Hi Seth, Thanks for the new review.
On Fri, Feb 21, 2020 at 5:15 AM Seth Arnold <1835...@bugs.launchpad.net> wrote: > > This new version of ec2-instance-connect is significantly better, thanks > for all the work. > > I was wrong about the dedicated user: using the ec2-instance-connect > user is definitely an improvement. > > My one specific concern: > > - AWS_SECRET_ACCESS_KEY (and the ability to get one) appears to be > available to all processes on the system. What does possession of this > secret key mean? The hypervisor may not care, a guest is a guest is a > guest, but users may care deeply. Do they? This is a temporary key and it is indeed available to everyone being able to run curl on the system: https://www.reddit.com/r/aws/comments/85vkq6/question_about_accesskeyid_secretaccesskey_in/ The package does not change the availability of the key, so I believe this is not a concern regarding the package, but a general concern regarding EC2 instances. > And two generic concerns: > > - Shell error handling is difficult. This code looks much safer than > before but the language is not helpful here. > > - SSH access credentials are almost invisible: ps auxw | grep ssh will > show the flow, as will an inspection of > /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf , but these > are fairly subtle. > > These last two issues are more business decisions than security purview. > Rewriting a tool isn't cheap and the work on this version was extensive. > And all this effort must surely be because users have wanted an out-of- > band authentication mechanism. Sufficiently advertising the new feature > would allay my concern that it's very subtle. Can I take this as an OK for the MIR, from the Security Team? Thanks, Balint > > Thanks > > -- > You received this bug notification because you are subscribed to the bug > report. > https://bugs.launchpad.net/bugs/1835114 > > Title: > [MIR] ec2-instance-connect > > Status in ec2-instance-connect package in Ubuntu: > Incomplete > > Bug description: > [Availability] > ec2-instance-connect is in the Ubuntu archive, and available for all > supported releases. It is available on all architectures despite only being > useful on Amazon EC2 instances. > > [Rationale] > This package is useful on Amazon EC2 instances to make use of a new feature: > Instance Connect; which allows storing SSH keys for access online in the > Amazon systems. These SSH keys are then retrieved to be used by the system's > SSH service, collated with pre-existing keys as deployed on the system. > > Installing the package enables the use of Instance Connect on an > instance. > > [Security] > This is a new package, and as such has no security history to speak of. > > [Quality Assurance] > The package consists in a few shell scripts that are difficult to test by > themselves due to the high reliance on Amazon's Instance Connect service; > which is online and limited to use on Amazon instances. > > Given that it's a new package, there are no long-term outstanding bugs in > Ubuntu or Debian. The package is only maintained in Ubuntu at the moment. > > This package deals with special "hardware"; it is only useful on Amazon > instances, and its support is required as a default deployment on such > instances when deployed with Ubuntu. > > [UI Standards] > Not applicable. This service is command-line only and has no configuration > options. > > [Dependencies] > There are no special dependencies to speak of. > > [Standards Compliance] > This package has been thoroughly reviewed by a few Canonical engineers, > there are no standards violations known. > > [Maintenance] > This package is to be owned by the Ubuntu Foundations team. > > [Background Information] > This is Amazon-specific, as previously mentioned. > > To manage notifications about this bug go to: > https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions -- Balint Reczey Ubuntu & Debian Developer -- You received this bug notification because you are a member of cloud- init Commiters, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1835114 Title: [MIR] ec2-instance-connect Status in ec2-instance-connect package in Ubuntu: Incomplete Bug description: [Availability] ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances. [Rationale] This package is useful on Amazon EC2 instances to make use of a new feature: Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system. Installing the package enables the use of Instance Connect on an instance. [Security] This is a new package, and as such has no security history to speak of. [Quality Assurance] The package consists in a few shell scripts that are difficult to test by themselves due to the high reliance on Amazon's Instance Connect service; which is online and limited to use on Amazon instances. Given that it's a new package, there are no long-term outstanding bugs in Ubuntu or Debian. The package is only maintained in Ubuntu at the moment. This package deals with special "hardware"; it is only useful on Amazon instances, and its support is required as a default deployment on such instances when deployed with Ubuntu. [UI Standards] Not applicable. This service is command-line only and has no configuration options. [Dependencies] There are no special dependencies to speak of. [Standards Compliance] This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known. [Maintenance] This package is to be owned by the Ubuntu Foundations team. [Background Information] This is Amazon-specific, as previously mentioned. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~cloud-init-dev Post to : cloud-init-dev@lists.launchpad.net Unsubscribe : https://launchpad.net/~cloud-init-dev More help : https://help.launchpad.net/ListHelp
