cloud-init-dev team mailing list archive

Thread
Date
[Bug 1835114] Re: [MIR] ec2-instance-connect

To: cloud-init-dev@xxxxxxxxxxxxxxxxxxx
From: Seth Arnold <1835114@xxxxxxxxxxxxxxxxxx>
Date: Thu, 20 Feb 2020 01:14:12 -0000
Reply-to: Bug 1835114 <1835114@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
The hex encoded version of the key is also passed to openssl:

$ echo abcdef0123456789 | /usr/bin/od -A n -t x1 | /bin/sed ':a;N;$!ba;s/[\n ]//g'
616263646566303132333435363738390a
$ aa-decode 616263646566303132333435363738390a
Decoded: abcdef0123456789


# Sign a message with a given key
# sign [key] [msg]
sign () {
    /usr/bin/printf "${2}" | /usr/bin/openssl dgst -binary -hex -sha256 -mac HMAC -macopt hexkey:"${1}" | /bin/sed 's/.* //'
}

(See the hexkey: parameter)

This appears to come via:

AWS_SECRET_ACCESS_KEY=$(/bin/echo "${creds}" | /bin/sed -n
's/.*"SecretAccessKey" : "\(.*\)",/\1/p')


which is from:

creds=$(/usr/bin/curl -s -f -m 1 -H "X-aws-ec2-metadata-token:
${IMDS_TOKEN}" "http://169.254.169.254/latest/meta-data/identity-
credentials/ec2/security-credentials/ec2-instance/")

and IMDS_TOKEN appears to come from:

IMDS_TOKEN="$(/usr/bin/curl -s -f -m 1 -X PUT
"http://169.254.169.254/latest/api/token"; -H "X-aws-ec2-metadata-token-
ttl-seconds: 5")"

Replacing the echo binary with a shell built-in wouldn't hide this key
well.

Can any process on the system simply request such a token itself from
the aws metadata service?

What does knowledge of this key represent?

Thanks

-- 
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature:
  Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system.

  Installing the package enables the use of Instance Connect on an
  instance.

  [Security]
  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists in a few shell scripts that are difficult to test by
  themselves due to the high reliance on Amazon's Instance Connect service;
  which is online and limited to use on Amazon instances.

  Given that it's a new package, there are no long-term outstanding bugs in
  Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.

  This package deals with special "hardware"; it is only useful on Amazon
  instances, and its support is required as a default deployment on such
  instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration options.

  [Dependencies]
  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known.

  [Maintenance]
  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions