[ec2-beta] document: EC2 Ubuntu sudo Guide

Jim Cheetham jim at inode.co.nz
Sun Mar 8 07:29:58 GMT 2009 

On Sun, Mar 8, 2009 at 3:50 PM, Mark V <mvyver at gmail.com> wrote:
> On Sun, Mar 8, 2009 at 9:39 AM, Jim Cheetham <jim at inode.co.nz> wrote:
>> On Sun, Mar 8, 2009 at 8:04 AM, Michael Greenly <mgreenly at gmail.com> wrote:
>>> Does anyone have really good justification for being forced into sudoing
>>> through the ubuntu user?  I can come up with a few fantasy scenearios
> My initial reaction to seeing the ubuntu user was the same - eew :)

Well, the use of a non-root 'admin' user is just part of the standard
Ubuntu setup. I don't think that this should ever change for an AMI
image of Ubuntu (provided by Ubuntu or Canonical, that is), unless it
has already changed as part of the base OS, that is. Given that the
AMIs are 'post-installation', the choice of the administrative user
has already been made, and it's 'ubuntu' rather than your own name ...

Perhaps I'm missing something in this conversation here; what are you
using the Ubuntu AMI images for? Do you want to run them directly, or
use them as the base for your own images? If you are going to
customise and make your own images, then if you find something you
don't like, change it :-)

> Reading Eric's notes and the comments below it seems that extra
> security is being added at the wrong level.

If there's something *specific* to EC2 about your suggestion, then
it's relevant. Obscuring the ssh port in this way doesn't seem to be
especially specific to EC2 -- it is of some value, but is essentially
only security by obscurity (not that there's anything wrong with that,
used as an extra layer -- just don't use it as the only layer of
defence!). All SPA does in terms of information theory is increase the
amount of secret data that must be known/presented before getting that
all-important shell prompt.

> Hopefully fwknop support can be built in by default - ideally it'd
> become the AWS's recommended (Linux) practice :)
> Of course people (Canonical?) may not want admin's to have to run some
> SPA/fwknop client script before ssh'ing, in which case perhaps a
> Ubuntu server config option could be 'fwknop protected ssh login'?

fwknop doesn't seem to be packaged for either Debian or Ubuntu yet, so
that's the first step. No point considering it for official AMIs if it
isn't even packaged for the OS yet :-)

-jim

More information about the Ec2-beta mailing list