It's a mixed bag, from what I've seen. Google, AWS and Azure all have different ways of doing this: SSH external commands [1], standalone daemons [2], PAM/NSS modules [3][4], in addition to bringing and using your own domain server [5].

Identity can range from baked in to provisioned just-in-time with all sorts of custom logic, relying on cloud-init, etc. Like everything else, there's a group of people that will reimage instead of SSH in, another group that will use an SSH CA for auditing, another that needs consistent uid/gid for file shares... and anything in between.

[1] https://github.com/aws/aws-ec2-instance-connect-config
[2] https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine/google_compute_engine/accounts
[3] https://packages.microsoft.com/ubuntu/18.10/prod/pool/main/a/aadlogin/
[4] https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/google-compute-engine-oslogin
[5] https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-rhel-linux-vm

________________________________________
From: paul <[email protected]>
Sent: Sunday, July 21, 2019 7:36 PM
To: [email protected]
Subject: Experiences with AWS's EC2 Instance Connect and Debian?

Hi all,

I'm looking for a better way to manage SSH users and saw EC2 Instance Connect, which is apparently the way the world is going, but it only officially supports Amazon Linux and Ubuntu. My current method for distributing users is baking them into the SOE and (piecemeal) updating later with Ansible. It's a little mucky.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html

Are any listizens currently using EC2 Instance Connect with Debian? I'm curious to know your thoughts. It looks a little needlessly complex, but it would mean managing users in IAM only instead of IAM + Ansible for me.

Cheers,
Paul Morahan
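To make the "SSH external commands" approach from the first reply concrete, here is an added example (not code from AWS, Google or the Instance Connect project): a hypothetical AuthorizedKeysCommand helper that reads a made-up JSON key document standing in for a metadata-service response, validates each key's wire format and expiry, and prints only what passes. The record format, the `_ed25519_line` helper and `SAMPLE_DOC` are all constructed for this example.

```python
"""Hypothetical AuthorizedKeysCommand helper (added example, not AWS's own
ec2-instance-connect code). sshd invokes it as
`AuthorizedKeysCommand /path/to/script %u`, running as the unprivileged
AuthorizedKeysCommandUser, and accepts whatever it prints as authorized_keys
lines, so the script validates and filters before printing anything."""
import base64
import json
import struct
import sys
import time

def parse_pubkey(line: str):
    """Return (keytype, blob) if `line` is a well-formed OpenSSH public key
    whose base64 blob really starts with the declared key type, else None."""
    fields = line.split()
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])      # first SSH string = key type
        if blob[4:4 + n].decode("ascii") != fields[0]:
            return None
    except (ValueError, struct.error):
        return None
    return fields[0], blob

def select_keys(doc: str, user: str, now: float):
    """Pick keys from the (hypothetical) JSON document that belong to `user`,
    have not expired, and parse cleanly; anything else is silently dropped."""
    out = []
    for rec in json.loads(doc):
        if rec.get("user") != user or rec.get("expires", 0) <= now:
            continue
        if parse_pubkey(rec.get("key", "")) is None:
            continue
        out.append(rec["key"])
    return out

def _ed25519_line(seed: int) -> str:
    """Constructed, structurally valid ssh-ed25519 line (not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed sample document standing in for a metadata-service response.
SAMPLE_DOC = json.dumps([
    {"user": "admin", "key": _ed25519_line(1), "expires": 4102444800},  # valid
    {"user": "admin", "key": _ed25519_line(2), "expires": 500},         # expired
    {"user": "admin", "key": "ssh-rsa " + _ed25519_line(2).split()[1], "expires": 4102444800},  # type mismatch
    {"user": "other", "key": _ed25519_line(3), "expires": 4102444800},  # other user
])

if __name__ == "__main__":
    for line in select_keys(SAMPLE_DOC, sys.argv[1], time.time()):
        print(line)
```

Running it as `script.py admin` prints exactly one key line; the expired, mistyped and other-user records never reach sshd.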
