cloud-init-dev team mailing list archive

Thread
Date
[Bug 1835114] Re: [MIR] ec2-instance-connect

To: cloud-init-dev@xxxxxxxxxxxxxxxxxxx
From: Seth Arnold <1835114@xxxxxxxxxxxxxxxxxx>
Date: Wed, 19 Feb 2020 03:47:16 -0000
Reply-to: Bug 1835114 <1835114@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
That's got to be my one super-power -- asking a question and finding out
that no, I didn't find a bug, but by asking the question someone *else*
spots a bug.

How about this?

# Derive a sigv4 signing key for the given secret
# get_sigv4_key [key] [datestamp] [region name] [service name]
getsigv4key () {
    base="$(/bin/echo -n "AWS4${1}" | /usr/bin/od -A n -t x1 | /bin/sed ':a;N;$!ba;s/[\n ]//g')"
    kdate="$(sign "${base}" "${2}")"
    kregion="$(sign "${kdate}" "${3}")"
    kservice="$(sign "${kregion}" "${4}")"
    sign "${kservice}" "aws4_request"
}


This appears to execute /bin/echo with a key as a parameter, where it may be visible to ps(1) output or /proc/*/cmdline.

What's the consequences of exposing this key to all users on the
computer?

Thanks

-- 
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature:
  Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system.

  Installing the package enables the use of Instance Connect on an
  instance.

  [Security]
  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists in a few shell scripts that are difficult to test by
  themselves due to the high reliance on Amazon's Instance Connect service;
  which is online and limited to use on Amazon instances.

  Given that it's a new package, there are no long-term outstanding bugs in
  Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.

  This package deals with special "hardware"; it is only useful on Amazon
  instances, and its support is required as a default deployment on such
  instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration options.

  [Dependencies]
  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known.

  [Maintenance]
  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions