
Re: EC2 images

On 4 July 2013 16:59, Tormod Ryeng <tormod@tormod.no> wrote:
> On 07/04/2013 04:44 PM, Anders Ingemann wrote:
>> On 4 July 2013 16:37, Tormod Ryeng <tormod@tormod.no> wrote:
>>> The AWS EC2 AMIs on
>>> https://aws.amazon.com/marketplace/seller-profile/ref=srh_res_product_vendor?ie=UTF8&id=890be55d-32d8-4bc8-9042-2b4fd83064d5
>>> (linked to from http://wiki.debian.org/Cloud/AmazonEC2Image) give the same
>>> ECDSA key fingerprint for every instance when SSHing to the instances. The
>>> host keys should be generated during the first boot-up of the instance, but
>>> seem to be static.
>>> I would assume that anyone using e.g. ami-ddbeafa9 gets the fingerprint
>>> f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc.
>>> We've only tested the eu-west 64-bit AMI and some of the RightScale images
>>> listed on the wiki, and they've all had the same problem.
>>> I don't know whether this is a bug in the tools used to create the images or
>>> not.
>> Whoa, that is weird, to say the least.
>> I remove the keys when creating the AMI
>> (https://github.com/andsens/build-debian-cloud/blob/master/tasks/60-cleanup)
>> and create new ones at first boot
>> (https://github.com/andsens/build-debian-cloud/blob/master/init.d/generate-ssh-hostkeys).
>> Do we have an entropy problem?!?!
> Ah, that's probably the bug, right there. I guess you'll need to remove and
> generate /etc/ssh/ssh_host_ecdsa_key as well?
> admin@ip-10-227-121-70:/etc/ssh$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key
> 256 f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc root@domU-12-31-39-0A-91-E9 (ECDSA)
> --
> Regards,
> Tormod Ryeng

I created a pull request to my own repo:
The reason for that is that it's 00:21 in Denmark. Also I'm currently
a bit drunk from an event at work and I am sure that the Ballmer peak
feels different :-)
I would welcome anybody's effort to verify that it works (and also if
the bug is fixed). If so, I'll merge in the morning.

*Added Jimmy to list of recipients.
Jimmy and James: I would say this requires us to retract any existing
wheezy images out there and issue a statement about a potential
security risk when using Elliptic Curve cryptography to verify an SSH
host, i.e. hosts can be spoofed.

To fix it on existing machines, one can run:
rm /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -t ecdsa -C 'host' -N ''

@debian-security: What is the procedure here? Should this thread be hidden
from the public mailing list for a while or do we just keep this
information accessible?
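
Added example, not part of the original message and not code from build-debian-cloud: a shell version of the two checks the thread implies, scrubbing every `ssh_host_*` key from an image root by glob rather than by algorithm name, and testing a running instance for the shared fingerprint quoted above. The function names and the image-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example; paths follow the /etc/ssh layout named in the thread.

# MD5 fingerprint the thread reports for the ECDSA key baked into the image.
SHARED_FP='f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc'

# Print every host key file (any algorithm, private or public) under
# ROOT/etc/ssh. Globbing avoids missing a key type added later, which is
# how the ECDSA key escaped a cleanup written for other key types.
list_host_keys() {
    root=${1:-}
    for f in "$root"/etc/ssh/ssh_host_*key "$root"/etc/ssh/ssh_host_*key.pub; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Image build step: delete all host keys so first boot has to create new
# ones. Returns non-zero if any key file survives, so a build can fail
# instead of publishing an image with a shared key.
scrub_image_keys() {
    root=$1
    list_host_keys "$root" | while IFS= read -r f; do
        rm -f -- "$f"
    done
    [ -z "$(list_host_keys "$root")" ]
}

# Running instance: succeed if the ECDSA host key matches the shared
# fingerprint. Newer ssh-keygen needs -E md5 to print the colon-separated
# form; older releases print it by default and reject -E.
has_shared_key() {
    key=${1:-/etc/ssh/ssh_host_ecdsa_key.pub}
    {
        ssh-keygen -E md5 -lf "$key" 2>/dev/null ||
            ssh-keygen -lf "$key" 2>/dev/null
    } | grep -qF "$SHARED_FP"
}
```

When `has_shared_key` succeeds on an instance, the two commands in the message above replace the key; sshd loads host keys at startup, so it has to be restarted before the new key is served.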
