[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
At a high level I'm concerned about several parts of this tool's design:

- First, it puts an incredibly high level of trust in the metadata service. This may make sense in the context of executing on the Amazon platform, but is positively dangerous outside the Amazon platform. It's extremely risky in the event that someone's networking routes are incorrect on AWS -- consider a VPN that is configured to send 1.0.0.0/1 and 128.0.0.0/1 to a remote peer, in order to send *all* data elsewhere. This tool will directly execute anything returned from the metadata service with no logging or accounting or access controls. This is far beyond what users may reasonably expect: that this would manage authorized_keys and nothing else. The pervasive use of eval is inappropriate.

- Second, this is implemented in shell and is beyond the complexity level appropriate to shell. Many of the commands in shell pipelines could fail without the scripts noticing. (It's a significantly smaller point, but the CPU and disk use of this tool would be larger than a purpose-built executable in a higher-level language like Go, Python, etc.)

- Third, this is re-implementing much of the functionality of the OpenSSH certificate support introduced in 2010. What features does this provide that are not present in OpenSSH already?

- Fourth, shellcheck found many issues, most of which deserve to be fixed. There are repeated instances of missing "" quotes around variables.

Some of the issues in the programs:

- Incorrect use of printf in eic_harvest_hostkeys -- variables interpolated into the format string.
- eic_harvest_hostkeys uses eval for string to number conversion, rather than using string comparisons
- eic_harvest_hostkeys uses eval to execute something straight from the metadata service
- what does awk '{$1=$1};1' do? Why use cat? This should work: key="$(< "$file")"
- what's the point of unsetting environment variables when bash is exiting?
- eic_parse_authorized_keys uses CN string comparisons -- why? Is this a useful security control? If the openssl command fails entirely, the CN string check is bypassed. Is this a problem?
- eic_parse_authorized_keys appears to use $tmpdir extensively but if none is given on the command line, it does not fail. Probably its behaviour if -d tmpdir is forgotten will be poor. There's no trap to clean up temporary files or directories on unexpected exits.
- eic_parse_authorized_keys: if CN contains \r \n \t \v whitespace tokens can be inserted into future command lines via use of 'echo'. Other escape sequences may have other consequences.
- eic_parse_authorized_keys use of hardcoded /tmp/sigline is a security vulnerability on kernels without protected symlinks support.
- eic_parse_authorized_keys doesn't check if fingerprint's commands succeed
- eic_parse_authorized_keys doesn't have else clauses if the base64 or the openssl dgst commands don't work
- eic_curl_authorized_keys uses eval for string to number conversion
- eic_curl_authorized_keys uses eval to execute something straight from metadata service
- eic_curl_authorized_keys unused variables: signerkeyfile keysfile
- eic_curl_authorized_keys calling into $DIR/eic_parse_authorized_keys with the complicated mechanism to pass openssl commands, tmpdir, etc looks very brittle and prone to error under maintenance

And some issues in the packaging:

- Why does the preinst install a user? I don't believe I saw it used
- prerm could skip the ls -A check and run rmdir --ignore-fail-on-non-empty /lib/systemd/system/ssh.service.d

This program has grown beyond what's appropriate for shell scripts. Furthermore, I believe OpenSSH certificates are the better solution to the problem that this program is addressing. I strongly recommend using the OpenSSH certificates instead.

I don't believe that we should ship this package with Ubuntu.

Thanks

-- 
You received this bug notification because you are a member of cloud-init commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature: Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system. Installing the package enables the use of Instance Connect on an instance.

  [Security]
  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists in a few shell scripts that a
[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
** Attachment added: "shellcheck.txt"
   https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+attachment/5282470/+files/shellcheck.txt

** Changed in: ec2-instance-connect (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of cloud-init commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature: Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system. Installing the package enables the use of Instance Connect on an instance.

  [Security]
  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists in a few shell scripts that are difficult to test by themselves due to the high reliance on Amazon's Instance Connect service; which is online and limited to use on Amazon instances.

  Given that it's a new package, there are no long-term outstanding bugs in Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.

  This package deals with special "hardware"; it is only useful on Amazon instances, and its support is required as a default deployment on such instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration options.

  [Dependencies]
  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known.

  [Maintenance]
  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions

___
Mailing list: https://launchpad.net/~cloud-init-dev
Post to     : cloud-init-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~cloud-init-dev
More help   : https://help.launchpad.net/ListHelp
[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
If this is going to be addressed via code changes rather than a rewrite, I'd like to suggest the following order:

- remove all evals
- add set -o pipefail to help catch errors in pipelines
- add set -u to help catch unset variables
- replace /tmp/sigline with mktemp -d

Thanks

-- 
Status in ec2-instance-connect package in Ubuntu: Expired
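Added example, not part of the thread and not code from ec2-instance-connect: one way to apply the changes suggested above, together with the printf and /tmp/sigline findings from the first review, in POSIX sh. The function names and the sample values are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not ec2-instance-connect code. All names are hypothetical.
set -u   # referencing an unset variable is an error, not an empty string

LAST_SIGLINE_DIR=

# Accept only a plain decimal number. A case pattern compares text and
# never executes it, unlike eval-based "string to number" conversion.
is_uint() {
    case "${1:-}" in
        '' | *[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print untrusted text with a constant format string, so '%' and '\'
# sequences inside the data are emitted literally.
safe_print() {
    printf '%s\n' "${1:-}"
}

# Run "$@ <dir>" with a private scratch directory instead of a fixed
# /tmp/sigline. mktemp -d picks an unpredictable name and creates the
# directory with mode 0700, so another local user cannot pre-create the
# path or plant a symlink there. The directory is removed on return and
# on an unexpected exit or signal.
with_workdir() {
    _wd=$(mktemp -d "${TMPDIR:-/tmp}/eic-demo.XXXXXX") || return 1
    trap 'rm -rf -- "$_wd"' EXIT
    trap 'exit 129' HUP
    trap 'exit 130' INT
    trap 'exit 143' TERM
    "$@" "$_wd"
    _rc=$?
    rm -rf -- "$_wd"
    trap - EXIT HUP INT TERM
    return "$_rc"
}

# Callback: store one line under the scratch directory and check the write.
write_sigline() {
    printf '%s\n' "$1" > "$2/sigline" || return 1
    LAST_SIGLINE_DIR=$2
}

# Constructed sample values standing in for metadata-service responses.
for candidate in '200' '200; echo injected' ''; do
    if is_uint "$candidate"; then
        safe_print "accepted: $candidate"
    else
        safe_print "rejected: $candidate"
    fi
done

with_workdir write_sigline 'constructed-signature-line' &&
    safe_print "scratch directory removed: $LAST_SIGLINE_DIR"
```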
[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
I've been reminded that set -o pipefail is not perfect. I'm going to quote from the excellent bash faq:

http://mywiki.wooledge.org/BashFAQ/105

> though with pipefail in effect, code like this will sometimes cause an
> error, depending on whether the output of somecmd exceeds the size of the
> pipe buffer or not:
>
>     set -e -o pipefail
>     somecmd | head -n1
>     # The following command will sometimes be executed, depending on how much output somecmd writes:
>     echo survived

Thanks

-- 
Status in ec2-instance-connect package in Ubuntu: Expired
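Added example, not from the thread or the Bash FAQ: the caveat quoted above made reproducible, followed by a pipe-free alternative that checks the producer's own exit status. The function names are hypothetical, `seq` stands in for `somecmd`, and bash is invoked explicitly because pipefail is a bash option.

```shell
#!/bin/sh
# Added illustration of the BashFAQ/105 caveat; not project code.
# Assumes bash and seq are installed.

# Print the exit status of "seq 1 N | head -n1" with pipefail enabled.
# A producer that fits in the pipe buffer finishes normally (status 0).
# A producer that is still writing when head exits is stopped by the
# closed pipe, so the pipeline reports a failure: 141 (128 + SIGPIPE)
# when SIGPIPE has its default action, otherwise a write error.
pipefail_status() {
    bash -c '
        set -o pipefail
        seq 1 "$1" 2>/dev/null | head -n1 >/dev/null
        echo "$?"
    ' _ "$1"
}

# Alternative without a pipe: run the producer to completion, check its
# own exit status, then cut the first line inside the shell. Suitable for
# small outputs such as a key or a token, since the output is held in a
# variable.
first_line_checked() {
    _out=$("$@") || return $?
    _nl='
'
    printf '%s\n' "${_out%%"$_nl"*}"
}

echo "pipefail, 1 line of output:          $(pipefail_status 1)"
echo "pipefail, 10000000 lines of output:  $(pipefail_status 10000000)"
echo "first_line_checked seq 1 100000:     $(first_line_checked seq 1 100000)"
```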
Re: [Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
I'm sorry that I have not yet returned to review the new version; this is written without having read the new changes.

On Mon, Feb 10, 2020 at 11:33:27AM -, Christian Ehrhardt wrote:
> > > - the service should not run as root, use PrivateTmp and maybe a few
> > >   other systemd service isolations
> >
> > I've forwarded this recommendation, too:
> > https://github.com/aws/aws-ec2-instance-connect-config/issues/14
> >
>
> Thanks for forwarding, but IMHO it needs to be resolved before promotion.
> I'm sure security would prefer having that as well - @sarnold - opinions on
> this detail?

I'm less sure: I also have the instinct to run new services in new user ids but this authentication mechanism will allow (or forbid) logins with root privileges. If it is compromised it can grant root privileges. If it is broken it can prevent legitimate users from gaining root privileges when needed. It's very nearly root-equivalent regardless of how it runs.

Using a different user account increases the complexity, which this service already has in spades. However, a different user account may limit what resources are silently or invisibly used by the service, which may limit future complexity growth.

> If "it will only be on EC2" would be a hard fact we can rely upon it would
> not need the majority of pre-checks at all.

I'm concerned about system images being shared amongst private and public clouds, or different public clouds, or between public clouds and local development. I know those checks are burdensome but I would rather have them than not. If this service runs elsewhere it may represent an instant remote code execution mechanism.

Thanks
-- 
Status in ec2-instance-connect package in Ubuntu: Incomplete
[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
Is the postrm script missing a systemctl daemon-reload?

    ==> postrm <==
    #!/bin/sh

    set -e

    #DEBHELPER#

    case "$1" in
        purge|remove|abort-install|disappear)
            deb-systemd-helper purge ec2-instance-connect
            # Delete system user
            deluser --system --quiet ec2-instance-connect
            echo "Deleted system user ec2-instance-connect"
            # restart ssh since the drop-in disappeared
            deb-systemd-invoke restart ssh.service
            ;;
        *)
            exit 0
            ;;
    esac

The postinst file has:

    systemctl --system daemon-reload >/dev/null || true

as part of starting the service.

Thanks

-- 
Status in ec2-instance-connect package in Ubuntu: Incomplete
[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
That's got to be my one super-power -- asking a question and finding out that no, I didn't find a bug, but by asking the question someone *else* spots a bug.

How about this?

    # Derive a sigv4 signing key for the given secret
    # get_sigv4_key [key] [datestamp] [region name] [service name]
    getsigv4key () {
        base="$(/bin/echo -n "AWS4${1}" | /usr/bin/od -A n -t x1 | /bin/sed ':a;N;$!ba;s/[\n ]//g')"
        kdate="$(sign "${base}" "${2}")"
        kregion="$(sign "${kdate}" "${3}")"
        kservice="$(sign "${kregion}" "${4}")"
        sign "${kservice}" "aws4_request"
    }

This appears to execute /bin/echo with a key as a parameter, where it may be visible to ps(1) output or /proc/*/cmdline. What are the consequences of exposing this key to all users on the computer?

Thanks

-- 
Status in ec2-instance-connect package in Ubuntu: Incomplete
[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
The hex encoded version of the key is also passed to openssl:

    $ echo abcdef0123456789 | /usr/bin/od -A n -t x1 | /bin/sed ':a;N;$!ba;s/[\n ]//g'
    616263646566303132333435363738390a
    $ aa-decode 616263646566303132333435363738390a
    Decoded: abcdef0123456789

    # Sign a message with a given key
    # sign [key] [msg]
    sign () {
        /usr/bin/printf "${2}" | /usr/bin/openssl dgst -binary -hex -sha256 -mac HMAC -macopt hexkey:"${1}" | /bin/sed 's/.* //'
    }

(See the hexkey: parameter)

This appears to come via:

    AWS_SECRET_ACCESS_KEY=$(/bin/echo "${creds}" | /bin/sed -n 's/.*"SecretAccessKey" : "\(.*\)",/\1/p')

which is from:

    creds=$(/usr/bin/curl -s -f -m 1 -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/")

and IMDS_TOKEN appears to come from:

    IMDS_TOKEN="$(/usr/bin/curl -s -f -m 1 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 5")"

Replacing the echo binary with a shell built-in wouldn't hide this key well.

Can any process on the system simply request such a token itself from the aws metadata service? What does knowledge of this key represent?

Thanks

-- 
Status in ec2-instance-connect package in Ubuntu: Incomplete
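Added example, not part of the thread and not project code: the argument exposure raised in the two messages above (the key handed to /bin/echo, then to openssl via hexkey:), shown with a constructed placeholder value on Linux. Function names are hypothetical; a short sh child stands in for the external command, and it assumes /proc is mounted without hidepid and that printf is a shell builtin.

```shell
#!/bin/sh
# Added illustration; Linux-only (reads /proc/<pid>/cmdline).
# The "secret" below is a constructed placeholder, not a credential.

# A child process that receives $1 as a command-line argument, the same
# way /bin/echo -n "AWS4${1}" does. Prints the child's command line as
# /proc exposes it. The trailing "exit 0" keeps the child shell alive
# while tr runs, so the command line read is that of the child itself.
cmdline_with_arg() {
    sh -c 'tr "\000" " " < "/proc/$$/cmdline"; exit 0' child "$1"
}

# The same child, but the value arrives on stdin, written by the printf
# builtin of the calling shell. A builtin runs inside the shell process,
# so no new argument vector containing the value is created.
cmdline_with_stdin() {
    printf '%s' "$1" |
        sh -c 'cat >/dev/null; tr "\000" " " < "/proc/$$/cmdline"; exit 0'
}

# True when string $2 occurs in string $1.
contains() {
    case "$1" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

demo_secret='CONSTRUCTED-NOT-A-REAL-KEY'

if contains "$(cmdline_with_arg "$demo_secret")" "$demo_secret"; then
    echo "passed as argument: value appears in /proc/<pid>/cmdline"
fi
if ! contains "$(cmdline_with_stdin "$demo_secret")" "$demo_secret"; then
    echo "passed on stdin:    value does not appear in /proc/<pid>/cmdline"
fi
```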
[Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
This new version of ec2-instance-connect is significantly better, thanks for all the work.

I was wrong about the dedicated user: using the ec2-instance-connect user is definitely an improvement.

My one specific concern:

- AWS_SECRET_ACCESS_KEY (and the ability to get one) appears to be available to all processes on the system. What does possession of this secret key mean? The hypervisor may not care, a guest is a guest is a guest, but users may care deeply. Do they?

And two generic concerns:

- Shell error handling is difficult. This code looks much safer than before but the language is not helpful here.

- SSH access credentials are almost invisible: ps auxw | grep ssh will show the flow, as will an inspection of /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf , but these are fairly subtle.

These last two issues are more business decisions than security purview. Rewriting a tool isn't cheap and the work on this version was extensive. And all this effort must surely be because users have wanted an out-of-band authentication mechanism. Sufficiently advertising the new feature would allay my concern that it's very subtle.

Thanks

-- 
Status in ec2-instance-connect package in Ubuntu: Incomplete
Re: [Cloud-init-dev] [Bug 1835114] Re: [MIR] ec2-instance-connect
On Tue, Feb 25, 2020 at 04:21:05PM -, Balint Reczey wrote:
> This is a temporary key and it is indeed available to everyone being
> able to run curl on the system:
> https://www.reddit.com/r/aws/comments/85vkq6/question_about_accesskeyid_secretaccesskey_in/
>
> The package does not change the availability of the key, so I believe
> this is not a concern regarding the package, but a general concern
> regarding EC2 instances.

Excellent, this is exactly the confirmation that this is expected.

> Can I take this as an OK for the MIR, from the Security Team?

Yes, security team ACK for promoting ec2-instance-connect to main, with the understanding that it shouldn't be seeded in generic media.

Thanks

-- 
Status in ec2-instance-connect package in Ubuntu: Incomplete