Comments (8)
Thank you for bringing this to our attention. What's happening is the eic_harvest_hostkeys script is bound to a systemd unit set to run before sshd (basically as soon as hostkey generation/configuration is finished) and, as part of the script, makes a call to ec2-instance-connect.[region].amazonaws.com. Of course, if the security group is blocking all outbound traffic then it wouldn't be able to reach that (even if it is an Amazon endpoint), would fail, and would delay systemd starting sshd.
There are already some safety checks to fast-fail if we detect we're not running on an EC2 instance. The fix here will be to add an additional check to this flow for whether the service is reachable. The side effect is that the service will not know your instance's host key; as a result, the first time you connect with the EC2 Console's Connect dialog there will be a small additional delay.
from aws-ec2-instance-connect-config.
Thanks for the quick reply.
By "EC2 Console's Connect" you are referring to the Java SSH client?
And anyway, I can't think of a reason why not to fire up sshd right away (before eic_harvest_hostkeys), and if eic_harvest_hostkeys completed successfully, restart sshd, because as far as I know, restarting sshd will not kill any active connections since each one becomes a child ssh server and can live without the master server.
Close - with the release of EC2 Instance Connect the EC2 Console now has the option to use EIC to open a JavaScript native in-browser terminal instead of the Java client.
The reason we had set this to run before sshd was to ensure hostkey harvest was complete before anyone might attempt to use this feature in the EC2 Console.
After further discussion we've decided a better option is to add/tighten timeouts around the call to the service itself - there are other ramifications to adding an ICMP-ping-based fast-fail.
I am having issues with this as well when using a private intranet. Is there any endpoint that can be configured to access this? Also, are there any endpoints? I can't find them.
Endpoint varies based on the region of the instance, e.g. in US West (Oregon), the endpoint would be https://ec2-instance-connect.us-west-2.amazonaws.com/. eic_harvest_hostkeys provided a way to get this endpoint programmatically; you can take that as a reference. Anyway, I believe you have to configure your private intranet in order to reach this endpoint.
We are currently working on a fix for such scenario to address the delay issue as mentioned above.
I meant a private vpc endpoint that could be setup for this. The endpoint "ec2-instance-connect" or anything like it does not seem to exist as an internal endpoint (at least not in eu-west-1).
@fernando-villalba Thanks for correcting me! I was thinking about domain whitelisting for VPC egress gateway.
We do not support PrivateLink endpoints at this time. I will put a feature request for supporting this in our backlog.
This issue has been addressed a while ago, with the timeout added here: https://github.com/aws/aws-ec2-instance-connect-config/blob/master/src/bin/eic_harvest_hostkeys#L164-L166
I believe this was kept open to "track" PrivateLink endpoints. Re-opened #18 for further discussion around PrivateLink, as that issue is directly relevant.
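The timeout approach the maintainers settled on in the thread (tighten timeouts around the service call instead of an ICMP fast-fail, later shipped as the fix linked above), shown as an added shell example that is not the project's eic_harvest_hostkeys script: the pre-sshd network step runs under a hard deadline and every outcome is treated as non-fatal, so a blocked egress path cannot hold up sshd. It assumes GNU coreutils timeout(1); the unreachable endpoint is simulated with sleep rather than a real call.

```shell
#!/bin/sh
# Added example, not the project's code. Bound a network step that a systemd
# unit runs before sshd so that a blocked or slow endpoint cannot delay boot.
# Assumes GNU coreutils timeout(1); commands and sleeps below are constructed.

# Run a command with a hard deadline in seconds. Echoes one of:
#   ok        - finished within the deadline and succeeded
#   timeout   - deadline hit (timeout(1) reports this as exit status 124)
#   failed:N  - finished within the deadline but returned status N
# Always returns 0 so callers running under 'set -e' keep going.
bounded_step() {
    deadline="$1"; shift
    rc=0
    timeout "$deadline" "$@" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0)   echo ok ;;
        124) echo timeout ;;
        *)   echo "failed:$rc" ;;
    esac
    return 0
}

# Wrap the host-key push so no outcome is fatal. The only cost of a failed
# push is that the service does not learn the host key (a slower first
# console connection), which is never worth holding sshd for.
harvest_hostkeys_nonblocking() {
    deadline="$1"; shift
    result=$(bounded_step "$deadline" "$@")
    case "$result" in
        ok)      echo "harvest: host keys pushed" >&2 ;;
        timeout) echo "harvest: endpoint unreachable within ${deadline}s, skipping" >&2 ;;
        *)       echo "harvest: push failed ($result), skipping" >&2 ;;
    esac
    echo "$result"
    return 0
}

# Stand-alone demo: 'sleep 30' stands in for a call to an endpoint that a
# security group silently drops; the 1s deadline is hit and boot continues.
harvest_hostkeys_nonblocking 1 sleep 30
harvest_hostkeys_nonblocking 5 true
```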