Custom Shell for `aws ssm start-session` #131

Open
kellertobias opened this issue Oct 27, 2018 · 28 comments

@kellertobias kellertobias commented Oct 27, 2018

I want to replace our ssh/ldap login with the ssm for all our AWS servers.

However the /bin/sh shell is not my favourite, so I want to use bash as default shell. I already configured that for the user ssm-user, however it still starts /bin/sh on startup.

(also tried to link /bin/sh to /bin/bash, but somehow it still finds /bin/bsh)

@itoperatorguy itoperatorguy commented Nov 21, 2018

+1 for this feature

@johnnyplaydrums johnnyplaydrums commented Dec 4, 2018

Would love for session manager to respect passwd settings (not sure how/why it's not now, is it because it's a non login shell?), like setting the default shell, etc. Is it possible to do this now somehow?

@teambob teambob commented Dec 28, 2018

The line of code in the agent is here:

@JibbyAni JibbyAni commented Jan 18, 2019

+1 on this

@HewittJC HewittJC commented Jan 21, 2019

As @johnnyplaydrums said, I think it's sort of dangerous (for lack of a better word) to not respect general Linux behavior.

Some sort of configuration file on the instance or a setting in the AWS console would be acceptable too.

@teambob teambob commented Jan 22, 2019

Perhaps the agent could respect the shell setting in /etc/passwd for ssm-user?

@mewelling mewelling commented Feb 20, 2019

I can get to the shell I want by just calling /bin/bash directly upon login, but that just seems like an extra step. +1 on respecting /etc/passwd.

@Robert-Joe Robert-Joe commented Feb 26, 2019

Yeah, I have to type in "bash -l -o vi" to get my preferred login shell. It would be so simple for AWS to implement. Talk about being in the dark ages...

@Robert-Joe Robert-Joe commented Feb 26, 2019

So the fix is this in amazon-ssm-agent/agent/session/plugins/shell/shell_unix.go

    // Program name and flag are separate arguments to exec.Command.
    cmd := exec.Command("bash", "-l")
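As an added example (not part of the thread and not the agent's own code), here is one way an agent could honor the shell field in /etc/passwd, as several comments ask, while accepting only shells listed in /etc/shells. The function names and the inline sample file contents are constructed for illustration; the `-l` flag follows the comment above.

```go
package main

import (
	"bufio"
	"fmt"
	"os/exec"
	"strings"
)

// Constructed sample data standing in for /etc/passwd and /etc/shells.
const samplePasswd = "ssm-user:x:1001:1001::/home/ssm-user:/bin/bash\n" +
	"svc:x:1002:1002::/home/svc:/tmp/not-a-shell\n"
const sampleShells = "# valid login shells\n/bin/sh\n/bin/bash\n"

// lines returns the non-empty, non-comment lines of a config file's content.
func lines(content string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		if l := strings.TrimSpace(sc.Text()); l != "" && !strings.HasPrefix(l, "#") {
			out = append(out, l)
		}
	}
	return out
}

// loginShell returns the user's passwd shell only if shells lists it, else /bin/sh.
func loginShell(passwd, shells, user string) string {
	allowed := map[string]bool{}
	for _, s := range lines(shells) {
		allowed[s] = true
	}
	for _, l := range lines(passwd) {
		if f := strings.Split(l, ":"); len(f) == 7 && f[0] == user && allowed[f[6]] {
			return f[6]
		}
	}
	return "/bin/sh"
}

// shellCommand passes the program and its "-l" flag as separate arguments;
// a single "bash -l" string would be treated as the executable's name.
func shellCommand(passwd, shells, user string) *exec.Cmd {
	return exec.Command(loginShell(passwd, shells, user), "-l")
}

func main() {
	fmt.Println(shellCommand(samplePasswd, sampleShells, "ssm-user").Args)
}
```

An unknown user, an empty shell field, or a shell missing from the allow-list all resolve to `/bin/sh`, so a bad passwd entry cannot make the agent execute an arbitrary path.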

@eyablonowitz eyablonowitz commented Mar 4, 2019

I'm not sure if this should be a separate feature request, but I'd like to be able to specify the initial command - e.g. aws ssm start-session <command>.

My use case:
I'm writing a tool to start an SSM session on an ECS Container Instance and I want to immediately docker exec to start a shell, rails console, python console... inside one of the containers along the lines of https://engineering.loyaltylion.com/running-an-interactive-console-on-amazon-ecs-c692f321b14d.

Right now my script is sadly forced to print the docker exec command and advise the user to copy/paste it at the ssm session shell prompt.

@cwarner-mdsol cwarner-mdsol commented Mar 11, 2019

Bump; I wanted to provide a patch but also talk this out a bit. It's simple in theory but that's only if it's made a configurable independent option by itself. If we go the passwd route or PAM, this becomes a much more involved thing. If there was a roadmap for this it would be helpful.

@dantech2000 dantech2000 commented Apr 16, 2019

👍 this pls

@talawahtech talawahtech commented May 12, 2019

Has anybody figured out a workaround for this (other than instructing users to manually run a command)?

sh (which is really bash in "sh" mode) doesn't seem to be picking up any of the usual start up scripts like /etc/profile or ~/.profile that could be used to automatically run a command. If the code called exec.Command("sh -l") instead, then at least those could be used.

Apparently if you set an environment variable named ENV with the path to a shell script, then sh will execute that script when it runs, alas it is a chicken and egg problem because there doesn't seem to be a way to set ENV.

What's even worse, the non-primary groups for ssm-user don't seem to get recognized automatically either, so even though I add the ssm-user to the docker group, it can't run docker commands by default.

@fiducioso-dan fiducioso-dan commented May 28, 2019

I think custom shell invocations are possible now mostly due to commit d2d2746. Apparently you need to reference an SSM document when calling StartSession. I have not attempted this yet.

@skorfmann skorfmann commented May 31, 2019

@fiducioso-dan

> I think custom shell invocations are possible now mostly due to commit d2d2746. Apparently you need to reference an SSM document when calling StartSession. I have not attempted this yet.

Tried to create a document according to the commit like the following:

    {
        "schemaVersion": "1.0",
        "description": "Document to hold regional settings for Session Manager",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": "",
            "s3KeyPrefix": "",
            "s3EncryptionEnabled": true,
            "cloudWatchLogGroupName": "",
            "cloudWatchEncryptionEnabled": true
        },
        "sessionCommands": [{
            "commands": "bash -lc 'echo fooooooooo'"
        }]
    }

Unfortunately, the API is rejecting sessionCommands:

    Error creating SSM document: InvalidDocumentContent: SessionCommands is not supported in Standard_Stream session type
        status code: 400

The only halfway official docs about session documents I found: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-configure-preferences-cli.html

Sort of looks like the agent itself would support it, but there's no way to create such a document. Ideas?

@slikk66 slikk66 commented Jun 14, 2019

Bump.. my company is evaluating using this to replace our vpn/key access for several hundred machines but this is a dealbreaker. We need logins to load the shell/command of our choice as would be possible in /etc/passwd

@brainstorm brainstorm commented Jun 15, 2019

I'm in the same situation, I then filed an AWS support ticket and here's where it is for now (since 2-3 days ago):

> They (SSM AWS internal team) say that the SSM support /bin/sh and the behavior you are noticing is normal and by design, however there is a plan for SSM to support bash preference in the future.
>
> They are currently looking for a workaround to the issue and I will update you as soon as I get feedback.
>
> I will keep this case open until I update you on the workaround. In the mean time please reach out if you have any further questions, I will be glad to assist.

I really hope that they don't come up with an aws ssm --use-bash or similar non-intuitive flag. I do expect and hope that the final solution respects /etc/passwd, transparently, as @slikk66 mentions.

Fingers crossed.

@tdmalone tdmalone commented Jun 15, 2019

Thanks for filing a ticket @brainstorm! Please do let us know what workaround is offered.

@brainstorm brainstorm commented Jun 21, 2019

There's actually an issue from 2017 about this same topic but it was left behind, apparently.

And also the possibility to use SSH instead, as pointed out in issue #188

... let's see what the SSM team comes up with.

@brainstorm brainstorm commented Jun 26, 2019

SSM team came back via AWS Support:

The main reason session manager is not using "bash" as default shell is because of logging. When using "bash" shell, session log files that are generated have formatting issues and gibberish characters. Due to the logging issue on bash, session manager launches "sh" as a default shell at the moment.

They have also noted that they are currently working on implementing "bash" but they have to research and look for workarounds to improve logging which I believe might take some time.

@teambob teambob commented Jun 27, 2019

> SSM team came back via AWS Support:
>
> The main reason session manager is not using "bash" as default shell is because of logging. When using "bash" shell, session log files that are generated have formatting issues and gibberish characters. Due to the logging issue on bash, session manager launches "sh" as a default shell at the moment.
>
> They have also noted that they are currently working on implementing "bash" but they have to research and look for workarounds to improve logging which I believe might take some time.

Are there any links to bash bugs which give an idea what the problem is? I haven't had any problems with bash logging

@johnnyplaydrums johnnyplaydrums commented Jun 27, 2019

> > SSM team came back via AWS Support:
> >
> > The main reason session manager is not using "bash" as default shell is because of logging. When using "bash" shell, session log files that are generated have formatting issues and gibberish characters. Due to the logging issue on bash, session manager launches "sh" as a default shell at the moment.
> >
> > They have also noted that they are currently working on implementing "bash" but they have to research and look for workarounds to improve logging which I believe might take some time.
>
> Are there any links to bash bugs which give an idea what the problem is? I haven't had any problems with bash logging

Same here. No issue with Bash logs.

@phene phene commented Jun 27, 2019

> > SSM team came back via AWS Support:
> >
> > The main reason session manager is not using "bash" as default shell is because of logging. When using "bash" shell, session log files that are generated have formatting issues and gibberish characters. Due to the logging issue on bash, session manager launches "sh" as a default shell at the moment.
> >
> > They have also noted that they are currently working on implementing "bash" but they have to research and look for workarounds to improve logging which I believe might take some time.
>
> Are there any links to bash bugs which give an idea what the problem is? I haven't had any problems with bash logging

Wouldn't this also mean that starting bash once you're in the session breaks logging?

@drAlberT drAlberT commented Aug 23, 2019

"breaks logs" means they are messed up with tons of non printable characters .. using colors for example fills the logs with a lot of escape sequences ...

I suppose AWS guys are talking about this
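As an added example (not part of the thread and not the agent's own code), this shows the kind of escape-sequence noise described above and one way to strip it from a captured session log before review. The sample log bytes and the function name `sanitize` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: bytes a colour prompt and `ls --color` could leave in a raw session log.
const rawLog = "\x1b]0;ssm-user@host:~\x07\x1b[01;32mssm-user@host\x1b[00m:\x1b[01;34m~\x1b[00m$ ls\r\n" +
	"\x1b[0m\x1b[01;34mapp\x1b[0m  notes.txt\r\n"

var (
	// OSC (e.g. window title): ESC ] ... ended by BEL or ESC \
	osc = regexp.MustCompile(`\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)`)
	// CSI (colours, cursor movement): ESC [ parameters, intermediates, final byte
	csi = regexp.MustCompile(`\x1b\[[0-?]*[ -/]*[@-~]`)
)

// sanitize removes OSC and CSI sequences and any remaining control bytes
// except newline and tab. It returns the cleaned text and the number of
// escape sequences removed, which a reviewer can use to spot noisy logs.
func sanitize(raw string) (string, int) {
	removed := 0
	for _, re := range []*regexp.Regexp{osc, csi} {
		removed += len(re.FindAllStringIndex(raw, -1))
		raw = re.ReplaceAllString(raw, "")
	}
	clean := strings.Map(func(r rune) rune {
		if (r < 0x20 && r != '\n' && r != '\t') || r == 0x7f {
			return -1 // drop the control character
		}
		return r
	}, raw)
	return clean, removed
}

func main() {
	clean, n := sanitize(rawLog)
	fmt.Printf("removed %d escape sequences\n%s", n, clean)
}
```

Keep the raw log alongside the cleaned copy: the sanitized text is for reading, while the original bytes remain the audit record.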

@khuongduybui khuongduybui commented Oct 3, 2019

But what is the log going to look like if the first command I run after start-session connects is bash?

@TC-robV TC-robV commented Oct 3, 2019

@khuongduybui khuongduybui commented Oct 3, 2019

Yes, but does it produce gibberish log with escape sequences etc?

@MattRMcFarland MattRMcFarland commented Oct 16, 2019

@skorfmann Do you know why sessionCommands didn't take? That seems like a great solution but it looks like it never made it to a released version of the agent.
