# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"). You # may not use this file except in compliance with the License. A copy of # the License is located at # # http://aws.amazon.com/apache2.0/ # # or in the "license" file accompanying this file. This file is # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF # ANY KIND, either express or implied. See the License for the specific # language governing permissions and limitations under the License. %define __spec_install_post %{nil} %define debug_package %{nil} %define __os_install_post %{_dbpath}/brp-compress %global project aws-ec2-instance-connect-config %global with_selinux 1 %global modulename ec2-instance-connect %global selinuxtype targeted Name: ec2-instance-connect Summary: EC2 instance scripting and configuration for EC2 Instance Connect Version: 1.1.17 Release: 1%{?dist} License: Apache-2.0 URL: https://github.com/aws/%{project} Source0: https://github.com/aws/%{project}/archive/%{version}/%{project}-%{version}.tar.gz # SELinux Policy Source1: %{modulename}.te Source2: %{modulename}.if Source3: %{modulename}.fc # Mentioned as v1.1.18 fix in upstream .spec but never released. Backport till upstream releases >1.1.17 Patch1: 0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch BuildArch: noarch BuildRequires: systemd Requires: openssh >= 6.9.0, coreutils, openssh-server >= 6.9.0, openssl, curl, systemd Requires(pre): glibc-common, shadow-utils, systemd, systemd-units Requires(post): grep, coreutils, openssh-server >= 6.9.0, systemd, systemd-units Requires(preun): systemd, systemd-units Requires(postun): shadow-utils, systemd, systemd-units %if 0%{?with_selinux} # This ensures that the *-selinux package and all its dependencies are not pulled # into containers and other systems that do not use SELinux Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) %endif %description %{summary} %if 0%{?with_selinux} # SELinux subpackage %package selinux Summary: ec2-instance-connect SELinux policy BuildArch: noarch Requires: selinux-policy-%{selinuxtype} Requires(post): selinux-policy-%{selinuxtype} BuildRequires: selinux-policy-devel %{?selinux_requires} %description selinux Custom SELinux policy module for ec2-instance-connect %endif %prep %autosetup -p1 -n %{project}-%{version} %build %if 0%{?with_selinux} # SELinux policy (originally from selinux-policy-contrib) # this policy module will override the production module mkdir selinux cp -p %{SOURCE1} selinux/ cp -p %{SOURCE2} selinux/ cp -p %{SOURCE3} selinux/ make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp bzip2 -9 %{modulename}.pp %endif %install mkdir -p %{buildroot}/%{_bindir} install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_run_authorized_keys" %{buildroot}/%{_bindir} install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_curl_authorized_keys" %{buildroot}/%{_bindir} install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_parse_authorized_keys" %{buildroot}/%{_bindir} %if 0%{?with_selinux} install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 install -D -p -m 0644 selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{modulename}.if %endif %if 0%{?with_selinux} # SELinux contexts are saved so that only affected files can be # relabeled after the policy module installation %pre selinux %selinux_relabel_pre -s %{selinuxtype} %post selinux %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 %postun selinux if [ $1 -eq 0 ]; then %selinux_modules_uninstall -s %{selinuxtype} %{modulename} fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} # if with_selinux %endif %if 0%{?with_selinux} %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* %{_datadir}/selinux/devel/include/distributed/%{modulename}.if %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %endif %files %doc README.md CONTRIBUTING.md CODE_OF_CONDUCT.md %license LICENSE NOTICE %attr(0755,root,root) %{_bindir}/eic_run_authorized_keys %attr(0755,root,root) %{_bindir}/eic_curl_authorized_keys %attr(0755,root,root) %{_bindir}/eic_parse_authorized_keys %pre # Create/configure system user %{_bindir}/getent passwd ec2-instance-connect || %{_sbindir}/useradd -r -M -s %{_sbindir}/nologin ec2-instance-connect %{_sbindir}/usermod -L ec2-instance-connect %post modified=1 # Configure sshd to use EC2 Instance Connect's AuthorizedKeysCommand EXEC_OVERRIDE='ExecStart=%{_sbindir}/sshd -D -o "AuthorizedKeysCommand %{_bindir}/eic_run_authorized_keys %%%%u %%%%f" -o "AuthorizedKeysCommandUser ec2-instance-connect" $SSHD_OPTS' # If there is nothing in the AuthorizedKeysCommand field of sshd_config *and* nothing in any sshd override, add our config if ! %{_bindir}/grep -q '^[^#]*AuthorizedKeysCommand[[:blank:]]\+.*$' %{_sysconfdir}/ssh/sshd_config ; then if ! %{_bindir}/grep -q '^[^#]*AuthorizedKeysCommandUser[[:blank:]]\+.