@raharper Could you please check if you find my recent answers in #30
satisfying for your concerns?
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR]
@raharper Could you please check if you find my recent answers in #30
satisfying for your concerns?
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR]
@raharper Could you please check if you find my recent answers in #30
satisfying for your concerns?
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR]
On the topic of testing raised in earlier comments. CPC will continue
with our baseline testing and for releases earlier than focal where we
will be pre-installing the package in AWS images with the service
disabled (opt-in) we will test that the service is correctly disabled.
This testing is
** Changed in: ec2-instance-connect (Ubuntu)
Assignee: (unassigned) => Matthias Klose (doko)
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR]
@raharper Copying my answer in #27 again because it is not easily
readable due to answering in email:
On Thu, Feb 13, 2020 at 4:51 PM Ryan Harper <1835...@bugs.launchpad.net> wrote:
>
> On Thu, Feb 13, 2020 at 6:20 AM Balint Reczey
> wrote:
>
> > @raharper I agree with the concern regarding the
On Tue, Feb 25, 2020 at 04:21:05PM -, Balint Reczey wrote:
> This is a temporary key and it is indeed available to everyone being
> able to run curl on the system:
> https://www.reddit.com/r/aws/comments/85vkq6/question_about_accesskeyid_secretaccesskey_in/
>
> The package does not change the
Hi Seth,
Thanks for the new review.
On Fri, Feb 21, 2020 at 5:15 AM Seth Arnold <1835...@bugs.launchpad.net> wrote:
>
> This new version of ec2-instance-connect is significantly better, thanks
> for all the work.
>
> I was wrong about the dedicated user: using the ec2-instance-connect
> user is
On Thu, Feb 13, 2020 at 4:51 PM Ryan Harper <1835...@bugs.launchpad.net> wrote:
>
> On Thu, Feb 13, 2020 at 6:20 AM Balint Reczey
> wrote:
>
> > @raharper I agree with the concern regarding the manipulation of sshd
> > config. To minimize the collision with cloud-init this package does not
> >
This new version of ec2-instance-connect is significantly better, thanks
for all the work.
I was wrong about the dedicated user: using the ec2-instance-connect
user is definitely an improvement.
My one specific concern:
- AWS_SECRET_ACCESS_KEY (and the ability to get one) appears to be
The hex encoded version of the key is also passed to openssl:
$ echo abcdef0123456789 | /usr/bin/od -A n -t x1 | /bin/sed ':a;N;$!ba;s/[\n
]//g'
616263646566303132333435363738390a
$ aa-decode 616263646566303132333435363738390a
Decoded: abcdef0123456789
# Sign a message with a given key
# sign
printf is a shell built-in which does not exec a new process like echo;
I believe this is a reasonable replacement for use of echo -n
printf "%s" ${1}
Alternatively, if you drop the /bin/echo and use bash's built-in echo;
that also will work as it won't exec a new process.
--
You received this
That's got to be my one super-power -- asking a question and finding out
that no, I didn't find a bug, but by asking the question someone *else*
spots a bug.
How about this?
# Derive a sigv4 signing key for the given secret
# get_sigv4_key [key] [datestamp] [region name] [service name]
@seth-arnold The daemon-reload is added automatically by debhelper:
...
# Automatically added by dh_systemd_start/11.1.6ubuntu2
if [ -d /run/systemd/system ]; then
systemctl --system daemon-reload >/dev/null || true
fi
# End automatically added section
...
Since it is also added to the
Is the postrm script missing a systemctl daemon-reload?
==> postrm <==
#!/bin/sh
set -e
#DEBHELPER#
case "$1" in
purge|remove|abort-install|disappear)
deb-systemd-helper purge ec2-instance-connect
# Delete system user
deluser --system --quiet ec2-instance-connect
@seth-arnold could you please review the latest version? It would be
nice to have the Security Team's approval or the list of security-
related issues to be fixed to gain approval.
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the
On Thu, Feb 13, 2020 at 6:20 AM Balint Reczey
wrote:
> @raharper I agree with the concern regarding the manipulation of sshd
> config. To minimize the collision with cloud-init this package does not
> change /etc/ssh/sshd_config like cloud-init does, but overrides the
> configuration value with
@raharper I agree with the concern regarding the manipulation of sshd
config. To minimize the collision with cloud-init this package does not
change /etc/ssh/sshd_config like cloud-init does, but overrides the
configuration value with a systemd drop-in. The drop-in is placed at the
time the AMI is
I'm sorry that I have not yet returned to review the new version; this
is written without having read the new changes.
