** Description changed:

- TODO
+ [Impact]
+
+ The domain returned from IMDS is not verified if it was an AWS domain.
+
+ [Test Cases]
+
+ 0) Deploy an Amazon AWS instance with Instance Connect feature enabled
+ 1) Connect to the instance using Instance Connect, for example by pressing the "Connect" button on the web UI.
+ 2) Within a few ten seconds of connecting run (assuming using the ubuntu username):
+
+ bash -x /usr/share/ec2-instance-connect/eic_curl_authorized_keys ubuntu
+
+ 3) The debug output should show successful validation:
+ ...
+ ++ /usr/bin/curl -s -f -m 1 -H 'X-aws-ec2-metadata-token: ...XXX...==' http://169.254.169.254/latest/meta-data/services/domain/
+ + domain=amazonaws.com
+ + domain_exit=0
+ + '[' 0 -ne 0 ']'
+ + is_domain_valid=1
+ + for valid_domain in amazonaws.com amazonaws.com.cn c2s.ic.gov sc2s.sgov.gov
+ + '[' amazonaws.com = amazonaws.com ']'
+ + is_domain_valid=0
+ + break
+ + '[' 0 -eq 1 ']'
+ ++ /usr/bin/printf managed-ssh-signer.%s.%s us-east-2 amazonaws.com
+ ...
+
+ [Regression Potential]
+
+ The validation code can fail preventing connection to the VM. Considering that this is a very small amount of code and looks OK this is unlikely.
+ The validation could also falsely pass, but that would not be a regression since the validation was not there before.
-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1904741

Title:
  Verify that domain returned from IMDS is an AWS domain
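The allow-list check visible in the debug trace above, written out as an added example; it is not the ec2-instance-connect script itself. The function names `is_aws_domain` and `signer_endpoint` and the character-set pre-checks are assumptions of this example, while the domain list and the `managed-ssh-signer.%s.%s` format come from the trace.

```shell
#!/bin/sh
# Added illustration; not the ec2-instance-connect package's code.
# Allow-list copied from the debug trace in the bug description.
VALID_DOMAINS="amazonaws.com amazonaws.com.cn c2s.ic.gov sc2s.sgov.gov"

# is_aws_domain DOMAIN: returns 0 only on an exact, whole-string match.
# A suffix or substring test would accept look-alike values.
is_aws_domain() {
    candidate=$1
    # Assumption of this example: reject empty values and anything that is
    # not a lowercase hostname character before comparing.
    case $candidate in
        ''|*[!a-z0-9.-]*) return 1 ;;
    esac
    for valid_domain in $VALID_DOMAINS; do
        [ "$candidate" = "$valid_domain" ] && return 0
    done
    return 1
}

# signer_endpoint REGION DOMAIN: prints the signer hostname, or fails closed
# (no output, non-zero status) when the domain is not on the allow-list.
signer_endpoint() {
    region=$1
    domain=$2
    # Assumption of this example: regions contain only a-z, 0-9 and '-'.
    case $region in
        ''|*[!a-z0-9-]*) return 1 ;;
    esac
    is_aws_domain "$domain" || return 1
    printf 'managed-ssh-signer.%s.%s\n' "$region" "$domain"
}

# Constructed sample values standing in for metadata responses.
for d in amazonaws.com amazonaws.com.cn amazonaws.com.example.net ''; do
    if is_aws_domain "$d"; then
        echo "accept: '$d'"
    else
        echo "reject: '$d'"
    fi
done
```

The caller should treat a non-zero status from `signer_endpoint` the same way as a failed metadata request and stop, rather than continue with an unverified hostname.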
