[ec2-beta] document: EC2 Ubuntu sudo Guide

[Mark V]

On Sun, Mar 8, 2009 at 6:29 PM, Jim Cheetham <jim at inode.co.nz> wrote:
> On Sun, Mar 8, 2009 at 3:50 PM, Mark V <mvyver at gmail.com> wrote:
>> On Sun, Mar 8, 2009 at 9:39 AM, Jim Cheetham <jim at inode.co.nz> wrote:
>>> On Sun, Mar 8, 2009 at 8:04 AM, Michael Greenly <mgreenly at gmail.com> wrote:
>>>> Does anyone have really good justification for being forced into sudoing
>>>> through the ubuntu user?  I can come up with a few fantasy scenearios
>> My initial reaction to seeing the ubuntu user was the same - eew :)
>
> Well, the use of a non-root 'admin' user is just part of the standard
> Ubuntu setup. I don't think that this should ever change for an AMI
> image of Ubuntu (provided by Ubuntu or Canonical, that is), unless it
> has already changed as part of the base OS, that is. Given that the
> AMIs are 'post-installation', the choice of the administrative user
> has already been made, and it's 'ubuntu' rather than your own name ...
>

That is fine.  Ubuntu is Ubuntu/Debian.  It does seem ironic though
that one swaps 'ubuntu' for 'root' as well known user name.  But this
seems purely to fit with Ubuntu's choices - which is understandable.
It does raise the question: Is the EC2 cloud environment sufficiently
different to _contemplate_ re-examining some of these earlier choices?
It appears the view here is there is nothing to debate, so is this
being debated anywhere else in the Ubuntu community?

I should have been clearer in my 'eew' comment:  I didn't feel
comfortable seeing the 'ubuntu' password printed on my terminal.
Yes I can work around this.

I'm evaluating Ubuntu AMI's as the base for my images, and I want to
understand both how and why it is different from any other.

> Perhaps I'm missing something in this conversation here; what are you
> using the Ubuntu AMI images for? Do you want to run them directly, or
> use them as the base for your own images? If you are going to
> customise and make your own images, then if you find something you
> don't like, change it :-)
>

Both actually so I'm looking for the distro with the smallest change
set to allow me to do both.

>> Reading Eric's notes and the comments below it seems that extra
>> security is being added at the wrong level.
>
> If there's something *specific* to EC2 about your suggestion, then
> it's relevant.

I thought my suggestion (snipped) was very EC2 specific....

> Obscuring the ssh port in this way doesn't seem to be
> especially specific to EC2 -- it is of some value, but is essentially

OK, I assumed to much.
I think 'obscuring the ssh port' would be changing it from 22 to some
other number.
fwknop does not rely only on this, though you can change the port
fwknop opens.  It seems to me that fwknop does much, much more.

You can't, or it is not easy to, use fwknop's GPG encryption of the
authentication packet within EC2.  Michael showed in the proof of
concept how to do this in the EC2 environment.
As the blog post *title* indicates it is *specific* to EC2.
I think the Q of how EC2 specific things become depends on the
'integration points' mentioned.

> only security by obscurity (not that there's anything wrong with that,
> used as an extra layer -- just don't use it as the only layer of
> defence!).

I don't think I suggested that.  In fact I suggested fwknop as a
solution to the observation that ssh attacks were the point of
concern.  I agree there is some security through obscurity.  But I do
wonder if
ssh -i key ubuntu@<ec2>

is more secure than

ssh -i key root@<ec2>

> All SPA does in terms of information theory is increase the
> amount of secret data that must be known/presented before getting that
> all-important shell prompt.
>
>> Hopefully fwknop support can be built in by default - ideally it'd
>> become the AWS's recommended (Linux) practice :)
>> Of course people (Canonical?) may not want admin's to have to run some
>> SPA/fwknop client script before ssh'ing, in which case perhaps a
>> Ubuntu server config option could be 'fwknop protected ssh login'?
>
> fwknop doesn't seem to be packaged for either Debian or Ubuntu yet, so
> that's the first step. No point considering it for official AMIs if it
> isn't even packaged for the OS yet :-)
>

As I said I don't yet regularly use Ubuntu/Debian. Nonetheless it
seems this lack of support may be changing.
This bog post was linked to at the bottom of the page I pointed to"
"fwknop Uploaded to Debian Sid".
Perhaps a Ubuntu guru can indicate what that means for Ubuntu?

Anyway, time to move on.

HTH

Mark

> -jim
>