cloud-init-dev team mailing list archive

Thread
Date
[Bug 1835114] Re: [MIR] ec2-instance-connect

To: cloud-init-dev@xxxxxxxxxxxxxxxxxxx
From: Ryan Harper <1835114@xxxxxxxxxxxxxxxxxx>
Date: Fri, 07 Feb 2020 16:51:27 -0000
Reply-to: Bug 1835114 <1835114@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
>From a cloud-init perspective, one area of concern is around
manipulation of sshd config.

Cloud-init does make changes to sshd config, in particular it controls
the PasswordAuthentication value based on cloud-config values,
ssh_pwauth: <yes/no/unchanged>.

Cloud-init will read in sshd, update a key/value and write out the file
and then restart the service.  See the code for details.

https://github.com/canonical/cloud-
init/blob/master/cloudinit/config/cc_set_passwords.py#L97

The second area of concern user confusion.  Typical work-flows for
cloud-init user-data include importing and setting ssh keys for users.
In the ec2-instance-connect workflow; the user-data cloud-init writes to
the instance won't actually be used, rather ec2-instance-connect will
query ec2 for what the current set of authorized keys.  The sshd man
page suggests that if the response does not include output that can
verify the key it will fallback to reading .ssh keys.  It's not clear to
me (or users) which keys were used to authorize access to the system.

I would also express additional concern in the area of time to ssh into
instances; with this feature enabled, there is additional overhead for
each and every ssh connection.

-- 
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature:
  Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system.

  Installing the package enables the use of Instance Connect on an
  instance.

  [Security]
  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists in a few shell scripts that are difficult to test by
  themselves due to the high reliance on Amazon's Instance Connect service;
  which is online and limited to use on Amazon instances.

  Given that it's a new package, there are no long-term outstanding bugs in
  Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.

  This package deals with special "hardware"; it is only useful on Amazon
  instances, and its support is required as a default deployment on such
  instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration options.

  [Dependencies]
  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known.

  [Maintenance]
  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions