Understanding a distro's config mechanism

The latest Ubuntu 20.04 AMI seems to enable EC2 Instance Connect by default. If you want to muck around with it, start from /lib/systemd/system/ssh.service and /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf, not from /etc/ssh/sshd_config.

You can thank me later.

And if you only look at /etc/systemd/system/sshd.service you will be just as puzzled, because nothing in it mentions EIC. That file is only a symlink (an alias) to /lib/systemd/system/ssh.service, which is where the meat is.

sshd.service is not the only such alias: syslog.service is likewise a symlink to /lib/systemd/system/rsyslog.service.

OK, so /etc/systemd/system is the place for local overrides of the unit definitions that packages install under /lib/systemd/system, and anything in /etc/systemd/system takes precedence over the same-named file in /lib/systemd/system.

The correct way to override is not to edit the .service file but to create a directory named servicename.service.d/ next to it and put *.conf files in that directory. Within such a .conf file you can override individual [Service] settings such as ExecStart=. Two caveats a practitioner should know: a drop-in under /etc/systemd/system/servicename.service.d/ with the same file name replaces the package's drop-in under /lib, so that is how you disable one without touching /lib; and because ExecStart= is a list, an override must first clear it with an empty ExecStart= line before assigning a new command, otherwise a non-oneshot service ends up with two ExecStart= entries and systemd refuses to start it. systemctl cat servicename.service prints the unit together with every drop-in that applies to it, which is the quickest way to see the effective definition, and systemctl daemon-reload is required after changing any of these files.

So, for example, in /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf, ExecStart is overridden with this command instead (the %% is how a literal % is written in a unit file, because %u and %f would otherwise be interpreted as systemd specifiers; sshd receives plain %u %f):-

[Service]
ExecStart=
ExecStart=/usr/sbin/sshd -D -o "AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %%u %%f" -o "AuthorizedKeysCommandUser ec2-instance-connect" $SSHD_OPTS
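As an added illustration (my own example, not code from the post or from Ubuntu's ssh or ec2-instance-connect packages), the following script builds a throwaway copy of the files above under a temporary directory and resolves ExecStart= the way systemd does: the alias symlink is followed, drop-ins are applied in file-name order with an /etc drop-in replacing a same-named /lib one, and an empty ExecStart= clears the list. The file contents are constructed to match what the post quotes; the function names (unit_files, effective_execstart) are assumptions for this illustration, and only ExecStart= and drop-ins under the unit's canonical name are modelled.

```shell
#!/bin/sh
# Added example, not from the original post: a small model of how systemd
# merges a unit with its drop-in directories, run against a constructed tree
# that mimics the Ubuntu 20.04 layout. Assumptions: only [Service] ExecStart=
# is modelled, drop-ins are looked up under the unit's canonical name only,
# and "readlink -f" (GNU coreutils) is available.
set -eu

ROOT=$(mktemp -d)          # stand-in for "/" so nothing real is touched
LIB="$ROOT/lib/systemd/system"
ETC="$ROOT/etc/systemd/system"
mkdir -p "$LIB/ssh.service.d" "$ETC"

# Constructed copies of the files the post describes.
cat > "$LIB/ssh.service" <<'EOF'
[Unit]
Description=OpenBSD Secure Shell server
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
EOF
cat > "$LIB/ssh.service.d/ec2-instance-connect.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/sshd -D -o "AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %%u %%f" -o "AuthorizedKeysCommandUser ec2-instance-connect" $SSHD_OPTS
EOF
ln -s "$LIB/ssh.service" "$ETC/sshd.service"   # the alias the post stumbled over

# unit_files NAME: print, in the order systemd applies them, the unit file
# (following an alias symlink) and the drop-ins for its canonical name.
# Drop-ins are sorted by file name; an /etc drop-in replaces a /lib drop-in
# with the same file name instead of being applied after it.
unit_files() {
  unit=""
  for f in "$ETC/$1" "$LIB/$1"; do
    if [ -e "$f" ]; then unit=$(readlink -f "$f"); break; fi
  done
  [ -n "$unit" ] || return 1
  real=$(basename "$unit")
  printf '%s\n' "$unit"
  for d in "$LIB/$real.d" "$ETC/$real.d"; do
    for c in "$d"/*.conf; do
      if [ -f "$c" ]; then printf '%s %s\n' "$(basename "$c")" "$c"; fi
    done
  done | sort -k1,1 -s |
    awk 'NR > 1 && $1 != prev { print path } { prev = $1; path = $2 } END { if (NR) print path }'
}

# effective_execstart NAME: apply systemd's list semantics to ExecStart=.
# Every assignment appends; an empty "ExecStart=" clears the list, which is
# why the EIC drop-in has to write that empty line before its own value.
effective_execstart() {
  unit_files "$1" | while IFS= read -r f; do cat "$f"; done | awk '
    BEGIN { n = 0 }
    /^\[/ { sect = $0; next }
    sect == "[Service]" && /^ExecStart=/ {
      v = substr($0, 11)
      if (v == "") n = 0; else cmds[++n] = v
    }
    END { for (i = 1; i <= n; i++) print cmds[i] }'
}

echo "== files systemd reads for sshd.service =="
unit_files sshd.service
echo "== effective ExecStart (systemd turns %% into % when it expands the unit) =="
effective_execstart sshd.service

# Local override without touching /lib: a same-named drop-in under /etc
# replaces the package's one. This one puts the stock command back.
mkdir -p "$ETC/ssh.service.d"
printf '[Service]\nExecStart=\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n' \
  > "$ETC/ssh.service.d/ec2-instance-connect.conf"
echo "== effective ExecStart after the /etc override =="
effective_execstart sshd.service
```

On a real host the equivalent checks are systemctl cat ssh.service for the file list and systemctl show ssh -p ExecStart (or ps -o args -C sshd) for what is actually running.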

If you only look in /etc/ssh/sshd_config or /etc/systemd/system/sshd.service you will feel like a fool, because in sshd_config AuthorizedKeysCommand is commented out:-

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

and in /etc/systemd/system/sshd.service (that is, /lib/systemd/system/ssh.service) ExecStart looks like this:-

ExecStart=/usr/sbin/sshd -D $SSHD_OPTS

Nothing in there suggests that EC2 Instance Connect is in use. And systemd's selling proposition is standardization 😊

Let me check how Amazon Linux does it; I suspect this is very Ubuntu/Debian specific.

sshd itself provides Include /etc/ssh/sshd_config.d/*.conf as an override mechanism (OpenSSH 8.2 and later, so Ubuntu 20.04 has it), but a common dilemma for package maintainers and distro builders is whether to use the program's own mechanism or the system's. The two do not compose the way you might expect: sshd uses the first value it obtains for a keyword, and options passed with -o are processed before the config file is read, so nothing you put in sshd_config or sshd_config.d/ can undo what the systemd drop-in passes on the command line.

And in this case, at least, it is clear that the package maintainers preferred the system's mechanism.

Amazon Linux simply uses the sshd_config file (note the single % here; the %% above is only needed inside a unit file):-

AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect

Much clearer: no hidden magic, and sshd -T reports it. On Ubuntu, sshd -T reports authorizedkeyscommand none because it only reads the config files; only the arguments of the running process (ps -o args -C sshd, or systemctl show ssh -p ExecStart) reveal that EIC is wired in.
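To show why the Ubuntu arrangement is hard to audit from the config files alone, here is an added example of my own (not code from the post, from Ubuntu or from Amazon Linux) that models sshd's keyword resolution over constructed copies of both layouts described above: the first obtained value wins, -o arguments are processed before sshd_config, and Include globs are expanded in lexical order. The file contents are constructed from the fragments quoted in this post; the helper names (first_value, effective, ubuntu_running, ubuntu_sshd_T, amazon_linux) and the 50-no-keys-command.conf "hardening" drop-in are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a model of how sshd picks the
# value of a keyword, run against constructed copies of the Ubuntu and
# Amazon Linux layouts. Assumptions: the rule modelled is sshd's "first
# obtained value wins", with -o options applied before the config file and
# Include globs expanded in lexical order. Match blocks, "Key=value" syntax
# and leading whitespace are deliberately not modelled.
set -eu

SSHROOT=""   # prefix for /etc/ssh so the constructed trees stay under /tmp
KEY=""       # lower-cased keyword being resolved

# first_value FILE: print the first value of $KEY found in FILE, descending
# into Include directives where they appear; return 1 if it is absent.
first_value() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    set -f; set -- $line; set +f            # split fields without globbing
    k=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    if [ "$k" = include ]; then
      for pat in "$@"; do
        case $pat in /*) pat="$SSHROOT$pat" ;; *) pat="$SSHROOT/etc/ssh/$pat" ;; esac
        for inc in $pat; do                 # glob expansion, lexical order
          if [ -f "$inc" ] && first_value "$inc"; then return 0; fi
        done
      done
    elif [ "$k" = "$KEY" ]; then
      printf '%s\n' "$*"; return 0
    fi
  done < "$1"
  return 1
}

# effective KEYWORD [sshd args...]: the value sshd ends up using for KEYWORD
# given the command line it was started with.
effective() {
  KEY=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
  # -o values are applied before the file is read, so they are obtained first.
  while [ $# -gt 0 ]; do
    if [ "$1" = -o ] && [ $# -ge 2 ]; then
      ok=$(printf '%s' "${2%% *}" | tr 'A-Z' 'a-z')
      if [ "$ok" = "$KEY" ]; then printf '%s\n' "${2#* }"; return 0; fi
      shift 2
    else
      shift
    fi
  done
  first_value "$SSHROOT/etc/ssh/sshd_config" || echo "(not set, sshd default applies)"
}

# Constructed Ubuntu tree: stock sshd_config plus a well-meant drop-in that
# tries to switch the keys command off.
UBUNTU=$(mktemp -d); mkdir -p "$UBUNTU/etc/ssh/sshd_config.d"
cat > "$UBUNTU/etc/ssh/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
PasswordAuthentication no
EOF
printf 'AuthorizedKeysCommand none\n' > "$UBUNTU/etc/ssh/sshd_config.d/50-no-keys-command.conf"

# Constructed Amazon Linux tree: the directive lives in sshd_config itself.
AL=$(mktemp -d); mkdir -p "$AL/etc/ssh"
cat > "$AL/etc/ssh/sshd_config" <<'EOF'
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
EOF

# Ubuntu as actually started by the systemd drop-in (%% already expanded to %).
ubuntu_running() {
  SSHROOT=$UBUNTU
  effective "$1" -D \
    -o "AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f" \
    -o "AuthorizedKeysCommandUser ec2-instance-connect"
}
# Ubuntu as "sshd -T" would report it, since that only reads the files.
ubuntu_sshd_T() { SSHROOT=$UBUNTU; effective "$1"; }
amazon_linux()  { SSHROOT=$AL; effective "$1"; }

echo "Ubuntu, running sshd:          $(ubuntu_running AuthorizedKeysCommand)"
echo "Ubuntu, what 'sshd -T' shows:  $(ubuntu_sshd_T AuthorizedKeysCommand)"
echo "Amazon Linux:                  $(amazon_linux AuthorizedKeysCommand)"
```

The "hardening" drop-in wins in the file-only view and loses against the running daemon, which is exactly the gap between what a config audit sees and what sshd does on the Ubuntu image.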