Comments (3)

LordAlfredo avatar LordAlfredo commented on July 22, 2024

Thank you for the request. I will bring this up with our product management, but I would not get my hopes up. There are two angles to consider why not: security and product goals.

I will avoid getting too deep into the system threat model, but as part of key verification at some point the active key list must be processed. By doing all of this within the scope of the ssh daemon's memory, there is practically nothing for malicious software to manipulate - it would have to crack the daemon process memory to add an undesired key, which would mean your system would have to already be totally compromised. On the other hand, a cache introduces a new potential attack surface.

As for product goals, the main focus of EC2 Instance Connect is

  • Simplify the process of managing ssh key handling for instances for end customers
  • Enable an ssh "pseudo-session" to the instance using IAM credentials
  • Enable scoping of ssh keys to a singular session

I won't get into the full details of why a key is desired to be "single session" here, but there are a number of benefits from a security and auditing standpoint.

In an absolutely perfect world, we would not be doing the key timestamp piece that you've noted. Instead, a key would be trusted by the ssh daemon once and then never again (unless it was published through EIC a second time). The problem is, it turns out doing this is incredibly complex - if you check the instance's auth logs, you can even see that the ssh daemon pulls the set of available ssh keys multiple times. It's much more nuanced than just "trust this specific request ID once" and would either require a full-featured sibling daemon for sshd to hook into or would require deep changes to sshd itself. The 60 second expiration is an approximation for single-session scoping without needing to make these deeper, riskier changes to the ssh daemon (60 seconds in particular was chosen as sufficient time for all parts of the ssh handshake to complete in all testing).

from aws-ec2-instance-connect-config.
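The 60-second window described in the comment above, as an added illustration that is not code from the aws-ec2-instance-connect-config project: a small filter that reads a key list carrying publish timestamps and emits only keys still inside the window, the way a hook feeding sshd (for example an AuthorizedKeysCommand) would. The `<unix-timestamp> <openssh-key-line>` input format, the sample keys and the "reject future-dated keys" rule are assumptions made for this example.

```python
from dataclasses import dataclass
import time

# Window matching the 60-second expiration discussed above.
KEY_TTL_SECONDS = 60


@dataclass(frozen=True)
class PublishedKey:
    published_at: int   # Unix time the key was published (assumed field)
    key_line: str       # OpenSSH public-key line: "<type> <base64> [comment]"


def parse_active_keys(text: str) -> list:
    """Parse constructed '<unix-ts> <key-line>' entries; skip malformed lines.

    This line format is an assumption for the example, not the format the
    real EC2 Instance Connect key feed uses.
    """
    keys = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # malformed input never becomes a trusted key
        keys.append(PublishedKey(int(parts[0]), parts[1].strip()))
    return keys


def filter_fresh_keys(keys, now=None, ttl=KEY_TTL_SECONDS) -> list:
    """Return key lines published within the last `ttl` seconds.

    Keys older than the window are expired (the single-session approximation).
    Keys with a timestamp in the future are rejected too, so a skewed clock or
    a tampered timestamp cannot extend a key's lifetime.
    """
    now = int(time.time()) if now is None else now
    fresh = []
    for k in keys:
        age = now - k.published_at
        if 0 <= age <= ttl:
            fresh.append(k.key_line)
    return fresh


# Constructed sample feed: three keys published at different times (fake key
# material) plus one junk line that must be ignored.
SAMPLE = """\
1000 ssh-ed25519 AAAAC3FAKEKEYONE user-a
1055 ssh-ed25519 AAAAC3FAKEKEYTWO user-b
1100 ssh-ed25519 AAAAC3FAKEKEYTHREE user-c
garbage line that should be skipped
"""
```

Running `filter_fresh_keys(parse_active_keys(SAMPLE), now=1060)` keeps the first two keys (ages 60 and 5 seconds) and drops the third, whose timestamp is still in the future at that instant.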

cpaelzer avatar cpaelzer commented on July 22, 2024

Thanks for the answer @LordAlfredo - I can see the threat model POV here. Maybe it can be a long-term goal implemented inside the ssh daemon itself (or a plugin, or a sibling daemon, or maybe even a PAM module or something like it) which could grant the benefits of reduced overhead/latency while at the same time not adding the same additional attack surface that an on-disk cache of any kind would.

from aws-ec2-instance-connect-config.

raharper avatar raharper commented on July 22, 2024

What about making use of the kernel keyring to store the session data and timestamps needed to implement a cache?

from aws-ec2-instance-connect-config.
