After I create an AMI with packer based on the Amazon Linux AMI, if I launch an instance of that AMI and ssh in, I'm seeing the temporary packer keypair in the ~/.ssh/authorized_keys
file, which is a security hole. I was expecting that file to be deleted before the AMI was saved.
I was able to work around this by explicitly deleting ~/.ssh/authorized_keys in the packer template (details below).
Packer Version
Packer v0.10.0
Host platform
CentOS Linux release 7.2.1511 (Core)
Debug log output from PACKER_LOG=1 packer build template.json
Here is the packer output:
https://gist.github.com/tleyden/4cc13b530f08bcaef04f5233bf43daee
Sorry, I didn't do PACKER_LOG=1, but can re-run if necessary
The _simplest example template and scripts_ needed to reproduce the bug
Script:
Using the Jenkins Packer plugin and passing variables into packer via:
```sh
-var 'source_ami=${source_ami}' -var 'ssh_username=${ssh_username}' -var 'couchbase_server_package_name=${couchbase_server_package_name}' -var 'couchbase_server_package_url=${couchbase_server_package_url}' -var 'couchbase_sync_gateway_package_base_url=${couchbase_sync_gateway_package_base_url}' -var 'couchbase_sync_gateway_package=${couchbase_sync_gateway_package}' -var 'couchbase_server_version=${couchbase_server_version}' -var 'couchbase_sync_gateway_version=${couchbase_sync_gateway_version}' -var 'couchbase_server_edition=${couchbase_server_edition}' -var 'sync_gateway_edition=${sync_gateway_edition}'
```
Workaround
I added the following provisioner to the packer template:
```json
{
  "type": "shell",
  "inline": [
    "rm /home/ec2-user/.ssh/authorized_keys"
  ]
}
```
and after launching the AMI, it only contained the key chosen in the AWS "launch instance" wizard, and not the packer temporary keypair.
Thanks for taking time reporting this.
This is how AWS works, or more specifically how cloud-init works. What you describe as a workaround is actually what you should do.
Sorry to revive a dead thread, however since I found it and then found more information from amazon I thought I'd contribute it here for others:
https://aws.amazon.com/articles/how-to-share-and-use-public-amis-in-a-secure-manner/
In short, they recommend running the following as root to remove all authorized_keys files:
```sh
find / -name "authorized_keys" -exec rm -f {} \;
```
Caution: The command on the linked page is using a mixture of normal dashes (-) and something else that will return errors. Typing the command manually or copying the one directly above should work.
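As an added example (not from this thread or the Packer project), a POSIX shell cleanup step that combines the original post's provisioner with the Amazon recommendation above: it removes every authorized_keys file under a root directory and then verifies that none remain, so the provisioner fails and Packer refuses to save the image if a temporary key would otherwise be baked in. The function names, the CLEAN_ROOT variable and the fixture directory contents are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread or the Packer project. Meant to run as
# the last shell provisioner (as root) before Packer snapshots the AMI.
# Function names, the root argument and the fixture below are assumptions.

# Delete every regular file named authorized_keys under $1 (default: /).
# No -xdev, so a separately mounted /home is still covered.
remove_authorized_keys() {
    root="${1:-/}"
    find "$root" -type f -name authorized_keys -exec rm -f {} +
}

# Print how many authorized_keys files remain under $1 (default: /).
count_authorized_keys() {
    root="${1:-/}"
    find "$root" -type f -name authorized_keys | wc -l | tr -d ' '
}

# Build gate: status 0 only when no authorized_keys is left, so a failing
# provisioner stops Packer from saving an image that still carries a key.
verify_no_authorized_keys() {
    root="${1:-/}"
    n=$(count_authorized_keys "$root")
    if [ "$n" -ne 0 ]; then
        echo "ERROR: $n authorized_keys file(s) still present under $root" >&2
        return 1
    fi
    echo "OK: no authorized_keys files under $root"
    return 0
}

# Constructed fixture (not a real instance): a throwaway tree in which
# ec2-user and root each hold a temporary key. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/ec2-user/.ssh" "$dir/root/.ssh"
    printf 'ssh-rsa AAAAB3Nza... constructed-packer-temp-key\n' \
        > "$dir/home/ec2-user/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3Nza... constructed-packer-temp-key\n' \
        > "$dir/root/.ssh/authorized_keys"
    echo "$dir"
}

# On the build instance: CLEAN_ROOT=/ sh cleanup-authorized-keys.sh
if [ -n "${CLEAN_ROOT:-}" ]; then
    remove_authorized_keys "$CLEAN_ROOT" && verify_no_authorized_keys "$CLEAN_ROOT"
fi
```

Run it as the final provisioner; any later provisioner that needs SSH would no longer be able to authenticate once the key is gone.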
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.