This repository has been archived by the owner on Nov 8, 2021. It is now read-only.

Add dependency check to install script #122

Open
laurikimmel opened this issue Apr 8, 2018 · 7 comments

@laurikimmel

Metadata:

  • Operating System: Debian 8.10
  • Installation method: install.sh script
  • AWS CLI Version: not sure any more, less than 1.15.2

I was not able to log in over SSH with an existing IAM user account. Troubleshooting revealed

aws iam list-ssh-public-keys --user-name "$UnsaveUserName" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text

in authorized_keys_command.sh was returning an error because of an outdated version of awscli.

Upgrading awscli to the latest available (1.15.2) fixed the issue.

  1. document minimum required versions for dependencies
  2. add version checks to install script. E.g. check available versions and abort in case they don't meet minimum requirements

@michaelwittig
Contributor

works on aws-cli/1.11.133 Python/2.7.5 Linux/3.10.0-693.el7.x86_64 botocore/1.6.0

@artburkart

For the record, I'm able to get it to work on legacy machines with Python 2.6.6. @michaelwittig, would you be interested in receiving a PR for the version checks?

@michaelwittig
Contributor

@artburkart but I believe we first have to figure out the minimum version?

@artburkart

Ha, I was thinking we could just say something is the minimum until proven otherwise.

laurikimmel changed the title from "Add dependency check to install scrip" to "Add dependency check to install script" on Jul 12, 2018

@laurikimmel
Author

Another experience with unmet dependencies.

Started a fresh EC2 instance from a fairly recent Ubuntu Server 16.04 LTS (HVM) - ami-2a7d75c0. According to https://cloud-images.ubuntu.com/query/xenial/server/released.current.txt it's a release from 2018-06-27.

Installed pip and awscli using

sudo apt-get update
sudo apt-get install python-pip -y
sudo pip install awscli --upgrade

As recommended in the awscli user guide https://docs.aws.amazon.com/cli/latest/userguide/installing.html

Executed the install script successfully using sudo ./install.sh.
User accounts were synchronised from IAM but I didn't manage to log in using SSH. It turned out user nobody was not able to execute aws. (I don't have the exact error message available any more.)

Uninstalling awscli (using pip) + pip and installing awscli using apt-get did solve the problem.

Clearly it is an issue with the python + pip + awscli setup.
OTOH it's an easy way to end up with a nonfunctional system =|

A potential solution would be to test if user nobody can execute /opt/authorized_keys_command.sh and abort installation on failure.

Sidenotes:

  • apt-get installs quite an ancient version of awscli:

aws --version
aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-1062-aws botocore/1.4.70

It's from November 2016. The latest available version is 1.15.57.

  • user nobody is configured in /etc/ssh/sshd_config:

AuthorizedKeysCommand /opt/authorized_keys_command.sh
AuthorizedKeysCommandUser nobody

@michaelwittig
Contributor

@laurikimmel in our test, we install apt-get install git awscli and it works. Have you used the install.sh script for installation of aws-ec2-ssh?

@laurikimmel
Author

> in our test, we install apt-get install git awscli and it works.

It works for me too in case I install awscli using apt-get.

> Have you used the install.sh script for installation of aws-ec2-ssh?

Yes - I used install.sh script.

My point is - it's easy to get to the state where awscli is not set up properly for aws-ec2-ssh.

  • started new instance
  • cloned aws-ec2-ssh repo from GH
  • executed aws-ec2-ssh/install.sh script as sudo
  • it failed with message about missing awscli (which is good and expected)
  • went to awscli page and followed installation instructions
    • installed pip (it was missing from the system)
    • installed awscli using pip (as recommended in awscli user manual)
  • at this point I was able to execute aws-ec2-ssh/install.sh script successfully

After installation I was not able to log in with SSH although user accounts were synced from IAM.
I suspect many potential aws-ec2-ssh users might stop here.

The actual problem is - user nobody can't execute awscli commands while root (via sudo) and the default user (ubuntu in the current case) can. Command

sudo -u nobody /opt/authorized_keys_command.sh xxx

fails with appropriate message.

In my opinion it would save lots of time and confusion if install.sh would check whether dependencies are properly installed or not.
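
The two checks proposed in this thread (a minimum awscli version, and confirming that the AuthorizedKeysCommandUser can actually run aws), written as shell functions an installer could call before changing sshd_config. This is an added example, not code from aws-ec2-ssh; the function names and the MIN_AWSCLI value are assumptions, since the thread never establishes a minimum version.

```shell
#!/bin/sh
# Added example: pre-flight checks for an installer; not the project's install.sh.
MIN_AWSCLI="1.11.13"   # assumption: placeholder only, the thread settles no minimum
KEYS_USER="nobody"     # AuthorizedKeysCommandUser from the sshd_config quoted above

# Extract "1.11.13" from `aws --version` output such as
#   aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-1062-aws botocore/1.4.70
parse_awscli_version() {
  printf '%s\n' "$1" | sed -n 's|^aws-cli/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 when dotted version $1 >= $2. Fields are compared as numbers,
# so 1.11.133 is newer than 1.11.13 and 1.9.0 is older than 1.15.2.
version_ge() {
  _have=$1; _want=$2
  while [ -n "$_have" ] || [ -n "$_want" ]; do
    _a=${_have%%.*}; _b=${_want%%.*}
    [ "${_a:-0}" -gt "${_b:-0}" ] && return 0
    [ "${_a:-0}" -lt "${_b:-0}" ] && return 1
    # Drop the field just compared; a missing field counts as 0.
    case $_have in *.*) _have=${_have#*.} ;; *) _have= ;; esac
    case $_want in *.*) _want=${_want#*.} ;; *) _want= ;; esac
  done
  return 0
}

# $1 = text printed by `aws --version`, $2 = minimum version.
# Returns 0 if new enough, 1 if too old, 2 if the text is not recognisable.
check_awscli_min() {
  _ver=$(parse_awscli_version "$1")
  [ -n "$_ver" ] || { echo "cannot parse awscli version from: $1" >&2; return 2; }
  version_ge "$_ver" "$2" && return 0
  echo "awscli $_ver is older than required $2" >&2
  return 1
}

# Run `aws --version` as the account sshd uses for AuthorizedKeysCommand.
# An awscli that only root or the login user can execute fails here, at
# install time, instead of at the first SSH login. 2>&1 because some
# awscli builds print the version on stderr.
preflight() {
  _out=$(sudo -n -u "$KEYS_USER" aws --version 2>&1) || {
    echo "user $KEYS_USER cannot run aws: $_out" >&2; return 3; }
  check_awscli_min "$_out" "$MIN_AWSCLI"
}
```

An installer would call `preflight || exit 1` after its existing check that aws is present and before it writes AuthorizedKeysCommand into sshd_config.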
