cloud-init-dev team mailing list archive

Thread
Date

[Bug 1835114] Re: [MIR] ec2-instance-connect

To: cloud-init-dev@xxxxxxxxxxxxxxxxxxx
From: Seth Arnold <1835114@xxxxxxxxxxxxxxxxxx>
Date: Fri, 21 Feb 2020 04:01:49 -0000
Reply-to: Bug 1835114 <1835114@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This new version of ec2-instance-connect is significantly better, thanks
for all the work.

I was wrong about the dedicated user: using the ec2-instance-connect
user is definitely an improvement.

My one specific concern:

- AWS_SECRET_ACCESS_KEY (and the ability to get one) appears to be
available to all processes on the system. What does possession of this
secret key mean? The hypervisor may not care, a guest is a guest is a
guest, but users may care deeply. Do they?

And two generic concerns:

- Shell error handling is difficult. This code looks much safer than
before but the language is not helpful here.

- SSH access credentials are almost invisible: ps auxw | grep ssh will
show the flow, as will an inspection of
/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf , but these
are fairly subtle.

These last two issues are more business decisions than security purview.
Rewriting a tool isn't cheap and the work on this version was extensive.
And all this effort must surely be because users have wanted an out-of-
band authentication mechanism. Sufficiently advertising the new feature
would allay my concern that it's very subtle.

Thanks

-- 
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature:
  Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system.

  Installing the package enables the use of Instance Connect on an
  instance.

  [Security]
  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists in a few shell scripts that are difficult to test by
  themselves due to the high reliance on Amazon's Instance Connect service;
  which is online and limited to use on Amazon instances.

  Given that it's a new package, there are no long-term outstanding bugs in
  Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.

  This package deals with special "hardware"; it is only useful on Amazon
  instances, and its support is required as a default deployment on such
  instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration options.

  [Dependencies]
  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known.

  [Maintenance]
  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions

Follow ups

Re: [Bug 1835114] Re: [MIR] ec2-instance-connect
From: Balint Reczey, 2020-02-25