Bug 785193

Summary: Use user supplied keypair by default
Product: Red Hat Enterprise MRG
Reporter: Matthew Farrellee <matt>
Component: releng
Assignee: Mike Bonnet <mikeb>
Status: CLOSED WONTFIX
QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: medium
Priority: medium
Version: 2.1
CC: ltoscano
Target Milestone: 3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-05-26 19:12:30 UTC

Description Matthew Farrellee 2012-01-27 15:25:39 UTC
/etc/rc.local creates /root/.ssh/authorized_keys based on the user supplied keypair. However, it does so only if the /root/.ssh/authorized_keys does not already exist.

In the case of rebundling an AMI, the rebundler must remember to remove the authorized_keys file; otherwise the keypair used to launch the rebundled AMI will not work.

By contrast, Fedora AMIs (via rc.local) use an ec2-user account and always append the current keypair to its authorized_keys file. Also, the Amazon Linux AMIs (via cloud-init) use an ec2-user account and append the current keypair.

RFE - Honor the instance owner's request for keypair access. For public AMI rebundling, it is still the responsibility of the rebundler to create an attractive AMI, which involves removing their credentials.


AWS Recommendations -

http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/AESDG-chapter-sharingamis.html#public-amis-install-credentials

Install Public Key Credentials

After configuring the AMI to prevent logging in using a password, you must make sure users can log in using another mechanism.

Amazon EC2 allows users to specify a public-private key pair name when launching an instance. When a valid key pair name is provided to the RunInstances API call (or through the command line API tools), the public key (the portion of the key pair that Amazon EC2 retains on the server after a call to CreateKeyPair or ImportKeyPair) is made available to the instance through an HTTP query against the instance metadata.

To log in through SSH, your AMI must retrieve the key value at boot and append it to /root/.ssh/authorized_keys (or the equivalent for any other user account on the AMI). Users will be able to launch instances of your AMI with a key pair and log in without requiring a root password.

if [ ! -d /root/.ssh ] ; then
        mkdir -p /root/.ssh
        chmod 700 /root/.ssh
fi
# Fetch public key using HTTP
curl http://169.254.169.254/latest//meta-data/public-keys/0/openssh-key > /tmp/my-key
if [ $? -eq 0 ] ; then
        cat /tmp/my-key >> /root/.ssh/authorized_keys
        chmod 700 /root/.ssh/authorized_keys
        rm /tmp/my-key
fi

This can be applied to any user account; you do not need to restrict it to root.

Note: Rebundling an instance based on this image includes the key with which it was launched. To prevent the key's inclusion, you must clear out (or delete) the authorized_keys file or exclude this file from rebundling.



Current RHEL AMI (EL6.1) rc.local code -

ATTEMPTS=5
FAILED=0
# Fetch public key using HTTP
while [ ! -f /root/.ssh/authorized_keys ]; do
    curl -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > /tmp/aws-key 2>/dev/null
    if [ $? -eq 0 ]; then
        cat /tmp/aws-key >> /root/.ssh/authorized_keys
        chmod 0600 /root/.ssh/authorized_keys
        restorecon /root/.ssh/authorized_keys
        rm -f /tmp/aws-key
        echo "Successfully retrieved AWS public key from instance metadata"
    else
        FAILED=$(($FAILED + 1))
        if [ $FAILED -ge $ATTEMPTS ]; then
            echo "Failed to retrieve AWS public key after $FAILED attempts, quitting"
            break
        fi
        echo "Could not retrieve AWS public key (attempt #$FAILED/$ATTEMPTS), retrying in 5 seconds..."
        sleep 5
    fi
done


Current Fedora AMI (F15) rc.local code -

curl http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key 2>/dev/null >/tmp/my-key

if [ $? -eq 0 ] ; then
   for home in `find /home/* -maxdepth 0 -type d 2>/dev/null | tr '\n' ' '`; do
       user=`echo $home | awk -F '/' '{ print $3 }'`

       if [ ! -d $home/.ssh ] ; then
            mkdir -p $home/.ssh
            chmod 700 $home/.ssh
            chown $user $home/.ssh
        fi

       cat /tmp/my-key >> $home/.ssh/authorized_keys
       chmod 600 $home/.ssh/authorized_keys
       chown $user $home/.ssh/authorized_keys

   done
   rm /tmp/my-key
fi
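
An added example, not part of the original report and not code from the RHEL, Fedora or AWS scripts quoted above: a boot-time key install that always honors the launch keypair, as the RFE asks, but appends it only when that exact line is not already present. It goes slightly beyond the scripts on this page by de-duplicating across boots, rejecting non-key responses and avoiding a fixed /tmp file name; the function names install_launch_key and fetch_launch_key are hypothetical.

```shell
# install_launch_key KEYFILE AUTH_KEYS
# Append the key in KEYFILE to AUTH_KEYS even when AUTH_KEYS already exists (the
# rebundled-AMI case), but only once, so the file does not grow on every boot.
install_launch_key() {
    keyfile=$1
    auth=$2
    key=$(head -n 1 "$keyfile" 2>/dev/null) || return 1
    # Reject empty input or anything that is not a public key line,
    # such as an HTML error body saved from a failed request.
    case $key in
        ssh-*' '*|ecdsa-*' '*) ;;
        *) return 1 ;;
    esac
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ ! -e "$auth" ]; then
        ( umask 077; : > "$auth" ) || return 1
    fi
    if ! grep -qxF -e "$key" "$auth"; then
        # Keep the new key on its own line if the file lacks a final newline.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth"
        fi
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 600 "$auth"
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$auth" 2>/dev/null || true
    fi
    return 0
}

# fetch_launch_key AUTH_KEYS
# Fetch the launch key from instance metadata and install it.
fetch_launch_key() {
    # mktemp avoids a predictable name such as /tmp/my-key; -f makes curl
    # fail on an HTTP error instead of saving the error page.
    tmp=$(mktemp) || return 1
    rc=1
    if curl -sf --max-time 5 http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > "$tmp"
    then
        install_launch_key "$tmp" "$1" && rc=0
    fi
    rm -f "$tmp"
    return $rc
}
# Assumed call site in rc.local: fetch_launch_key /root/.ssh/authorized_keys
```

Because the launch key is added regardless of what the image already contains, any key the rebundler left in authorized_keys also remains valid; removing it before bundling is still required.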

Comment 2 Anne-Louise Tangring 2016-05-26 19:12:30 UTC
MRG-G is in maintenance only and only customer escalations will be addressed from this point forward. This issue can be re-opened if a customer escalation associated with this issue occurs.