Allowing root access in AMIs created/derived from Amazon Linux AMIs

Short answer: Edit /etc/cloud/cloud.cfg and set disable_root: 0, and in /etc/ssh/sshd_config set PermitRootLogin to without-password.

There are a lot of people asking on the AWS forums, and elsewhere, about how to make AMIs derived from Amazon Linux AMIs, such that the users of the derived AMI can launch an instance and allow the root user to log in via SSH.

But, the way Amazon Linux AMIs are configured, the root user is greeted with a message like 'Please login as ec2-user rather than root user' and the connection is terminated after 10 seconds.

The reasoning behind this setup is that allowing root login over SSH opens up the instance to vulnerabilities. At the same time, the recommended solution is to log in as ec2-user and do a `sudo su -` to gain root access.

I find it bogus to disallow root access over SSH and then allow ec2-user to access root account without any restrictions!!! And mind you, all access is using public/private keypairs generated and supposedly handled carefully by the user.

If anything, they should document how to deny root access to the ec2-user, if so desired by the AMI creator.

Okay, now the technical guts of how to fix this situation.

The reason behind that message upon root SSH login is that the file /root/.ssh/authorized_keys contains a 'command' prefix to the authorized key, similar to:

command="echo Please login as ec2-user user rather than root; sleep 10; exit 0" ssh-rsa AAP...

Even after you remove the 'command' and everything before the 'ssh-rsa', the /etc/ssh/sshd_config has a setting that will disallow root login.

And even if you fix all this, you will discover that when you bundle up an AMI from your instance (which is created from an Amazon Linux AMI) and launch the instance from this derived AMI, you will be back to square one, since the /root/.ssh/authorized_keys will again contain the same 'command=' prefix!

So here's how to fix this:

Launch an instance from Amazon Linux AMI, and do whatever customization you want. When you are ready to create an AMI (derived AMI) from this instance, run the following 4 commands, and the instances created from your derived AMI will not have this problem:

$ sudo perl -i -pe 's/disable_root: 1/disable_root: 0/' /etc/cloud/cloud.cfg
$ sudo perl -i -pe 's/#PermitRootLogin .*/PermitRootLogin without-password/' /etc/ssh/sshd_config
$ sudo perl -i -pe 's/.*(ssh-rsa .*)/\1/' /root/.ssh/authorized_keys
$ sudo /etc/init.d/sshd reload # optional command

  1. Ask the EC2 node configuration scripts installed on the AMI to not disable root login.
  2. Ask sshd daemon to allow password-less (but public-key based) root logins.
  3. Strip the 'command=...' prefix from root user's authorized_keys.
  4. Reload sshd so that the sshd_config change takes effect.

Commands 3 and 4 are really necessary only if you want to login into your current instance (created from Amazon Linux AMI) using root login. The first two commands are sufficient to allow SSH based root login into instances of your derived AMI.
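
As an added example (not part of the original post), here is a read-only check that reports the three settings discussed above, so an image can be reviewed before it is bundled. The function names and the sample files are this example's own; the sample files are constructed and the key material is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): report the three settings the
# post changes, so an image can be checked before it is bundled as an AMI.

# cloud.cfg: treated as "disabled" unless disable_root is explicitly 0/false.
cloud_root_state() {
    if grep -Eiq '^[[:space:]]*disable_root:[[:space:]]*(0|false)[[:space:]]*$' "$1"
    then echo allowed; else echo disabled; fi
}

# sshd_config: sshd uses the first uncommented PermitRootLogin it reads.
# Simplification: Match blocks are not interpreted.
sshd_root_setting() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# authorized_keys: count keys that still carry a forced command="..." option.
forced_command_keys() {
    grep -Ec '^[^#]*command="' "$1" || true
}

audit_root_ssh() {  # $1=cloud.cfg  $2=sshd_config  $3=authorized_keys
    echo "cloud-init=$(cloud_root_state "$1") sshd=$(sshd_root_setting "$2") forced=$(forced_command_keys "$3")"
}

# Constructed sample files: "stock" mimics the state the post describes,
# "fixed" the state after its commands. The key material is a placeholder.
make_samples() {  # $1 = directory to write into
    mkdir -p "$1/stock" "$1/fixed"
    printf 'disable_root: 1\n' > "$1/stock/cloud.cfg"
    printf '#PermitRootLogin yes\n' > "$1/stock/sshd_config"
    printf 'command="echo Please login as ec2-user; sleep 10; exit 0" ssh-rsa AAAA_PLACEHOLDER\n' > "$1/stock/authorized_keys"
    printf 'disable_root: 0\n' > "$1/fixed/cloud.cfg"
    printf 'PermitRootLogin without-password\n' > "$1/fixed/sshd_config"
    printf 'ssh-rsa AAAA_PLACEHOLDER\n' > "$1/fixed/authorized_keys"
}

d=$(mktemp -d)
make_samples "$d"
for s in stock fixed; do
    echo "$s: $(audit_root_ssh "$d/$s/cloud.cfg" "$d/$s/sshd_config" "$d/$s/authorized_keys")"
done
rm -rf "$d"
```

On a real instance, call audit_root_ssh with /etc/cloud/cloud.cfg, /etc/ssh/sshd_config and /root/.ssh/authorized_keys (the last needs root to read).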

How to use MTP on Google's Galaxy Nexus in Linux

Short answer: You don't have to use MTP; you can use PTP.

By now it is no secret that Galaxy Nexus does not mount as USB mass storage for some wise technical decisions made by the Nexus developers. Now there are plenty of posts floating around on how to install software in Linux to enable MTP access so that you can access the files from your Linux.

None of those worked for me, partly because of the fact that I am running Linux-Mint 10, and the libmtp that comes for this version is outdated. I can do some hacking to update my version of libmtp, and hopefully work. But, as much as I love Linux, and OSS in general, I hate to give out instructions that require compiling, editing config files, etc.

So the simplest solution that worked for me was to use PTP instead of MTP. Choosing this option causes my Nautilus file explorer to immediately identify the phone as a photo source. And voila, you can now open a file explorer and browse, add, remove files from the phone.

Savor the screenshots to get an idea how easy it is to use PTP to access the files as compared to compiling code and what-not.




How to play a long MP3 on Android alarm

I recently bought a Samsung Galaxy Nexus; Google's flagship Android phone, sporting the latest Ice Cream Sandwich. Suffice it to say that I am simply in love with this device.

I wanted to play recordings of Japji Sahib and Rehraas Sahib every morning and evening, respectively. These are about 22 minutes long each, and they should be played exactly once, and the player should stop after the play.

If your MP3 file is shorter than 10 minutes, then the standard 'Clock' App can play your MP3 without issues. You just have to create a folder named "alarm" on the storage card and place your MP3 files there, and they'd magically appear in the "ringtone" choices when creating an alarm.

There's a lot of material already floating around the 'net for doing this: www.google.com/search?q=android+alarm+MP3

There are a few problems with everything I've seen so far:
  • The default Clock's alarm runs for only 10 minutes.
    This is not ideal if you have a song/track longer than 10 minutes. And if it is shorter than 10 minutes, I think the song will be looped.
  • Any other alarm/clock app runs the MP3 in a loop.
    This is not ideal if you want to run your MP3 only once and then stop.
  • 'AlarmDroid' lets you stop the alarm (MP3 song) after a set number of minutes (Advanced > Ringer Duration).
    The problem with AlarmDroid is that it hogs the screen, and won't let you use any other app until either you dismiss the alarm, or the alarm times out after the duration you've set. Yet another minor issue is that since the granularity of auto-dismiss is in minutes, the song loops for a few seconds after the first run, before the auto-dismiss actually stops the alarm. I used AlarmDroid until I found the perfect solution.

None of the alarm apps allowed me to do what I wanted. So I started looking for some customizable way of launching the Music app on my own, and finally I found AppAlarm.

AppAlarm allows you to launch any app on an alarm. So I could create a playlist that has just one song, and then use AppAlarm to play that playlist using the Music App. By default the Music app will not loop the songs, but if you were using the Music app and you configured the app to either 'Repeat All' or 'Repeat One' setting then the Music app will loop (repeat) the alarm song too.

So here's how to get it done. In the Music app create a playlist with just one song that you want to play when the alarm goes off. Launch AppAlarm, and 'Add New Alarm'; 'Enable' the alarm and tap on 'App to Launch'; choose 'Create Shortcut', choose 'Music Playlist', and select the playlist you just created above. On the resulting dialog box, click 'Select App' and scroll down to select the 'Music' app from the list. Choose time, repeat everyday, etc. settings to your taste, and you are done.