Virtual Guru's Blog – Home of Virtualization Workshops

May 21, 2008

ec2ify:ident: 5 required steps to log in to an instance

Filed under: amazon_aws, cloud, opensolaris, Virtualization — natiku @ 4:51 am

Based on my previous Linux on Amazon AWS experience, I define 5 required Solaris ec2ify steps:

This entry is part of ‘OpenSolaris on Amazon EC2’ workshop

1) Update the openssh configuration for Amazon AWS ssh keypair access
2) Fix DNS name services and DHCP, if needed
3) Fix the system time with ntpdate
4) Get the instance's ssh keypair
5) Get the devel / recovery key, if it exists and getting the Amazon key fails

PS: For image creation we also need a cleanup phase (script?): delete sensitive data, zero unused space for better compression, clean shutdown. I will address these issues in a separate section later.

Amazon EC2 uses an SSH private/public keypair infrastructure for login: the user starting an instance is identified by the keypair the instance was started with, so the user's public key must be downloaded from the user's account when the instance starts.

It is common for the SSH login user to be root, but it can be any user; for security reasons Amazon also recommends disabling password-based logins in ssh for the root user.

The current version of the ec2ify stuff is on your image in /opt/ec2ify/.

1. Setting up ssh and sshd configs

In Solaris 10+ use LookupClientHostnames instead of UseDNS.

In /etc/ssh/sshd_config edit/add the lines:
PermitRootLogin without-password
RSAAuthentication yes
LookupClientHostnames no
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPIStoreDelegatedCredentials no

In /etc/ssh/ssh_config edit/add the lines:
GSSAPIAuthentication no
GSSAPIKeyExchange no

Then restart the ssh service:
svcadm restart ssh
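A small audit for step 1, added here as an example and not part of the post's ec2ify scripts: sshd honours the first occurrence of a directive, so a `PermitRootLogin without-password` line appended after a stock `PermitRootLogin yes` never takes effect; this check reports the value that is actually in force. The two sample config files are constructed for the run.

```shell
# effective_value <file> <directive>: the value sshd will use (first match wins,
# keywords are case-insensitive, comments and blank lines are ignored).
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config <file>: prints one line per problem; exit 0 when every
# directive from step 1 is effective with the wanted value.
check_sshd_config() {
    _rc=0
    for _pair in PermitRootLogin=without-password RSAAuthentication=yes \
                 LookupClientHostnames=no GSSAPIAuthentication=no \
                 GSSAPIKeyExchange=no GSSAPIStoreDelegatedCredentials=no
    do
        _key=${_pair%%=*}; _want=${_pair#*=}
        _got=$(effective_value "$1" "$_key")
        if [ -z "$_got" ]; then
            echo "MISSING $_key (sshd built-in default applies)"; _rc=1
        elif [ "$_got" != "$_want" ]; then
            echo "WRONG   $_key: effective '$_got', wanted '$_want'"; _rc=1
        fi
    done
    return $_rc
}

# Constructed sample files for a stand-alone run (not taken from any image).
BAD_CFG=${TMPDIR:-/tmp}/sshd_config.bad.$$
GOOD_CFG=${TMPDIR:-/tmp}/sshd_config.good.$$
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
cat > "$BAD_CFG" <<'EOF'
# stock line left in place: the without-password line appended later is ignored
PermitRootLogin yes
GSSAPIAuthentication yes
PermitRootLogin without-password
RSAAuthentication yes
LookupClientHostnames no
EOF
cat > "$GOOD_CFG" <<'EOF'
PermitRootLogin without-password
RSAAuthentication yes
LookupClientHostnames no
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPIStoreDelegatedCredentials no
EOF
check_sshd_config "$BAD_CFG" || echo "sample config above needs fixing"
```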

2. Create a script which will get the keypair on OS boot

#!/sbin/sh
# !!! This script runs under SMF: use full paths for executables/scripts !!!
# Retrieve the keypair credentials from the Amazon AWS instance meta-data.
# Port to Solaris 10 SMF, privileged user and local developer keys on /mnt.
# Fetch any credentials presented at launch time and add them to root's
# public keys. If the connection to Amazon AWS times out, fall back to the
# local developer keys. A recovery key is also supported for failing over
# when developing directly on Amazon AWS.
# NOTE: the name of the sourced SMF include file is cut off in the post.
.  /lib/svc/share/
# Because we are providing shared images we delete the original
# authorized_keys. If this is your private AMI you can specify
# authorized_keys.recovery and it will be added.
# For the classic UNIX security model we use root; on the privilege model
# (the default in OpenSolaris 2008.05) there is a user with the root role,
# so we put authorized_keys in the home dir of that privileged user.
# The post does not show these two definitions; the values are assumed.
PUB_KEY_URI=http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
PUB_KEY_FROM_HTTP=/tmp/openssh_id.pub
###: Workarounds section start
# Workaround for OpenSolaris 2005.08 issue:
# Time after reboot starts from the Epoch 1.1.1970 (or even 1969 if the zone
# is in the USA); zfs_mountroot() may need to call clkset() to set the
# boot_time kstat. Time zone is UTC by default.
# Move the time near the actual date with "date", then sync with ntpdate.
CURR_YEAR=`/usr/bin/date +%Y`
if [ "$CURR_YEAR" -lt 2008 ] ; then
    echo "Moving time with date to May/12 06:01 2008"
    /usr/bin/date -u "051206012008.01"
fi
# Time is not synchronized; sync is needed for Amazon EC2 or S3 services.
# The NTP server addresses are cut off in the post; placeholders are used.
echo "Syncing time with ntpdate, with IP fail over "
/usr/sbin/ntpdate -v NTP_SERVER_1
/usr/sbin/ntpdate -v NTP_SERVER_2
/usr/sbin/ntpdate -v NTP_SERVER_3
###: Workarounds section stop
# Select user 'root' or the privileged user, we use 'osol'
USER=root
#USER=osol
export USER
USER_HOME=`/usr/bin/egrep "^${USER}:" /etc/passwd | /usr/bin/awk -F: '{print $6}'`
# If we Linuxify Solaris we have root's home at "/root", not the default "/";
# strip the bare "/" so the paths below do not start with "//".
if [ "$USER_HOME" = "/" ] ; then USER_HOME= ; fi
USER_AUTHORIZED_KEYS=$USER_HOME/.ssh/authorized_keys
echo "Getting authorized_keys for user '$USER' into home dir: '$USER_HOME' "
# Keys are by SSH default in directory $USER_HOME/.ssh
if [ ! -d $USER_HOME/.ssh ] ; then
    /usr/bin/mkdir -p $USER_HOME/.ssh
    /usr/bin/chmod 700 $USER_HOME/.ssh
    /usr/bin/chown $USER $USER_HOME/.ssh
fi
echo "Trying to get key from Amazon AWS"
# Fetch credentials... script max time (15+3)*6 = 108s, SMF timeout for start action 160s
/usr/bin/curl --connect-timeout 15 --retry 5 --retry-delay 3 --fail -o $PUB_KEY_FROM_HTTP $PUB_KEY_URI
if [ $? -eq 0 ] ; then
    /usr/bin/cat $PUB_KEY_FROM_HTTP > $USER_AUTHORIZED_KEYS
else
    # Fallover, dirty execution
    echo "Trying developer mode, key on extra disk (m1.small or zfs pool) /mnt/authorized_keys"
    # In case we don't use ZFS with automount
    /usr/sbin/mount -F ufs /dev/dsk/c0d1s0 /mnt >/dev/null 2>&1
    if [ -f /mnt/authorized_keys ] ; then
        echo "Developer mode, key found on /mnt/authorized_keys"
        /usr/bin/cat /mnt/authorized_keys > $USER_AUTHORIZED_KEYS
    fi
fi
# Protection against failing with "no rights"
# (the post is cut off after the comment above; the two lines below complete it)
/usr/bin/chmod 600 $USER_AUTHORIZED_KEYS
/usr/bin/chown $USER $USER_AUTHORIZED_KEYS
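A guard for the fetch step above, added as an example and not part of the post's ec2ify scripts: whatever curl wrote to $PUB_KEY_FROM_HTTP is checked for well-formed OpenSSH key lines before it replaces authorized_keys, because an empty download or an HTML error body copied into that file leaves the instance with no way to log in. The inputs are constructed (the key blob is filler, not a real key).

```shell
# valid_pubkey_line <line>: 0 when it looks like an OpenSSH public key entry
# ("ssh-rsa"/"ssh-dss", a base64 blob, optional comment); key options are not handled.
valid_pubkey_line() {
    printf '%s\n' "$1" | awk '
        ($1 == "ssh-rsa" || $1 == "ssh-dss") && $2 ~ "^[A-Za-z0-9+/]+=*$" && length($2) > 60 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# install_pubkeys <fetched-file> <authorized_keys>: copy only well-formed key
# lines into a fresh 0600 file and swap it in atomically. Returns 1 and leaves
# the existing authorized_keys alone when the download is empty or has no key.
install_pubkeys() {
    _src=$1; _dst=$2; _tmp=$2.new.$$; _n=0
    [ -s "$_src" ] || { echo "refusing: $_src is empty" >&2; return 1; }
    ( umask 077; : > "$_tmp" )          # created 0600, no window with wider perms
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|'#'*) continue ;; esac
        if valid_pubkey_line "$_line"; then
            printf '%s\n' "$_line" >> "$_tmp"; _n=$((_n + 1))
        else
            echo "skipping malformed line starting '${_line%% *}'" >&2
        fi
    done < "$_src"
    if [ "$_n" -eq 0 ]; then
        rm -f "$_tmp"; echo "refusing: no usable key in $_src" >&2; return 1
    fi
    mv "$_tmp" "$_dst"
    echo "installed $_n key(s) into $_dst"
}

# Constructed inputs: what the meta-data service should return, an HTML error
# body as served by a broken proxy, and an empty download.
DEMO=${TMPDIR:-/tmp}/ec2ify-demo.$$
mkdir -p "$DEMO"; trap 'rm -rf "$DEMO"' EXIT
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEMOdemoDEMOdemoDEMOdemoDEMOdemoDEMOdemoDEMOdemoDEMOdemo== demo-keypair\n' > "$DEMO/good"
printf '<html><body>502 Bad Gateway</body></html>\n' > "$DEMO/html"
: > "$DEMO/empty"
install_pubkeys "$DEMO/good" "$DEMO/authorized_keys"
install_pubkeys "$DEMO/html" "$DEMO/authorized_keys" || echo "kept previous keys"
```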

3. Generate and back up the developer ssh keypair (both DSA and RSA for ssh client compatibility)

ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
/root/.ssh/id_dsa already exists.
Overwrite (yes/no)? yes
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
c5:c4:ee:32:9c:8d:64:d3:de:82:49:75:b4:a8:91:20 root@jsc-xen-14
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
02:c6:3f:2b:d0:55:4c:cf:98:c2:bc:e3:5d:1b:da:af root@jsc-xen-14

Allow root login with the developer keypairs
cat /root/.ssh/ /root/.ssh/ >/root/.ssh/authorized_keys
chmod 0600 /root/.ssh/authorized_keys

Move /root/.ssh/id_* out of the image to save space

Test that you can log in using the new DSA and RSA keys

ssh -i keypair root@hostname

4. Creating the SMF service ec2ify-ident

The standard Linux script S99getsshkey is executed too late, with the side effect that the user sees the Amazon AWS AMI status as running and can ssh to the instance but can't log in.

I created an SMF port of S99getsshkey to 100% fix this issue.

cat ec2ident.xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='ec2ify:ident'>
  <service name='ec2ify/ident' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />
    <!-- local file systems must be mounted before the keys can be written -->
    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local' />
    </dependency>
    <!-- the network is needed to reach the instance meta-data -->
    <dependency name='network-service' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/service' />
    </dependency>
    <!-- the script name after scripts/ is cut off in the post -->
    <exec_method type='method' name='start' exec='/opt/ec2ify/scripts/' timeout_seconds='160' />
    <exec_method type='method' name='stop' exec=':true' timeout_seconds='0' />
    <exec_method type='method' name='refresh' exec=':true' timeout_seconds='0' />
    <exec_method type='method' name='restart' exec=':true' timeout_seconds='0' />
    <!-- transient: the start method runs once and does not leave a daemon -->
    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient' />
    </property_group>
    <stability value='Unstable' />
    <template>
      <common_name>
        <loctext xml:lang='C'>Amazon EC2 ec2ify ident script - loading needed SSH identity keys</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>

5. Register the SMF service

rm -f /var/svc/log/ec2ify-ident:default.log
/usr/sbin/svccfg validate /opt/ec2ify/scripts/ec2ident.xml
/usr/sbin/svccfg import /opt/ec2ify/scripts/ec2ident.xml
sleep 3
/usr/sbin/svcadm enable svc:/ec2ify/ident:default

6. Debug the ec2ify-ident service

svcs -a | grep ec2ify
online         11:43:24 svc:/ec2ify/ident:default
svcs -l svc:/ec2ify/ident:default
fmri         svc:/ec2ify/ident:default
name         Amazon EC2 ec2ify ident script - loading needed SSH identity keys
enabled      true
state        online
next_state   none
state_time   Wed May 21 11:43:24 2008
logfile      /var/svc/log/ec2ify-ident:default.log
restarter    svc:/system/svc/restarter:default
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   require_all/none svc:/network/service (online)
cat /var/svc/log/ec2ify-ident:default.log | more

7. Fix the DNS name service configuration generated from DHCP

cp /etc/nsswitch.dns /etc/nsswitch.conf
rm /etc/resolv.conf
