The hex encoded version of the key is also passed to openssl:

  $ echo abcdef0123456789 | /usr/bin/od -A n -t x1 | /bin/sed ':a;N;$!ba;s/[\n ]//g'
  616263646566303132333435363738390a
  $ aa-decode 616263646566303132333435363738390a
  Decoded: abcdef0123456789
  # Sign a message with a given key
  # sign [key] [msg]
  sign () {
      /usr/bin/printf "${2}" | /usr/bin/openssl dgst -binary -hex -sha256 -mac HMAC -macopt hexkey:"${1}" | /bin/sed 's/.* //'
  }

(See the hexkey: parameter)

This appears to come via:

  AWS_SECRET_ACCESS_KEY=$(/bin/echo "${creds}" | /bin/sed -n 's/.*"SecretAccessKey" : "\(.*\)",/\1/p')

which is from:

  creds=$(/usr/bin/curl -s -f -m 1 -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/")

and IMDS_TOKEN appears to come from:

  IMDS_TOKEN="$(/usr/bin/curl -s -f -m 1 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 5")"

Replacing the echo binary with a shell built-in wouldn't hide this key well.

Can any process on the system simply request such a token itself from the aws metadata service?

What does knowledge of this key represent?

Thanks

-- 
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature: Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system. Installing the package enables the use of Instance Connect on an instance.

  [Security]
  This is a new package, and as such has no security history to speak of.
  [Quality Assurance]
  The package consists of a few shell scripts that are difficult to test by themselves due to the high reliance on Amazon's Instance Connect service; which is online and limited to use on Amazon instances. Given that it's a new package, there are no long-term outstanding bugs in Ubuntu or Debian. The package is only maintained in Ubuntu at the moment. This package deals with special "hardware"; it is only useful on Amazon instances, and its support is required as a default deployment on such instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration options.

  [Dependencies]
  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known.

  [Maintenance]
  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.

_______________________________________________
Mailing list: https://launchpad.net/~cloud-init-dev
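The following is an added example, not code from the bug thread or from the ec2-instance-connect package. It reproduces what the quoted shell pipeline computes (the od-style hex encoding of the key, and the HMAC-SHA256 that sign() asks openssl for), but does the HMAC in-process with Python's hmac module so the secret never appears on a command line. The sample key "abcdef0123456789" is the one the thread uses with od/aa-decode; the "Jefe" key and message in the usage note are the RFC 4231 HMAC-SHA256 test vector. The argv helper and the exposure check are assumptions introduced here to make the point of the comment concrete: anything on argv is readable by other local users through ps or /proc/PID/cmdline.

```python
"""
Added example (not code from the bug thread or from ec2-instance-connect):
the quoted sign() computed in-process, with the secret kept off argv.
"""
import hashlib
import hmac

# Constructed sample key: the same value the thread feeds to od and aa-decode.
SAMPLE_KEY = "abcdef0123456789"


def hex_encode_like_od(text: str) -> str:
    """Mimic `echo X | od -A n -t x1 | sed ...`.

    echo appends a newline, so the trailing 0a byte is part of the output,
    exactly as the thread's transcript shows.
    """
    return (text + "\n").encode().hex()


def build_openssl_argv(hexkey: str) -> list:
    """The argv that the quoted sign() hands to openssl (reconstructed here).

    Every element of argv is visible to other local users via ps and
    /proc/PID/cmdline, which is the exposure the comment points at.
    """
    return ["/usr/bin/openssl", "dgst", "-binary", "-hex", "-sha256",
            "-mac", "HMAC", "-macopt", "hexkey:" + hexkey]


def argv_exposes_secret(argv: list, hexkey: str) -> bool:
    """Return True if the hex key is embedded in any argv element."""
    return any(hexkey in arg for arg in argv)


def sign(hexkey: str, msg: str) -> str:
    """In-process equivalent of sign [key] [msg].

    HMAC-SHA256 over msg, keyed with the raw bytes behind the hex key,
    returned as lowercase hex (what openssl's -hex output carries after
    the `HMAC-SHA256(stdin)= ` prefix that sed strips).

    Caveat: the shell version pipes msg through printf, which interprets
    backslash escapes and % directives; this version treats msg literally,
    so the two agree only for messages without those characters.
    """
    key = bytes.fromhex(hexkey)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def verify(hexkey: str, msg: str, tag: str) -> bool:
    """Constant-time comparison of a received tag against a fresh HMAC."""
    return hmac.compare_digest(sign(hexkey, msg), tag)


if __name__ == "__main__":
    # Note: the od pipeline in the thread hex-encodes the newline too, so a
    # key derived that way carries a trailing 0a byte.
    hexkey = hex_encode_like_od(SAMPLE_KEY)
    print("od-style hex:", hexkey)
    print("secret on argv:", argv_exposes_secret(build_openssl_argv(hexkey), hexkey))
    print("tag:", sign(hexkey, "example message"))
```

With the RFC 4231 vector, sign("4a656665", "what do ya want for nothing?") returns 5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843, which is the value openssl's HMAC would print for the same key and input. The design point is that hmac.new() receives the key as bytes inside the process; the shell version has to serialise it onto openssl's command line, and no choice of echo binary versus built-in changes that.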