elpy1/ssh-over-ssm

ec2-connect instead of shell command

lanwen opened this issue · 2 comments

AWS developed the ec2-connect feature to deliver pubkeys to a target instance, and that could replace the complicated script
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html

in this part https://github.com/elpy1/ssh-over-ssm/blob/master/ssh-ssm.sh#L38-L47

with

aws ec2-instance-connect send-ssh-public-key \
  --instance-id "${iid}" \
  --availability-zone "$(aws ec2 describe-instances --instance-ids "${iid}" --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output=text)" \
  --instance-os-user "${ssh_user}" \
  --ssh-public-key "${ssh_pubkey}"

which is more controllable and reliable

As a drawback, it requires ec2-instance-connect to be installed on the host.

Would you consider this improvement?

elpy1 commented

I don't think so (for now..):

  • only supported on ubuntu and amazon linux
  • does not support Ed25519 ssh keys
  • does not verify and/or return error if username is incorrect or does not exist on target instance

Also, the script is not very complicated. It does the following:

  1. verify user: getent passwd {user} and attempt to cd into their home dir OR exit
  2. check if ssh pubkey already authorised: grep {ssh_pubkey} {authkeys} AND exit
  3. append ssh pubkey to authorized_keys: printf {pubkey} | tee -a {authkeys} AND
  4. do nothing for 15 seconds: sleep 15
  5. replace {pubkey} with '' in authorized_keys file: sed -i s,{pubkey},, {authkeys}

Let me know if I'm missing anything.
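The five steps above, written out as a stand-alone POSIX shell example. This is added here for illustration and is not the ssh-ssm.sh script itself (nor the author's code): the function names are this example's own, and the target user, the authorized_keys path and the wait time are made parameters so the logic can be exercised against a scratch file instead of a real account. It keeps the same flow (verify user, skip if already authorised, append, wait, remove) but matches and removes the key as an exact fixed-string line rather than with a sed substitution, and removes it via a trap so an interrupted wait does not leave the key behind.

```shell
#!/bin/sh
# Added example, not the project's script: a re-implementation of the five steps
# (verify user, check key, append key, wait, remove key) with paths as parameters.

# Step 1: the user must exist and have a home directory. Prints the home dir on success.
verify_user() {
  user="$1"
  home_dir="$(getent passwd "$user" | cut -d: -f6)"
  [ -n "$home_dir" ] && [ -d "$home_dir" ] || return 1
  printf '%s\n' "$home_dir"
}

# Step 2: is this exact key line already present? -F (fixed string) and -x (whole line),
# so '+' and '/' in the key body are never interpreted as regex metacharacters.
key_authorised() {
  pubkey="$1"; authkeys="$2"
  [ -f "$authkeys" ] && grep -qxF -- "$pubkey" "$authkeys"
}

# Step 5: drop only lines equal to the key; every other line is kept byte for byte.
# Writing to a temp file and renaming it keeps authorized_keys valid at every instant.
remove_key() {
  pubkey="$1"; authkeys="$2"
  tmp="$(mktemp "${authkeys}.XXXXXX")"
  grep -vxF -- "$pubkey" "$authkeys" > "$tmp" || true   # grep exits 1 if nothing remains
  chmod 600 "$tmp"
  mv "$tmp" "$authkeys"
}

# Steps 2-5 together: append the key, wait TTL seconds (default 15) for the client to
# authenticate, then remove it. The EXIT trap in the subshell runs remove_key exactly once,
# whether the sleep finishes normally or the process is interrupted.
grant_temp_key() {
  pubkey="$1"; authkeys="$2"; ttl="${3:-15}"
  if key_authorised "$pubkey" "$authkeys"; then
    return 0   # a permanent entry already exists; leave it untouched
  fi
  mkdir -p "$(dirname "$authkeys")"
  ( umask 077; touch "$authkeys" )
  printf '%s\n' "$pubkey" >> "$authkeys"
  (
    trap 'remove_key "$pubkey" "$authkeys"' EXIT INT TERM
    sleep "$ttl"
  )
}

# Usage on a target host (as root): sh tempkey.sh USER 'ssh-ed25519 AAAA... comment' [TTL]
if [ "$#" -ge 2 ]; then
  home_dir="$(verify_user "$1")" || { echo "no such user or home dir: $1" >&2; exit 1; }
  grant_temp_key "$2" "$home_dir/.ssh/authorized_keys" "${3:-15}"
fi
```

Two points worth keeping in mind when using this pattern: sshd reads authorized_keys only at authentication time, so removing the line after the wait does not disconnect a session that already authenticated, and the wait must simply be long enough for the client's connection attempt to reach the key check (the script's 15 seconds). If the key is already present, the function returns without touching the file, so a permanently authorised key is never removed by the cleanup step.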

Thanks for the quick answer and great explanation!

Then I would close this issue (for now... :D)