[Bug 1029355] Re: euca-add-keypair could overwrite key files if the key is already added

Scott Moser smoser at ubuntu.com
Thu Jul 26 15:04:52 UTC 2012


Hi, I've moved this from cloud-utils to euca2ools, since that is where
euca-add-keypair comes from.

The thing that makes this really unfixable is
 * once the shell opens (via '>'), the local copy of the private key is already lost, which means
 * in order for euca2ools to write it to stdout, it would have to know the private key, and that would mean the *server* would have to know the private key.  In general, that's a bad idea.  While it's possible that EC2 or Eucalyptus keep a copy of your private key, you do not really want them to.

The best solution to your problem then, is either:
a.) use euca-import-keypair, which allows you to import existing keypairs rather than dynamically creating a new one, *and* means the server never sees your private key at all.
b.) use a wrapper script around euca-add-keypair
  You should do this anyway; at the very least your pasted command *should* look more like:
 umask 066 && euca-add-keypair "$USERNAME" > "$USERNAME.key"
or perhaps:
 euca-describe-keypairs "$USERNAME" || (umask 066 && euca-add-keypair "$USERNAME" > "$USERNAME.key" )

The umask is important to avoid a small period of time where permissions
are likely 644.

** Package changed: cloud-utils (Ubuntu) => euca2ools (Ubuntu)

** Changed in: euca2ools (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: euca2ools (Ubuntu)
       Status: New => Incomplete

** Changed in: euca2ools (Ubuntu)
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to euca2ools in Ubuntu.
https://bugs.launchpad.net/bugs/1029355

Title:
  euca-add-keypair could overwrite key files if the key is already added

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/euca2ools/+bug/1029355/+subscriptions



More information about the Ubuntu-server-bugs mailing list
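The wrapper-script approach from option b.) above, as an added example that is not part of euca2ools or of the bug report: the key file is created with a restrictive umask so it is never 0644, an existing key file is never overwritten, and a failed generator run (for instance because the keypair already exists on the server) leaves no empty file behind. The GENERATOR parameter is an assumption made here so the function can be exercised with a stand-in command; in real use it defaults to euca-add-keypair.

```shell
#!/bin/sh
# Added example (not euca2ools code): safe_keypair NAME [GENERATOR]
# GENERATOR prints the private key to stdout; defaults to euca-add-keypair.

safe_keypair() {
    name=$1
    gen=${2:-euca-add-keypair}
    keyfile="$name.key"
    tmpfile="$keyfile.$$.tmp"

    # The private key printed by euca-add-keypair is the only copy there will
    # ever be, so an overwritten file is unrecoverable: refuse early. This is
    # only a cheap pre-check; the ln(1) below is the authoritative one.
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing $keyfile" >&2
        return 1
    fi

    # umask 077 inside a subshell: the temp file is 0600 from the moment the
    # shell opens it (no window where it is 0644), and the caller's umask is
    # left untouched. umask 066 as in the mail gives the same 0600 for files.
    if ! ( umask 077; "$gen" "$name" > "$tmpfile" ) || [ ! -s "$tmpfile" ]; then
        # The shell created the file before the generator failed (e.g. the
        # keypair already exists on the server); do not leave an empty key.
        rm -f -- "$tmpfile"
        echo "key generation for $name failed; nothing written" >&2
        return 1
    fi

    # ln(1) fails if the target already exists, so publishing the key under
    # its final name is atomic: no check-then-write race with another process.
    if ! ln -- "$tmpfile" "$keyfile"; then
        echo "$keyfile appeared meanwhile; new key left in $tmpfile" >&2
        return 1
    fi
    rm -f -- "$tmpfile"

    # Print the resulting mode so the caller can see the file is private.
    ls -l -- "$keyfile" | cut -c1-10
}
```

Call it as `safe_keypair "$USERNAME"` in place of the bare `euca-add-keypair "$USERNAME" > "$USERNAME.key"` redirection.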