[ubuntu-server] Trying Ubuntu Server in Amazon EC2

Clint Byrum clint at ubuntu.com
Tue Oct 12 15:26:46 UTC 2010

On Oct 11, 2010, at 9:20 PM, Neal McBurnett wrote:

> On Mon, Oct 11, 2010 at 10:50:21PM -0400, Scott Moser wrote:
>> On Mon, 11 Oct 2010, Eric Hammond wrote:
>>> On 10/11/2010 06:24 PM, Scott Moser wrote:
>>>> It is in the FAQ.
>>> I'm probably sounding like a broken record to you, but as a general rule, I
>>> don't believe that people read documentation when it looks like they can
>>> accomplish what they want without it.  Best to not have surprises or confusing
>>> features if you can avoid it, and in this case, it sounds like you can.
>> Again, it's configurable.  We wanted the experience to be as smooth as
>> possible.  You brought up yourself that you didn't think the experience
>> would be smooth for people without a launchpad account.  We wanted to give
>> a large number of people the ability to see Ubuntu server (on ec2) in
>> action.  That was the primary goal.  The changes to the default settings
>> were done in the most secure way we could think of and still achieve that
>> goal.
> I agree pretty strongly with Eric here.  This just raises so many red
> flags that don't need to be raised, and puts Canonical in a bad light
> that will take a long time to undo.
>>>> The primary reason for
>>>> launching with a key was so we could debug if necessary, and explicitly so
>>>> that if the user was locked out (ie, no access to their published
>>>> launchpad keys), then we could ssh in, set a onetime password and show
>>>> that to the user.
>>> I believe it's better to err on the side of security than convenience here.
>>> This is how Amazon does it with EC2 in the larger scheme of things.  If you
>>> lock yourself out, they cannot help you get access to your box no matter how
>>> important it is to you (generally).  That's how important your security is to
>>> them and I'd love to see Canonical continue this level of trust.
>> I would never suggest this for the base images.  Canonical will never
>> insert back doors into Ubuntu EC2 images or *any* Ubuntu delivery.
> How is this not a back door in an Ubuntu delivery?

I'm not so sure we can call this an "Ubuntu delivery".

Canonical is paying for an instance for 55 minutes, and giving users
root on it. We're even trying to avoid accepting any private
information from the user on the instance by using SSH keys. Just
like Zipcar puts a GPS tracker on their short-term-use rental cars
and limits where you can go, so we put some limitations on it as well.
Meanwhile you have every option to remove this backdoor, and abuse
Canonical's AWS account by sending copious amounts of spam, hosting
massive video files, or any number of other things. With the Canonical
key, we can log in and verify that what you're doing is legit; without
it, we're just going to terminate your instance.

But to call it a delivery is a stretch. There is no mechanism for
"turn this into a permanent instance", other than pulling the data
off yourself. So this server is going to die, no matter what, and
as such, I doubt users will expect it to be 100% theirs. Putting
the list of differences from a normal EC2 instance in the documentation
that nobody reads is probably fine, as those who want to do
something more with it will probably end up reading said documentation.

All of that said, I actually think that the backdoor is kind of
pointless. With the options available in cloud-init, awstrial can
stick the random password in for the users that don't have keys.
The argument I made above is pretty thin, and I think I'd rather
see us just terminate aggressively than waste time verifying anything.
And as someone else stated, with a 55 minute window, there's not
really much time to log in and support the user.

I opened this bug suggesting that awstrial not install any keys not
specifically requested by the user:

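As an added illustration (not part of the message above, and not awstrial's real configuration), this is the kind of cloud-config the message is pointing at: the launcher installs only the SSH keys the user asked for, and for a user who supplied no key it lets cloud-init set a random one-time password instead of installing any operator key. The option names (`users`, `ssh_authorized_keys`, `chpasswd`, `ssh_pwauth`, `disable_root`) are taken from current cloud-init documentation; the thread does not say which of them the 2010 cloud-init offered, so treat that as an assumption, as are the placeholder key string and the user name.

```yaml
#cloud-config
# Illustrative only: assumed option names from current cloud-init docs,
# not awstrial's actual config and not necessarily what 2010 cloud-init had.

# Create the login user with exactly the keys the user submitted and nothing
# else. Leaving out any launcher-side key is the whole point of this example.
users:
  - name: ubuntu                       # assumed user name
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    lock_passwd: false                 # must be false for the password path below
    ssh_authorized_keys:
      - "ssh-rsa AAAAB3...PLACEHOLDER... user@example"   # placeholder, user-supplied

# Only for the "user has no key" case: cloud-init generates a random password
# and, per its documented behaviour, writes it to the instance console log,
# which the launcher can show to the user without anyone logging in first.
# 'expire: true' forces a change on first login, so the shown value is one-time.
# For a user who did supply a key, omit chpasswd and keep ssh_pwauth false.
chpasswd:
  list: |
    ubuntu:RANDOM
  expire: true
ssh_pwauth: true

# Keep direct root login over SSH disabled either way.
disable_root: true
```

The two cases differ only in whether `chpasswd` and `ssh_pwauth: true` are emitted; a launcher would template that on "did the user give us a key", so no configuration ever contains a key the user did not choose.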
