Re: Permitting login on AWS serial console
On Tue, Oct 05, 2021 at 06:55:19PM +0100, Phil Endecott wrote:
>
> What is the recommended way to permit login on the AWS serial
> console? I hesitate to try to work it out by trial and error,
> since a mistake could either leave me unable to log in at all
> or leave the instance insecure.
It looks like you need to configure access to the AWS serial console,
so you can use Amazon's IAM policies to control which users have access
to the serial console, which is off by default:
Access to the serial console is not available by default. Your
organization must grant account access to the serial console and
configure IAM policies to grant your users access to the serial
console. Serial console access can be controlled at a granular
level by using instance IDs, resource tags, and other IAM levers.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-serial-console.html
(FWIW this is true for Google Cloud as well).
So it's unlikely you will leave the instance insecure, unless there
are some pretty serious IAM policy mistakes (or AWS keys being checked
into public github repos, etc.), in which case you may have much
larger issues. :-)
If you are willing to rely solely on the cloud provider's serial
console access policies, you can eliminate the need to type the root
password via something like this:
sed -i -e '/ExecStart/s/agetty/agetty -a root/' \
-e '/ExecStart/s/-p/-p -f/' \
/lib/systemd/system/serial-getty@.service
Since this is independent of how you can login to the instance via
ssh, you can experiment with this without worrying too much about
screwing anything up. And of course, if you do this on a test
instance, if something does go wrong, there's nothing precious on it,
so you can just kill it and try again.
Cheers,
- Ted