it to ssh, e.g. mssh ec2-user@i-1234567890abcd -o "IdentitiesOnly=yes"