Re: Experiences with AWS's EC2 Instance Connect and Debian?

To: paul <paul@zot.org>, "debian-cloud@lists.debian.org" <debian-cloud@lists.debian.org>
Subject: Re: Experiences with AWS's EC2 Instance Connect and Debian?
From: Jose Miguel Parrella <joseparrella@gmail.com>
Date: Tue, 13 Aug 2019 01:45:31 +0000
Message-id: <[🔎] MWHPR11MB1261E02B187854BAF7447919B6D20@MWHPR11MB1261.namprd11.prod.outlook.com>
In-reply-to: <8363f64e-daeb-3ac9-c642-fa171df84525@zot.org>
References: <8363f64e-daeb-3ac9-c642-fa171df84525@zot.org>

It's a mixed bag, from what I've seen.

Google, AWS and Azure all have different ways of doing this: SSH external commands [1], standalone daemons [2], PAM/NSS modules [3][4], in addition to bring and use your own domain server [5].

Identity can range from baked in to provisioned just-in-time with all sorts of custom logic, relying on cloud-init, etc.

Like everything else, there's a group of people that will reimage instead of SSH in, another group that will use an SSH CA for auditing, another that needs consistent uid/gid for file shares... and anything in between.

[1] https://github.com/aws/aws-ec2-instance-connect-config
[2] https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine/google_compute_engine/accounts
[3] https://packages.microsoft.com/ubuntu/18.10/prod/pool/main/a/aadlogin/
[4] https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/google-compute-engine-oslogin
[5] https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-rhel-linux-vm

________________________________________
From: paul <paul@zot.org>
Sent: Sunday, July 21, 2019 7:36 PM
To: debian-cloud@lists.debian.org
Subject: Experiences with AWS's EC2 Instance Connect and Debian?

Hi all,

I'm looking for a better way to manage SSH users and saw EC2 Instance
Connect which is apparently the way the world is going, but it only
officially supports Amazon Linux and Ubuntu. My current method for
distributing users is baking them into the SOE and (piecemeal) updating
later with Ansible. It's a little mucky.

https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.aws.amazon.com%2FAWSEC2%2Flatest%2FUserGuide%2Fec2-instance-connect-set-up.html&amp;data=02%7C01%7C%7Cb08fbb854dab49f2eed908d70e4d7801%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636993598192558316&amp;sdata=BlxhEjKjqUNlTXCbhRocl4uq4bCjEXr91GRMnfcIDj8%3D&amp;reserved=0

Are any listizens currently using EC2 Instance Connect with Debian? I'm
curious to know your thoughts. It looks a little needlessly complex but
it would mean managing users in IAM only instead of IAM + Ansible for me.

Cheers,

Paul Morahan

Reply to:

Prev by Date: Re: Debian Cloud Sprint Fall 2019
Next by Date: Bug#931173: Configuring static networking via NoCloud with Network Config Version 2 does not work
Previous by thread: Re: Experiences with AWS's EC2 Instance Connect and Debian?
Next by thread: Processed: closing 934274
Index(es):
- Date
- Thread