Vanaan

Reputation: 69

I am not able to log in to the bastion server: permission denied error

Every time I log in to the bastion server, an initial shell script runs and records the session.

#!/bin/bash
# Login wrapper: only interactive sessions are allowed, and each one is
# recorded with script(1) into a timing file and a typescript data file.
if [[ -z "$SSH_ORIGINAL_COMMAND" ]]; then

  # log name: timestamp plus the logging-in user
  LOG_FILE="$(date "+%Y-%m-%d_%H-%M-%S")_$(whoami)"
  LOG_DIR="/var/log/ssh-bastion/"

  echo ""
  echo "NOTE: This SSH session will be recorded"
  echo "AUDIT KEY: $LOG_FILE"
  echo ""

  # suffix the log file name with a random string (mktemp -u only generates the name).
  SUFFIX="$(mktemp -u _XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)"

  # -q: quiet, -f: flush after every write so the recording survives a dropped session
  script -qf --timing="$LOG_DIR$LOG_FILE$SUFFIX.time" "$LOG_DIR$LOG_FILE$SUFFIX.data" --command=/bin/bash

else
  echo "This bastion supports interactive sessions only. Do not supply a command"
  exit 1

fi

Now, when I try to log in, it gives the error below:

script: cannot open /var/log/ssh-bastion/2024-03-29_06-52-11_username_m8hI1GxwGYd5847vhanBcn9Www1Koq8X.data: Permission denied

It was working well earlier, and I have been facing this issue for 2 days. All my directory permissions are the same, and there has been no change to any file or directory permissions.

Upvotes: 0

Views: 204

Answers (1)

Vanaan

Reputation: 69

I fixed this issue. There was a problem with the apt daily upgrade activities on the Ubuntu EC2s, which run automatically and change the permissions of the /usr/bin/script file. We use this file to create login session files at every login session. Since I have admin access to the EC2, I logged in as the ubuntu user and noticed this. To prevent bastion host users from listing the folder containing the log files, the file permissions had been changed for the group owner of the "script" file under the /usr/bin/ directory, and the setgid bit was set, by running the commands below.

sudo chown root:ubuntu /usr/bin/script

sudo chmod g+s /usr/bin/script

We launched these bastion servers almost 2 years back and we had not faced this issue. It has been happening for the past 5 days. I got the info about the apt upgrade activities from the system log files.

This will also create issues in the future because of these auto-upgrade activities. I am thinking of modifying the startup shell script I posted above so that, before creating a login file, it checks the file permissions and, if they have changed, updates them to the desired permissions and then executes the rest of the script.

Upvotes: 0
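As an added example (not code from the question or the answer above), here is the check the answer proposes, written as bash functions. It compares the recorder binary's owner, group and octal mode (GNU stat, coreutils) with the values the answer set with chown root:ubuntu and chmod g+s, and only when run as root with --fix does it restore them and register them with dpkg-statoverride so that the next upgrade of the package that ships /usr/bin/script keeps them. The path, the expected root:ubuntu / 2755 values and the function names are assumptions taken from the commands in the answer.

```bash
#!/bin/bash
# Added example, not part of the original question or answer.
# Verifies that the session recorder binary still carries the ownership and
# setgid mode the bastion relies on, and (root + --fix only) restores them
# and records a dpkg override so a package upgrade does not reset them.
# Assumptions: SCRIPT_BIN and the WANT_* values below come from the answer's
# chown/chmod commands; the function names are made up for this example.
# Requires GNU stat for the -c format.

SCRIPT_BIN="${SCRIPT_BIN:-/usr/bin/script}"
WANT_OWNER="root"
WANT_GROUP="ubuntu"
WANT_MODE="2755"   # rwxr-sr-x: script(1) runs with the ubuntu group, which owns the log dir

# check_perms PATH OWNER GROUP MODE
# Returns 0 when owner, group and octal mode all match, 1 on a mismatch,
# 2 when PATH cannot be stat'ed.
check_perms() {
  local path="$1" owner="$2" group="$3" mode="$4" actual
  actual="$(stat -c '%U:%G:%a' "$path" 2>/dev/null)" || return 2
  [ "$actual" = "$owner:$group:$mode" ]
}

# restore_perms PATH OWNER GROUP MODE
# Must run as root. Re-applies ownership and mode, then registers them with
# dpkg-statoverride so dpkg re-applies them whenever the owning package
# (dpkg -S PATH shows which one) is upgraded. --list exits 1 when no
# override exists yet, so the --add only happens the first time.
restore_perms() {
  local path="$1" owner="$2" group="$3" mode="$4"
  chown "$owner:$group" "$path" || return 1
  chmod "$mode" "$path" || return 1
  if ! dpkg-statoverride --list "$path" >/dev/null 2>&1; then
    dpkg-statoverride --update --add "$owner" "$group" "$mode" "$path" || return 1
  fi
}

# Entry point: always report; change anything only when asked to and able to.
if check_perms "$SCRIPT_BIN" "$WANT_OWNER" "$WANT_GROUP" "$WANT_MODE"; then
  echo "ok: $SCRIPT_BIN is $WANT_OWNER:$WANT_GROUP mode $WANT_MODE"
elif [ "${1:-}" = "--fix" ] && [ "$(id -u)" -eq 0 ]; then
  echo "restoring $WANT_OWNER:$WANT_GROUP mode $WANT_MODE on $SCRIPT_BIN" >&2
  restore_perms "$SCRIPT_BIN" "$WANT_OWNER" "$WANT_GROUP" "$WANT_MODE"
else
  echo "warning: $SCRIPT_BIN is not $WANT_OWNER:$WANT_GROUP mode $WANT_MODE (run as root with --fix)" >&2
fi
```

One caveat on the plan in the answer: the login wrapper runs as the unprivileged bastion user, so from there it can only detect the reset and refuse or warn, not chown a file in /usr/bin. The --fix path belongs in something root runs (a boot-time unit or a root cron job), and once dpkg-statoverride has recorded the override, the daily upgrade that caused this should stop undoing it in the first place.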
