[Bug 1904741] Re: Verify that domain returned from IMDS is an AWS domain
Balint Reczey
1904741 at bugs.launchpad.net
Tue Nov 24 16:06:49 UTC 2020
Verified on Bionic with 1.1.12+dfsg1-0ubuntu3~18.04.1:
ubuntu at ip-172-31-40-227:~$ dpkg -l ec2-instance-connect | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================-=============================-============-=============================================================
ii ec2-instance-connect 1.1.12+dfsg1-0ubuntu3~18.04.1 all Configures ssh daemon to accept EC2 Instance Connect ssh keys
ubuntu at ip-172-31-40-227:~$ bash -x /usr/share/ec2-instance-connect/eic_curl_authorized_keys ubuntu
+ set -e
+ umask 077
+ IMDS=http://169.254.169.254/latest/meta-data
...
++ /usr/bin/curl -s -f -m 1 -H 'X-aws-ec2-metadata-token: XXX==' http://169.254.169.254/latest/meta-data/services/domain/
+ domain=amazonaws.com
+ domain_exit=0
+ '[' 0 -ne 0 ']'
+ is_domain_valid=1
+ for valid_domain in amazonaws.com amazonaws.com.cn c2s.ic.gov sc2s.sgov.gov
+ '[' amazonaws.com = amazonaws.com ']'
+ is_domain_valid=0
+ break
+ '[' 0 -eq 1 ']'
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ec2-instance-connect in Ubuntu.
https://bugs.launchpad.net/bugs/1904741
Title:
Verify that domain returned from IMDS is an AWS domain
Status in ec2-instance-connect package in Ubuntu:
Fix Released
Status in ec2-instance-connect source package in Xenial:
Fix Committed
Status in ec2-instance-connect source package in Bionic:
Fix Committed
Status in ec2-instance-connect source package in Focal:
Fix Committed
Status in ec2-instance-connect source package in Groovy:
Fix Committed
Bug description:
[Impact]
The domain returned from IMDS is not verified to be an AWS domain.
[Test Cases]
0) Deploy an Amazon AWS instance with Instance Connect feature enabled
1) Connect to the instance using Instance Connect, for example by pressing the "Connect" button on the web UI.
2) Within a few tens of seconds of connecting run (assuming the ubuntu username):
bash -x /usr/share/ec2-instance-connect/eic_curl_authorized_keys ubuntu
3) The debug output should show successful validation:
...
++ /usr/bin/curl -s -f -m 1 -H 'X-aws-ec2-metadata-token: ...XXX...==' http://169.254.169.254/latest/meta-data/services/domain/
+ domain=amazonaws.com
+ domain_exit=0
+ '[' 0 -ne 0 ']'
+ is_domain_valid=1
+ for valid_domain in amazonaws.com amazonaws.com.cn c2s.ic.gov sc2s.sgov.gov
+ '[' amazonaws.com = amazonaws.com ']'
+ is_domain_valid=0
+ break
+ '[' 0 -eq 1 ']'
++ /usr/bin/printf managed-ssh-signer.%s.%s us-east-2 amazonaws.com
...
[Regression Potential]
The validation code can fail, preventing connection to the VM. Considering that this is a very small amount of code and looks OK, this is unlikely.
The validation could also falsely pass, but that would not be a regression since the validation was not there before.
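The check the bash -x trace in the test case walks through, written out as an added example so it can be exercised offline. This is not the eic_curl_authorized_keys script from the ec2-instance-connect package; the allowlist values, the curl flags and the managed-ssh-signer format are taken from the trace above, while the function names and the IMDS_TOKEN_TTL value are assumptions. The point of the exact-match loop is that lookalike domains such as amazonaws.com.evil.example or evilamazonaws.com, and an empty string from a failed curl, are all rejected before the signer host name is ever built.

```shell
#!/bin/sh
# Added example, not the package's own script. Factors the domain allowlist
# check from the bug's trace into functions; names are assumptions.
set -eu
umask 077

IMDS=http://169.254.169.254/latest/meta-data
IMDS_TOKEN_TTL=30   # assumed value; only used by the live fetch below

# Exact-match allowlist of AWS partition domains (the four from the trace).
# Returns 0 if DOMAIN is listed, 1 otherwise. Suffix and substring matches
# are deliberately not accepted, so "amazonaws.com.evil.example" fails.
eic_domain_is_valid() {
    domain=$1
    for valid_domain in amazonaws.com amazonaws.com.cn c2s.ic.gov sc2s.sgov.gov; do
        if [ "$domain" = "$valid_domain" ]; then
            return 0
        fi
    done
    return 1
}

# Build the signer host name only after the domain passes the allowlist.
# Prints "managed-ssh-signer.<region>.<domain>" and returns 0, or prints
# nothing and returns 1 (so a caller running under set -e aborts, which is
# the behaviour the trace relies on).
eic_signer_host() {
    region=$1
    domain=$2
    if [ -z "$domain" ] || ! eic_domain_is_valid "$domain"; then
        return 1
    fi
    printf 'managed-ssh-signer.%s.%s\n' "$region" "$domain"
}

# Live fetch, only meaningful on an EC2 instance and not exercised offline.
# Mirrors the trace: an IMDSv2 token, then services/domain with -s -f -m 1,
# so a failure yields an empty string and a non-zero status instead of an
# HTML error body that could slip into the comparison.
eic_fetch_domain() {
    token=$(curl -s -f -m 1 -X PUT \
        -H "X-aws-ec2-metadata-token-ttl-seconds: $IMDS_TOKEN_TTL" \
        http://169.254.169.254/latest/api/token)
    curl -s -f -m 1 -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/services/domain/"
}
```

On a real instance the three pieces chain as `eic_signer_host "$region" "$(eic_fetch_domain)"`; because eic_fetch_domain prints nothing on a curl failure, the empty-domain branch in eic_signer_host is what turns a metadata timeout into a refused lookup rather than a host name built from garbage.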