keymaker AuthorizedKeysCommand ignored on amazon-linux-2

[quagly]

ISSUE: The AuthorizedKeysCommand is ignored on amazon-linux-2

ROOT CAUSE: Amazon-Linux-2 includes its own AuthorizedKeysCommand in preparation for an upcoming feature for storing public keys in metadata. See release notes under "OpenSSH daemon configuration file /etc/ssh/sshd_config updates" sshd only honors the first AuthorizedKeysCommand entry.

RESOLUTION:
Comment out the existing entries or put keymaker entries first

[quagly]

Resolved this for myself with this following cfn-init.

I do not recommend that keymaker handle this issue as keymaker cannot know why someone may have existing entries. If we agree I will close the issue.

              # authorized keys from sshd_config conflicts with keymaker sshd config
              comment-out-authorized-keys:
                command: "sed -e '/^AuthorizedKeysCommand/ s/^/#/' -i /etc/ssh/sshd_config"
                ignoreErrors: "false"```

[kislyuk]

Interesting, thank you for the link to the release notes. It looks like AWS is looking to implement the equivalent of Keymaker in Amazon Linux :)

I agree Keymaker in its current form is not ready to deal with the presence of other AuthorizedKeysCommands. I'll keep this issue open to track what (if anything) should be done in that case.