cloud-init-dev team mailing list archive
-
cloud-init-dev team
-
Mailing list archive
-
Message #07314
Re: [Bug 1835114] Re: [MIR] ec2-instance-connect
Hi Seth,
Thanks for the new review.
On Fri, Feb 21, 2020 at 5:15 AM Seth Arnold <1835114@xxxxxxxxxxxxxxxxxx> wrote:
>
> This new version of ec2-instance-connect is significantly better, thanks
> for all the work.
>
> I was wrong about the dedicated user: using the ec2-instance-connect
> user is definitely an improvement.
>
> My one specific concern:
>
> - AWS_SECRET_ACCESS_KEY (and the ability to get one) appears to be
> available to all processes on the system. What does possession of this
> secret key mean? The hypervisor may not care, a guest is a guest is a
> guest, but users may care deeply. Do they?
This is a temporary key and it is indeed available to everyone being
able to run curl on the system:
https://www.reddit.com/r/aws/comments/85vkq6/question_about_accesskeyid_secretaccesskey_in/
The package does not change the availability of the key, so I believe
this is not a concern regarding the package, but a general concern
regarding EC2 instances.
> And two generic concerns:
>
> - Shell error handling is difficult. This code looks much safer than
> before but the language is not helpful here.
>
> - SSH access credentials are almost invisible: ps auxw | grep ssh will
> show the flow, as will an inspection of
> /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf , but these
> are fairly subtle.
>
> These last two issues are more business decisions than security purview.
> Rewriting a tool isn't cheap and the work on this version was extensive.
> And all this effort must surely be because users have wanted an out-of-
> band authentication mechanism. Sufficiently advertising the new feature
> would allay my concern that it's very subtle.
Can I take this as an OK for the MIR, from the Security Team?
Thanks,
Balint
>
> Thanks
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1835114
>
> Title:
> [MIR] ec2-instance-connect
>
> Status in ec2-instance-connect package in Ubuntu:
> Incomplete
>
> Bug description:
> [Availability]
> ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.
>
> [Rationale]
> This package is useful on Amazon EC2 instances to make use of a new feature:
> Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system.
>
> Installing the package enables the use of Instance Connect on an
> instance.
>
> [Security]
> This is a new package, and as such has no security history to speak of.
>
> [Quality Assurance]
> The package consists in a few shell scripts that are difficult to test by
> themselves due to the high reliance on Amazon's Instance Connect service;
> which is online and limited to use on Amazon instances.
>
> Given that it's a new package, there are no long-term outstanding bugs in
> Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.
>
> This package deals with special "hardware"; it is only useful on Amazon
> instances, and its support is required as a default deployment on such
> instances when deployed with Ubuntu.
>
> [UI Standards]
> Not applicable. This service is command-line only and has no configuration options.
>
> [Dependencies]
> There are no special dependencies to speak of.
>
> [Standards Compliance]
> This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known.
>
> [Maintenance]
> This package is to be owned by the Ubuntu Foundations team.
>
> [Background Information]
> This is Amazon-specific, as previously mentioned.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions
--
Balint Reczey
Ubuntu & Debian Developer
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
Status in ec2-instance-connect package in Ubuntu:
Incomplete
Bug description:
[Availability]
ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.
[Rationale]
This package is useful on Amazon EC2 instances to make use of a new feature:
Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system.
Installing the package enables the use of Instance Connect on an
instance.
[Security]
This is a new package, and as such has no security history to speak of.
[Quality Assurance]
The package consists in a few shell scripts that are difficult to test by
themselves due to the high reliance on Amazon's Instance Connect service;
which is online and limited to use on Amazon instances.
Given that it's a new package, there are no long-term outstanding bugs in
Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.
This package deals with special "hardware"; it is only useful on Amazon
instances, and its support is required as a default deployment on such
instances when deployed with Ubuntu.
[UI Standards]
Not applicable. This service is command-line only and has no configuration options.
[Dependencies]
There are no special dependencies to speak of.
[Standards Compliance]
This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known.
[Maintenance]
This package is to be owned by the Ubuntu Foundations team.
[Background Information]
This is Amazon-specific, as previously mentioned.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions
Follow ups
References
