That's got to be my one super-power -- asking a question and finding out
that no, I didn't find a bug, but by asking the question someone *else*
spots a bug.
How about this?
# Derive a sigv4 signing key for the given secret
# get_sigv4_key [key] [datestamp] [region name] [service name]
getsigv4key () {
base="$(/bin/echo -n "AWS4${1}" | /usr/bin/od -A n -t x1 | /bin/sed
':a;N;$!ba;s/[\n ]//g')"
kdate="$(sign "${base}" "${2}")"
kregion="$(sign "${kdate}" "${3}")"
kservice="$(sign "${kregion}" "${4}")"
sign "${kservice}" "aws4_request"
}
This appears to execute /bin/echo with a key as a parameter, where it may be
visible to ps(1) output or /proc/*/cmdline.
What's the consequences of exposing this key to all users on the
computer?
Thanks
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
Status in ec2-instance-connect package in Ubuntu:
Incomplete
Bug description:
[Availability]
ec2-instance-connect is in the Ubuntu archive, and available for all
supported releases. It is available on all architectures despite only being
useful on Amazon EC2 instances.
[Rationale]
This package is useful on Amazon EC2 instances to make use of a new feature:
Instance Connect; which allows storing SSH keys for access online in the
Amazon systems. These SSH keys are then retrieved to be used by the system's
SSH service, collated with pre-existing keys as deployed on the system.
Installing the package enables the use of Instance Connect on an
instance.
[Security]
This is a new package, and as such has no security history to speak of.
[Quality Assurance]
The package consists in a few shell scripts that are difficult to test by
themselves due to the high reliance on Amazon's Instance Connect service;
which is online and limited to use on Amazon instances.
Given that it's a new package, there are no long-term outstanding bugs in
Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.
This package deals with special "hardware"; it is only useful on Amazon
instances, and its support is required as a default deployment on such
instances when deployed with Ubuntu.
[UI Standards]
Not applicable. This service is command-line only and has no configuration
options.
[Dependencies]
There are no special dependencies to speak of.
[Standards Compliance]
This package has been thoroughly reviewed by a few Canonical engineers, there
are no standards violations known.
[Maintenance]
This package is to be owned by the Ubuntu Foundations team.
[Background Information]
This is Amazon-specific, as previously mentioned.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~cloud-init-dev
Post to : cloud-init-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~cloud-init-dev
More help : https://help.launchpad.net/ListHelp