On Mon, Feb 10, 2020 at 11:33:27AM -, Christian Ehrhardt wrote:
> > > - the service should not run as root, use PrivateTmp and maybe a few
> > > other systemd service
** Bug watch added: github.com/aws/aws-ec2-instance-connect-config/issues #15
https://github.com/aws/aws-ec2-instance-connect-config/issues/15
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
On Wed, Feb 5, 2020 at 10:55 PM Balint Reczey
wrote:
> @paelzer I attempt to answer the review comments below
>
Thank you @Rbalint for picking this up and driving it.
I'll skip sections that are ok now - thanks for adding/fixing all those!
> > - an ack by the cloud-init Team that this does
>From a cloud-init perspective, one area of concern is around
manipulation of sshd config.
Cloud-init does make changes to sshd config, in particular it controls
the PasswordAuthentication value based on cloud-config values,
ssh_pwauth: .
Cloud-init will read in sshd, update a key/value and
@paelzer I attempt to answer the review comments below
> [Summary]
> It seems mostly to me packaging wise, but I think there are a bunch of things
> needed to be doen to complete this. We need:
> - an ack by the cloud-init Team that this does not conflict with our usual
> services provided
Hi,
this was waiting for updates/fixes to a bunch of things as identified in former
reviews before being re-reviewed.
The correct state of this is "incomplete" until all that was requested is
provided.
(And even then it just means to restart review without guarantees to pass
cleanly).
**
** Tags added: id-5e21ca0949c79659969a46bd
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
Status in ec2-instance-connect package in
** Changed in: ec2-instance-connect (Ubuntu)
Assignee: Balint Reczey (rbalint) => (unassigned)
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR]
** Tags added: id-5e1e340b6338410899d33213
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
Status in ec2-instance-connect package in
** Changed in: ec2-instance-connect (Ubuntu)
Status: Expired => New
** Changed in: ec2-instance-connect (Ubuntu)
Assignee: (unassigned) => Balint Reczey (rbalint)
** Description changed:
[Availability]
- ec2-instance-connect is in the Ubuntu archive, and available for all
I've been reminded that set -o pipefail is not perfect. I'm going to
quote from the excellent bash faq:
http://mywiki.wooledge.org/BashFAQ/105
> though with pipefail in effect, code like this will sometimes cause an
> error, depending on whether the output of somecmd exceeds the size of the
>
If this is going to be addressed via code changes rather than a rewrite,
I'd like to suggest the following order:
- remove all evals
- add set -o pipefail to help catch errors in pipelines
- add set -u to help catch unset variables
- replace /tmp/sigline with mktemp -d
Thanks
--
You received
[Expired for ec2-instance-connect (Ubuntu) because there has been no
activity for 60 days.]
** Changed in: ec2-instance-connect (Ubuntu)
Status: Incomplete => Expired
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug
** Attachment added: "shellcheck.txt"
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+attachment/5282470/+files/shellcheck.txt
** Changed in: ec2-instance-connect (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this
At a high level I'm concerned about several parts of this tool's design:
- First, it puts an incredibly high level of trust in the metadata
service. This may make sense in the context of executing on the Amazon
platform, but is positively dangerous outside the Amazon platform. It's
Also while thinking about it, ~5-8 curl calls fro every SSH login can be quite
expensive.
I know it fortunately has an early exit but that still is 2 curl requests.
If this is installed in any place without the endpoint at
169.254.169.254 being responsive and super fast this could lead to a
very
Since before we had a lot of text @cloud-nit team - please review and
ack that this is no conflict with what/how cloud-init is/will provide.
--
You received this bug notification because you are a member of cloud-
init commiters, which is subscribed to the bug report.
[Summary]
It seems mostly to me packaging wise, but I think there are a bunch of things
needed to be doen to complete this. We need:
- an ack by the cloud-init Team that this does not conflict with our usual
services provided through cloud init
- I'm subscribing the cloud-init Team to give it
36 matches
Mail list logo
