Issue with opkssh setup on AWS EC2

[rishangbhavsar]

In AWS EC2 we already have a auth config file /usr/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf due to which opkssh was not able to work this is what I did for the fix, but please let me know if there are better options.

Way to reproduce:

• Take an AWS EC2 instance with ubuntu AMI
• Setup opkssh on server via the install script available in repo README

Steps I used for the fix

1. Remove EC2 drop-in that overrides the keys command

sudo mv /usr/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf /usr/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf.bak

2. Reload systemd to reflect the change

sudo systemctl daemon-reload

3. Make sure ssh.service is directly enabled (not socket-activated)

sudo systemctl disable ssh.socket
sudo systemctl enable ssh.service

4. Restart the SSH server cleanly

sudo systemctl restart ssh

[EthanHeilman]

Yes, this is a known issue, but despite having copious notes on it, for some reason didn't have a github issue for it (1000 shames upon me). I've created a github issue at #465 to track it.

SSHd only supports one authorized keys command so if authorized keys command is pointed to aws instance connect, opkssh can't use.

Disabling aws instance connect as you have done is a reasonable fix by moving the ec2-instance-connect.conf to ec2-instance-connect.conf.bak.

If you want to use both aws instance connect and opkssh, you could create a script that calls opkssh and then calls aws instance connect.

Would you be interested creating a PR to add this fix to the documentation?

[Rishang]

For anyone who comes across this discussion, here is the documentation for solving this problem https://github.com/openpubkey/opkssh/blob/main/docs/aws-ec2.md

#467