*$' %{_sysconfdir}/ssh/sshd_config ; then if ! %{_bindir}/grep -q '^[^#]*AuthorizedKeysCommandRunAs[[:blank:]]\+.*$' %{_sysconfdir}/ssh/sshd_config ; then # If systemd unit contains AKC don't override it if ! %{_bindir}/grep -q "AuthorizedKeysCommand" %{_prefix}/lib/systemd/system/sshd.service ; then can_modify=1 if [ -d %{_libdir}/systemd/system/sshd.service.d ] ; then # If *any* override contains an ExecStart, don't override it if ! %{_bindir}/grep -Rq "ExecStart" %{_prefix}/lib/systemd/system/sshd.service.d/ ; then can_modify=0 fi else # Or there are no overrides %{_bindir}/mkdir %{_prefix}/lib/systemd/system/sshd.service.d can_modify=0 fi if [ $can_modify -eq 0 ] ; then # Add our configuration %{_bindir}/printf "%s\n%s\n%s\n" "[Service]" "ExecStart=" "${EXEC_OVERRIDE}" > %{_prefix}/lib/systemd/system/sshd.service.d/ec2-instance-connect.conf modified=0 fi fi fi fi fi if [ $modified -eq 0 ] ; then # Restart sshd systemctl daemon-reload if %{_bindir}/systemctl is-active --quiet sshd ; then %{_bindir}/systemctl restart sshd fi fi %preun if [ $1 -eq 0 ] ; then modified=1 # Remove EC2 Instance Connect sshd override if present if [ -f %{_prefix}/lib/systemd/system/sshd.service.d/ec2-instance-connect.conf ] ; then %{_bindir}/rm -f %{_prefix}/lib/systemd/system/sshd.service.d/ec2-instance-connect.conf if [ -z "$(ls -A %{_prefix}/lib/systemd/system/sshd.service.d)" ] ; then # There were no other overrides, clean up %{_bindir}/rmdir %{_prefix}/lib/systemd/system/sshd.service.d fi modified=0 fi # Restart sshd if [ $modified -eq 0 ] ; then %{_bindir}/systemctl daemon-reload if %{_bindir}/systemctl is-active --quiet sshd ; then %{_bindir}/systemctl restart sshd fi fi fi %postun if [ $1 -eq 0 ] ; then # Delete system user %{_sbindir}/userdel ec2-instance-connect fi %changelog * Mon Apr 8 2024 Dominik Wombacher 1.1.17-1 - Initial package - Fix: Update curl command to not fail silently on HTTP server error. * Mon May 9 2022 Jacob Meisler 1.1-17 - OpenSSL 3.0.2 breaks strict x509 verification for one of our intermediate CA certificates. - Only verify CA certificates that aren't already trusted in /etc/ssl/certs. - OpenSSL 3.0.2 also changes the formatting of the SHA1 fingerprint of an x509 certificate. Switch to a case insensitive match to be backwards and forwards compatible between OpenSSL versions. * Thu Sep 9 2021 Vishrutha Konappa Reddy 1.1-15 - Change EIC Hostkeys Harvesting to be asynchronous from SSHD to improve instance boot time - Rename and enable ec2-instance-connect-harvest-hostkeys.service. Remove pointer to old ec2-instance-connect.service. * Fri Feb 26 2021 Paul Oh 1.1-14 - Ensure failure to run host key harvesting does not leave instances in degraded state * Thu Oct 22 2020 Jacob Meisler 1.1-13 - Verify that domain returned from IMDS is an AWS domain * Tue Nov 19 2019 Daniel Anderson 1.1-12 - Adding support for Instance Metadata Service Version 2 - Modifying cURL invocation to avoid need for eval - Cleaning up shellcheck catches * Wed Aug 21 2019 Daniel Anderson 1.1-11 - Removing errant write to /tmp - Cleaning up bad bash practices, including umask race condition * Wed Jul 3 2019 Daniel Anderson 1.1-10 - Fix for an update to openssl (or dependencies) affecting behavior of CApath option on openssl verify - Fixing Nitro behavior of hostkey harvesting and post-installation systemd hooks * Wed May 15 2019 Daniel Anderson 1.1-9 - Fixing existing AuthorizedKeysCommand detection - Adding additional licensing headers - Improved mechanism for detection if script is running on an EC2 instance * Wed Apr 24 2019 Daniel Anderson 1.1-8 - Better detection of existing user customization * Fri Mar 29 2019 Daniel Anderson 1.1-7 - Change to Amazon Linux configuration * Wed Mar 20 2019 Daniel Anderson 1.1-6 - Verification of EC2 hypervisor UUID * Fri Mar 15 2019 Daniel Anderson 1.1-5 - Added slightly stronger checks that we're getting valid data from Instance Metadata Service/on an instance * Wed Jan 30 2019 Daniel Anderson 1.1-4 - Fixed a bug in reading instance-identity credentials as part of hostkey harvesting and dropped AWS CLI dependency - Added support for non-Amazon Linux yum distributions, such as RHEL and CentOS - Hardened error handling * Fri Dec 21 2018 Daniel Anderson 1.1-3 - Fixing an issue with the hostkey harvesting script - it was using default creds instead of instance-identity * Fri Dec 7 2018 Daniel Anderson 1.1-2 - Minor changes to package build process to share code with Debian packaging * Tue Oct 23 2018 Anshumali Prasad 1.1-1 - Hostkey harvesting for EC2 Instance Connect. * Mon Oct 22 2018 Daniel Anderson 1.0-3 - Updating exit status on no-data case, improving support for newer openssl versions * Tue Oct 9 2018 Daniel Anderson 1.0-2 - Cleaning up package requirements & post installation hook * Wed Jun 13 2018 Daniel Anderson 1.0-1 - Initial RPM build for EC2 Instance Connect targeting Amazon Linux 2.