On 7/22/19 4:36 AM, paul wrote: > Hi all, > > I'm looking for a better way to manage SSH users and saw EC2 Instance > Connect which is apparently the way the world is going, but it only > officially supports Amazon Linux and Ubuntu. My current method for > distributing users is baking them into the SOE and (piecemeal) updating > later with Ansible. It's a little mucky. > > https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html > > > Are any listizens currently using EC2 Instance Connect with Debian? I'm > curious to know your thoughts. It looks a little needlessly complex but > it would mean managing users in IAM only instead of IAM + Ansible for me. > > Cheers, > > Paul Morahan > >
Hi Paul, I have nothing against this, though we'd need ec2-instance-connect to be in Debian. Currently, upstream packaging isn't optimal either (see for example the weirdo Pre-Depends: adduser in it, Homepage: field being defined in the wrong section, no build-depends, wrong postinst way to manage the .service, wrong way to package the .service file, etc.). So if we write a policy compliant package, get this in Debian, then why not having ec2-instance-connect in the default Debian AWS image? This may only happen when Bullseye gets released though, since that new package wont be in Buster. BTW, I hate the default Ansible ssh user handling, where you define users that you want to add or remove, instead of a set of users that you want to be authorized. This is in many ways backward. For this reason, we're sticking to our puppet definition of authorized_keys, so we don't have the risk to forget removing a user. Cheers, Thomas Goirand (zigo)
