aws / aws-ec2-instance-connect-config

This is the ssh daemon configuration and necessary EC2 instance scripting to enable EC2 Instance Connect. Also included are various package manager configurations for packaging for various Linux distributions.
Apache License 2.0

Issue with openssl v1.1.1 #22

Closed richjamesgreen closed 3 years ago

richjamesgreen commented 4 years ago

We have an issue with using ec2-instance-connect v1.1.11 on a CentOS 7.8.2003 server since a requirement to upgrade openssl to v1.1.1g.

We used this guide to update openssl: https://cloudwafer.com/blog/installing-openssl-on-centos-7/

Before this update our openssl was on v1.0.2 and ec2-instance-connect was all working correctly. Since then we can see that the key is being successfully pushed up into the instance metadata, but when we try to connect we are denied and get the following error in /var/log/secure:

Jun 22 14:42:54 ip-x-x-x-x sshd[6745]: error: AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys <username> SHA256:FOZI43gB/86B9VuWfghrhWHPExPq4IXHzmWm8fFYYmA failed, status 1

We do have SELinux enforcing but are using the recommended policy #2 to allow. We have tested setting SELinux to permissive but we still encounter the same issue.

I’ve also tried updating to v1.1.12 of ec2-instance-connect but still no joy.

I note that there is a comment here https://github.com/aws/aws-ec2-instance-connect-config/blob/47de50509ed43f0c294513841739afb059d5900e/src/bin/eic_parse_authorized_keys#L171 RE openssl v1.1.1 but not sure if this is related.

Has anyone else had an issue using this with openssl v1.1.1?

ohitspaul commented 3 years ago

Hello @richjamesgreen - is this still a concern for you? EIC does not explicitly support CentOS and SELinux at this time.

richjamesgreen commented 3 years ago

Hi @ohitspaul thanks for replying - we haven't resolved this issue exactly but are no longer using ec2-instance-connect so it is no longer a priority.