Chris Bunch's questions

I have a daemon sitting in my root directory that currently is being run as root. However, since this program can read the file system, this is clearly a security problem. How can I run it as nobody so that I can resolve this problem?

Doing "su - nobody -c /root/myscript" doesn't work, returning a permission denied error. The only ways I can seem to get around this are:

1. Chmod -R 777 /root, which I don't want to do on my root dir and also messes up ssh.
2. Move the script to /opt or /var and then do (1)

Of course, there may be an easy solution that I'm missing. I can chown it to nobody but that doesn't fix the problem either. Any ideas?

I would like to be able to ssh into my node and then run software that for its own purposes, ssh's into other machines and itself. It assumes that ssh keys are set up already so it cannot take the -i flag and use that.

I have a working Xen setup where this works fine: all I had to do was scp my private key to .ssh/id_rsa and the public part to .ssh/id_rsa.pub (which I can recover in EC2 since it's in .ssh/authorized_keys).

This same setup simply doesn't work in EC2. I've verified that /etc/ssh/sshd_config and /etc/ssh/ssh_config are the same on my Xen box that works and the EC2 box that does not.

The base AMI I'm using is ami-1774927e, the Alestic.com image containing a fresh Ubuntu Hardy install. Naturally, port 22 is open in my security group for ssh traffic.

Any ideas on what I'm doing wrong?

EDIT: Based on womble's advise and advise on the Amazon EC2 forums, here's extra information that may be helpful:

sshd_config and ssh_config are the same on my Xen and EC2 boxes (and are the default ones shipped with the Alestic ami specified earlier), and I'm not using any command line options. ssh-agent isn't running, and there are no other ssh keys on the machine. I'm only logging in as root, and most importantly, I can log into my EC2 box from the same box if I use -i when the keyname isn't id_rsa.

When I use the -i flag, the tail end of ssh -v looks like this:

debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ec2scale.key
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Mon Jul  6 23:42:49 2009 from 127.0.0.1
Linux (none) 2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:34:28 EST 2008 x86_64
... and so on ...

But when I don't use the -i flag, I get this:

debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

I've diff'ed the keys and they are identical, and I can see that the server accepts my id_rsa key above but just that the auth doesn't go through. Checking out /var/log/auth.log shows just this when I log in:

Jul  6 23:46:09 ip-10-244-50-159 sshd[1354]: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)

Which I can use openssl to see the error code of:

root@ip:~# openssl errstr 0407006A
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 

But I'm not sure how I can use that to help my problem.

By default, all ports are closed in EC2 until a user opens them up. I would like to keep this behavior but also open up all ports for internal usage (that is, EC2 nodes can communicate with each other on any port but not with the outside world).

The documentation on EC2 security groups does not specify if this is the default behavior or how one would go about doing this. The command line tools provide a way to do this but only if I make each node its own security group and then allow only the groups to talk to each other.

Do you know how I would be able to use the EC2 tools to allow all traffic between nodes in EC2 (or documentation that could help)?

I have about a dozen Linux boxes that I occasionally need to run the same command(s) on. Is there an easier way (or automated way) to do this asides from logging on to each machine and running the command, one at a time? It's not the same commands all the time and it's not at a preset time so it's not something ideal for tools like cron.

I have a disk image that is running under Xen right now and I'd like to port it to Amazon's EC2. How can I do this in a way that is as simple as possible? I've got a script that can build the finished image from a brand new image if this helps.