
security issue with AMI?
Reported by Brian Pratt | April 28th, 2009 @ 12:47 PM | in high priority
I note that ./root/.ssh/authorized_keys, in addition to my own key, contains this:
ssh-rsa snip...3qyG8x bbc-keypair
which, I think, means root access for this key's owner on any running VipDAC instance.
Comments and changes to this ticket
-
jgeiger April 28th, 2009 @ 01:21 PM
- State changed from new to resolved
- Milestone set to high priority
That public key is owned by me, and should have been removed on build. I've updated the build script in the source code to remove the key on cleanup.
While it technically does allow me access to your running instance, I would have to know the IP/DNS name provided by Amazon when it was launched, which is near impossible unless you provide that information to me.
Thank you for the report.
-
Brian Pratt April 28th, 2009 @ 01:49 PM
Yeah, a pretty minimal risk - I just thought you'd want to know before some end user freaks out about finding a backdoor on their system. Perceptions around security issues are something we need to be pretty tweaky about when building public AMIs if we want folks to embrace the cloud.
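The leftover-key condition reported in this ticket can be checked on an unpacked image tree before it is published. This is an added example, not part of the ticket or of the VipDAC build script; the function name, the image root argument and the allowlist format (one base64 key blob per line) are assumptions.

```shell
#!/bin/sh
# Added example: report authorized_keys entries in an unpacked image tree
# whose key blob is not on an allowlist. All names here are assumptions.

# audit_authorized_keys IMAGE_ROOT ALLOWLIST
#   ALLOWLIST: file with one base64 key blob per line; pass /dev/null for a
#   public image that should ship with no keys at all.
#   Prints "file: keytype comment" per unexpected key; returns 1 if any found.
audit_authorized_keys() {
    image_root=$1
    allowlist=$2
    found=0
    # Collect paths first so the loop runs in this shell, not a subshell.
    files=$(find "$image_root" -type f \
        \( -name authorized_keys -o -name authorized_keys2 \) 2>/dev/null)
    old_ifs=$IFS
    IFS='
'
    for f in $files; do
        hits=$(awk -v allow="$allowlist" -v file="$f" '
            BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
            /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
            {
                # Options may precede the key type, so scan for the type
                # field; the blob is the field right after it.
                for (i = 1; i < NF; i++) {
                    if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) {
                        if (!($(i + 1) in ok))
                            print file ": " $i " " $(i + 2)
                        next
                    }
                }
            }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    IFS=$old_ifs
    return $found
}
```

The field scan does not parse quoted option strings that contain spaces, so an options value that itself begins with a key-type name would be misread.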
Virtual Proteomics Data Analysis Cluster