[ec2-beta] some feedback on the i386 image

Eric Hammond ehammond at thinksome.com
Mon Jan 12 21:50:23 GMT 2009


Kees:

Cool approach for copying a password.

Unfortunately on EC2 there is neither an initial password to copy, nor a
place to put one securely, nor a place to put the software to do the
copying (presuming users are running instances with the standard tools
out there).

Keep the ideas coming and feel free to challenge my assumptions.  I've
probably been at this too long to recognize the truly innovative solution.


Semi-related point: Though we use Ubuntu on our desktops, we should keep
in mind that a large percentage of users are running Ubuntu on EC2 from
their Windows and Mac desktops.

--
Eric Hammond
ehammond at thinksome.com



Kees Cook wrote:
> On Mon, Jan 12, 2009 at 05:03:36PM +0000, Mark Shuttleworth wrote:
>> Eric Hammond wrote:
>>> I really like being able to type "ec2intrepid" or "ec2hardy" (custom
>>> commands) and within a minute be ssh'd in to a brand new Ubuntu instance
>>> on EC2.  Going through extra prompts and having to re-connect gets old,
>>> especially if I have to jot down new passwords every time.
>>>   
>> It should be possible to have the password setup so that it's consistent
>> across your machines. One would not want to have to store the credential
>> itself, but it might be possible to store the passwd entry (salted,
>> crypted or hashed) and re-use that across machines.
> 
> Yeah, pushing the encrypted passwords around shouldn't be a problem.  I
> would recommend "chpasswd -e", which will read stdin for
> 
> user:password
> 
> (where "password" is the encrypted (-e) password)
> 
> For example, to clone the "bilbo" user's password from one machine to
> another (after the initial root login/setup):
> 
> TOCOPY=bilbo
> ssh -i /my/key.pem root@ec2-instance-master \
>     "grep ^$TOCOPY: /etc/shadow | cut -d: -f-2" | \
>     ssh -i /my/key.pem root@ec2-instance-secondary "chpasswd -e"
> 
>> Soren, any comments? Do we have any representatives of the Ubuntu
>> security team on this list?
> 
> We're all here, yup.  :)
> 
> -Kees
> 
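
An added example, not part of the original thread and not any poster's code: a POSIX shell helper that extracts the user:hash pair "chpasswd -e" reads on stdin from a shadow-format file, and refuses entries whose hash field is empty or starts with "!" or "*" (no usable password). The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format; the hashes are placeholders.
make_sample_shadow() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:!:14256:0:99999:7:::
bilbo:$6$CONSTRUCTEDSALT$ConstructedHashValue:14256:0:99999:7:::
bilbo2:$6$OTHERSALT$OtherConstructedHash:14256:0:99999:7:::
frodo:*:14256:0:99999:7:::
EOF
    printf '%s\n' "$f"
}

# shadow_entry FILE USER
# Print "user:hash" for USER from a shadow-format FILE, ready to be piped
# to "chpasswd -e". Returns non-zero if the user is missing or the hash
# field is empty or begins with "!" or "*".
shadow_entry() {
    file=$1
    user=$2
    # Only accept plain user names, so nothing odd reaches awk or the output.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "bad user name" >&2; return 2 ;;
    esac
    # Exact string match on field 1, then keep only the first two fields.
    entry=$(awk -F: -v u="$user" '$1 == u { print $1 ":" $2; exit }' "$file")
    [ -n "$entry" ] || { echo "no such user: $user" >&2; return 1; }
    hash=${entry#*:}
    case $hash in
        ''|'!'*|'*'*) echo "no usable password hash for $user" >&2; return 1 ;;
    esac
    printf '%s\n' "$entry"
}

# Demo on the constructed file; on real hosts the output would be piped
# over ssh into "chpasswd -e" on the receiving machine.
sample=$(make_sample_shadow)
shadow_entry "$sample" bilbo
rm -f "$sample"
```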



