From 41a682ac2229d39ebe3c0b021f76db80b821de83 Mon Sep 17 00:00:00 2001
From: "Patrick J.P. Culp"
Date: Wed, 4 Aug 2021 17:40:37 +0000
Subject: [PATCH 1/2] Add support for custom username
---
 Dockerfile | 3 ---
 README.md | 11 +++++++++++
 ec2-user.sudoers | 1 -
 start_admin_sshd.sh | 20 +++++++++++++++-----
 4 files changed, 26 insertions(+), 9 deletions(-)
 delete mode 100644 ec2-user.sudoers
diff --git a/Dockerfile b/Dockerfile
index 844d57f..94684db 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -57,16 +57,13 @@ COPY --from=builder /opt/bash /opt/bin/
 RUN rm -f /etc/motd /etc/issue
 ADD --chown=root:root motd /etc/
-ADD --chown=root:root ec2-user.sudoers /etc/sudoers.d/ec2-user
 ADD start_admin_sshd.sh /usr/sbin/
 ADD ./sshd_config /etc/ssh/
 ADD ./sheltie /usr/bin/
-RUN chmod 440 /etc/sudoers.d/ec2-user
 RUN chmod +x /usr/sbin/start_admin_sshd.sh
 RUN chmod +x /usr/bin/sheltie
 RUN groupadd -g 274 api
-RUN useradd -m -G users,api ec2-user
 CMD ["/usr/sbin/start_admin_sshd.sh"]
 ENTRYPOINT ["/bin/bash", "-c"]
diff --git a/README.md b/README.md
index 163843c..b68f893 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,17 @@ To change allowed SSH ciphers to a specific set, you can add a ciphers section:
 }
 ```
+By default, the admin container's local user will be `ec2-user`. If you would like to change this, you can set the user value like so:
+
+```
+{
+ "user": "bottlerocket",
+ "ssh": {
+ "authorized-keys...",
+ }
+}
+```
+
 Once you've created your JSON, you'll need to base64-encode it and set it as the value of the admin host container's user-data setting in your [instance user data toml](https://github.com/bottlerocket-os/bottlerocket#using-user-data).
 ```
diff --git a/ec2-user.sudoers b/ec2-user.sudoers
deleted file mode 100644
index 1b07941..0000000
--- a/ec2-user.sudoers
+++ /dev/null
@@ -1 +0,0 @@
-ec2-user ALL=(ALL) NOPASSWD: ALL
diff --git a/start_admin_sshd.sh b/start_admin_sshd.sh
index 79fc3f8..0f4e081 100644
--- a/start_admin_sshd.sh
+++ b/start_admin_sshd.sh
@@ -2,11 +2,21 @@
 set -e
+log() {
+ echo "$*" >&2
+}
+
 declare -r PERSISTENT_STORAGE_BASE_DIR="/.bottlerocket/host-containers/current"
 declare -r SSH_HOST_KEY_DIR="${PERSISTENT_STORAGE_BASE_DIR}/etc/ssh"
 declare -r USER_DATA="${PERSISTENT_STORAGE_BASE_DIR}/user-data"
-declare -r LOCAL_USER="ec2-user"
+# Fetch user from user-data json (if any). Default to 'ec2-user' if null or invalid.
+if ! LOCAL_USER=$(jq -e -r '.["user"] // "ec2-user"' "${USER_DATA}" 2>/dev/null) \
+|| [[ ! "${LOCAL_USER}" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
+ log "Failed to set user from user-data. Proceeding with 'ec2-user'."
+ LOCAL_USER="ec2-user"
+fi
+
 declare -r USER_SSH_DIR="/home/${LOCAL_USER}/.ssh"
 declare -r SSHD_CONFIG_DIR="/etc/ssh"
 declare -r SSHD_CONFIG_FILE="${SSHD_CONFIG_DIR}/sshd_config"
@@ -15,10 +25,6 @@ declare -r SSHD_CONFIG_FILE="${SSHD_CONFIG_DIR}/sshd_config"
 # one of the methods below is available.
 declare -i available_auth_methods=0
-log() {
- echo "$*" >&2
-}
-
 get_user_data_keys() {
 # Extract the keys from user-data json
 local raw_keys
@@ -63,6 +69,10 @@ EOF
 chmod 644 "${proxy_profile}"
 }
+# Create local user
+echo "${LOCAL_USER} ALL=(ALL) NOPASSWD: ALL" > "/etc/sudoers.d/${LOCAL_USER}"
+chmod 440 "/etc/sudoers.d/${LOCAL_USER}"
+useradd -m -G users,api "${LOCAL_USER}"
 mkdir -p "${USER_SSH_DIR}"
 chmod 700 "${USER_SSH_DIR}"
From 8c4026a134791b051d5f3fcda359619f34d29bb3 Mon Sep 17 00:00:00 2001
From: "Patrick J.P. Culp"
Date: Thu, 5 Aug 2021 20:28:06 +0000
Subject: [PATCH 2/2] Clean up README
---
 README.md | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index b68f893..b679def 100644
--- a/README.md
+++ b/README.md
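Review bot: `LOCAL_USER` loses its readonly attribute in this hunk: the removed `declare -r LOCAL_USER="ec2-user"` is replaced by plain assignments inside the `if`, so nothing later in the script prevents reassigning the name from which the sudoers entry, the home directory and `USER_SSH_DIR` are derived. A `declare -r LOCAL_USER` directly after `fi` restores that guarantee without touching the validation. The allow-list also accepts names that already exist in the image's passwd (`root` passes the regex), which only surfaces later when `useradd` fails under `set -e`; adding `|| getent passwd "${LOCAL_USER}" >/dev/null` to the same condition would route such values through the existing log-and-fallback path instead. If the container can run under a non-C locale, the `[a-z]` ranges in the `=~` test are safer written as `^[[:lower:]_][[:lower:][:digit:]_-]{0,31}$`; whether that applies depends on the image's locale setup, which is not visible here.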
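Review bot: The `NOPASSWD: ALL` sudoers file for `${LOCAL_USER}` is written and chmod'ed before `useradd` has confirmed that the name is new; if `useradd` fails (for instance on a name that already exists in the image, which the validation earlier in the file does not reject), `set -e` aborts the script but `/etc/sudoers.d/${LOCAL_USER}` has already granted unrestricted sudo to whatever account holds that name. Move `useradd -m -G users,api "${LOCAL_USER}"` above the `echo` so the grant is only written for an account this script created; since the abort presumably also prevents sshd from starting the exposure looks bounded, but the ordering should not rely on that. `useradd -m` also takes the home base from the image's useradd defaults, while `USER_SSH_DIR` hard-codes `/home/${LOCAL_USER}`; passing `-d "/home/${LOCAL_USER}"` keeps the two consistent. The top-level statement run this hunk belongs to continues outside the hunk.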
@@ -23,24 +23,24 @@ To use custom public keys for `.ssh/authorized_keys` and/or custom CA keys for `
 ```
 {
- "ssh":{
- "authorized-keys":[
- "ssh-rsa EXAMPLEAUTHORIZEDPUBLICKEYHERE my-key-pair"
- ],
- "trusted-user-ca-keys":[
- "ssh-rsa EXAMPLETRUSTEDCAPUBLICKEYHERE authority@ssh-ca.example.com"
- ]
- }
+ "ssh": {
+ "authorized-keys": [
+ "ssh-rsa EXAMPLEAUTHORIZEDPUBLICKEYHERE my-key-pair"
+ ],
+ "trusted-user-ca-keys": [
+ "ssh-rsa EXAMPLETRUSTEDCAPUBLICKEYHERE authority@ssh-ca.example.com"
+ ]
+ }
 }
 ```
 If you want to access to the admin container using [EC2 instance connect](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html), set `authorized-keys-command` and `authorized-keys-command-user` as follows:
 ```
 {
- "ssh": {
- "authorized-keys-command": "/opt/aws/bin/eic_run_authorized_keys %u %f",
- "authorized-keys-command-user": "ec2-instance-connect"
- }
+ "ssh": {
+ "authorized-keys-command": "/opt/aws/bin/eic_run_authorized_keys %u %f",
+ "authorized-keys-command-user": "ec2-instance-connect"
+ }
 }
 ```
@@ -48,7 +48,7 @@ To change allowed SSH ciphers to a specific set, you can add a ciphers section:
 ```
 {
- "ssh":{
+ "ssh": {
 "authorized-keys...",
 "ciphers": [
 "chacha20-poly1305@openssh.com",