
Re: EC2 images



On 4 July 2013 16:59, Tormod Ryeng <tormod@tormod.no> wrote:
> On 07/04/2013 04:44 PM, Anders Ingemann wrote:
>>
>> On 4 July 2013 16:37, Tormod Ryeng <tormod@tormod.no> wrote:
>>>
>>> The AWS EC2 AMIs on
>>> https://aws.amazon.com/marketplace/seller-profile/ref=srh_res_product_vendor?ie=UTF8&id=890be55d-32d8-4bc8-9042-2b4fd83064d5
>>> (linked to from http://wiki.debian.org/Cloud/AmazonEC2Image) give the same
>>> ECDSA key fingerprint for every instance when SSHing to the instances. The
>>> host keys should be generated during the first boot-up of the instance, but
>>> seem to be static.
>>>
>>> I would assume that anyone using e.g. ami-ddbeafa9 gets the fingerprint
>>> f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc.
>>>
>>> We've only tested the eu-west 64-bit AMI and some of the RightScale images
>>> listed on the wiki, and they've all had the same problem.
>>>
>>> I don't know whether this is a bug in the tools used to create the images or
>>> not.
>
>
>> Whoa, that is weird, to say the least.
>> I remove the keys when creating the AMI
>> (https://github.com/andsens/build-debian-cloud/blob/master/tasks/60-cleanup)
>> and create new ones at first boot
>> (https://github.com/andsens/build-debian-cloud/blob/master/init.d/generate-ssh-hostkeys).
>> Do we have an entropy problem?!?!
>
>
> Ah, that's probably the bug, right there. I guess you'll need to remove and
> generate /etc/ssh/ssh_host_ecdsa_key as well?
>
> admin@ip-10-227-121-70:/etc/ssh$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key
> 256 f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc root@domU-12-31-39-0A-91-E9 (ECDSA)
>
> --
> Regards,
> Tormod Ryeng

I created a pull request to my own repo:
https://github.com/andsens/build-debian-cloud/pull/79
The reason for that is that it's 00:21 in Denmark. Also I'm currently
a bit drunk from an event at work and I am sure that the Ballmer peak
feels different :-)
I would welcome anybody's effort to verify that it works (and also if
the bug is fixed). If so, I'll merge in the morning.

*added jimmy to list of recipients.
Jimmy and James: I would say this requires us to retract any existing
wheezy images out there and issue a statement about a potential
security risk when using Elliptic Curve cryptography to verify an SSH
host, i.e. hosts can be spoofed.

To fix it on existing machines, one can run:
rm /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -t ecdsa -C 'host' -N ''

@debian-security: What is the procedure here? Should this thread be hidden
from the public mailing list for a while or do we just keep this
information accessible?

