Packer temporary keypair not removed from ~/.ssh/authorized_keys (AWS AMI) #3775

Closed · tleyden opened this issue Aug 2, 2016 · 3 comments

Labels: builder/amazon, invalid (Out of scope/alignment with the project, or issue is expected, intended behavior)

Comments

tleyden commented Aug 2, 2016

After I create an AMI with packer based on the Amazon Linux AMI, if I launch an instance of that AMI and ssh in, I'm seeing the temporary packer keypair in the ~/.ssh/authorized_keys file, which is a security hole. I was expecting that file to be deleted before the AMI was saved.

I was able to workaround this by explicitly deleting ~/.ssh/authorized_keys in the packer template (details below)

Packer Version

Packer v0.10.0

Host platform

CentOS Linux release 7.2.1511 (Core)

Debug log output from PACKER_LOG=1 packer build template.json.

Here is the packer output:

https://gist.github.com/tleyden/4cc13b530f08bcaef04f5233bf43daee

Sorry, I didn't do PACKER_LOG=1, but can re-run if necessary

The simplest example template and scripts needed to reproduce the bug

Template: https://github.com/couchbase/build/blob/2afdc7329faaa6a2f25befda59509b70a4a38349/scripts/jenkins/mobile/ami/sync-gateway.json

Script:
Using the Jenkins Packer plugin and passing variables into packer via:

-var 'source_ami=${source_ami}' -var 'ssh_username=${ssh_username}' -var 'couchbase_server_package_name=${couchbase_server_package_name}' -var 'couchbase_server_package_url=${couchbase_server_package_url}' -var 'couchbase_sync_gateway_package_base_url=${couchbase_sync_gateway_package_base_url}' -var 'couchbase_sync_gateway_package=${couchbase_sync_gateway_package}' -var 'couchbase_server_version=${couchbase_server_version}' -var 'couchbase_sync_gateway_version=${couchbase_sync_gateway_version}' -var 'couchbase_server_edition=${couchbase_server_edition}' -var 'sync_gateway_edition=${sync_gateway_edition}'

Workaround

I added the following provisioner to the packer template:

    {
        "type": "shell",
        "inline": [
            "rm /home/ec2-user/.ssh/authorized_keys"
        ]
    }

and after launching the AMI, it only contained the key chosen in the AWS "launch instance" wizard, and not the packer temporary keypair.

@tleyden tleyden changed the title Packer temporary keypair not removed from ~/.ssh/authorized_keys Packer temporary keypair not removed from ~/.ssh/authorized_keys (AWS AMI) Aug 2, 2016
@rickard-von-essen rickard-von-essen added invalid Out of scope/alignment with the project, or issue is expected, intended behavior builder/amazon labels Aug 3, 2016
rickard-von-essen (Collaborator) commented

Thanks for taking time reporting this.

This is how AWS works, or more specifically how cloud-init works. What you describe as a workaround is actually what you should do.

tballast

tballast commented Oct 17, 2019

Sorry to revive a dead thread, however since I found it and then found more information from amazon I thought I'd contribute it here for others:

https://aws.amazon.com/articles/how-to-share-and-use-public-amis-in-a-secure-manner/

In short, they recommend running the following as root to remove all authorized_keys files:

find / -name "authorized_keys" -exec rm -f {} \;

Caution: The command on the linked page is using a mixture of normal dashes (-) and something else that will return errors. Typing the command manually or copying the one directly above should work.
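The two cleanup approaches in this thread (tleyden's single `rm` of the ec2-user file and the AWS-recommended `find / -name authorized_keys` sweep that tballast quotes) are combined below into one script. It is an added example, not code from the issue participants, from the Packer project or from the AWS article. It removes every `authorized_keys` file under a given root, including root's own and any user a provisioner created, then reports how many remain so the build can fail if cleanup did not work. The root-directory parameter and the `make_sample_root` helper are assumptions added so the function can be exercised against a scratch directory; as the final Packer shell provisioner it would be run as root with no argument. Note that it also deletes keys you may have intentionally baked in for other users; re-add those after this step if the image needs them. As the thread explains, cloud-init writes the key chosen at launch into the default user's `authorized_keys` on first boot, so login to instances built from the image is unaffected.

```shell
#!/bin/sh
# Added example (not code from the issue author, the Packer project or AWS):
# final cleanup step, run as root before the AMI snapshot is taken, that
# removes every authorized_keys file under ROOT (default "/") so the Packer
# temporary keypair is not authorized on instances launched from the image.
# The ROOT parameter is an assumption added to allow testing on a scratch
# directory; in a Packer shell provisioner call it with no argument.
set -eu

# Print every authorized_keys file under $1, one path per line.
list_authorized_keys() {
    find "$1" -type f -name authorized_keys 2>/dev/null
}

# Delete all authorized_keys files under $1 (default "/") and echo the
# number that remain afterwards; "0" means the sweep was complete.
clean_authorized_keys() {
    root="${1:-/}"
    list_authorized_keys "$root" | while IFS= read -r f; do
        rm -f "$f"
    done
    list_authorized_keys "$root" | wc -l | tr -d ' '
}

# Build a constructed sample filesystem layout (three users, each with an
# authorized_keys file) so the cleanup can be shown without touching /home.
make_sample_root() {
    d="$(mktemp -d)"
    mkdir -p "$d/home/ec2-user/.ssh" "$d/root/.ssh" "$d/home/app/.ssh"
    echo "ssh-rsa AAAAB3NzaC1yc2E...packer-temp packer" >"$d/home/ec2-user/.ssh/authorized_keys"
    echo "ssh-rsa AAAAB3NzaC1yc2E...packer-temp packer" >"$d/root/.ssh/authorized_keys"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...deploy deploy" >"$d/home/app/.ssh/authorized_keys"
    echo "$d"
}

if [ "$#" -gt 0 ]; then
    # e.g. as the last Packer provisioner:  sudo sh clean_keys.sh /
    remaining="$(clean_authorized_keys "$1")"
    echo "authorized_keys files remaining under $1: $remaining"
    [ "$remaining" = "0" ]
fi
```

Run it as the last `shell` provisioner with `"execute_command"` elevated to root, so that root's own `~/.ssh/authorized_keys` is covered as well as the builder user's; the non-zero exit when files remain makes Packer abort the build instead of shipping an image that still trusts the temporary key.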

ghost

ghost commented Jan 23, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@hashicorp hashicorp locked and limited conversation to collaborators Jan 23, 2020