search

buildkite / elastic-ci-stack-for-aws

An auto-scaling cluster of build agents running in your own AWS VPC
https://buildkite.com/docs/quickstart/elastic-ci-stack-aws
MIT License
417 stars 275 forks source link

Revisiting Issue #544: Packer SSH Key Not Fully Removed #1311

Closed Gezi-lzq closed 6 months ago

Gezi-lzq commented 7 months ago

Describe the bug

The SSH key generated by Packer for provisioning is not being completely removed from the authorized_keys file. This issue was believed to have been addressed in Issue #544 but persists due to the key's presence in the root account's authorized_keys, not just the ec2-user. This incomplete removal contravenes the security policies intended for AMIs.

Steps To Reproduce

To observe the behavior indicative of this issue, one can follow these steps:

Use Packer to provision an AMI.

Access the provisioned instance. Navigate to the ~/.ssh/authorized_keys file for both ec2-user and root. Notice the Packer-generated SSH key remains in the root's authorized_keys.

Expected behavior

The expected behavior was that all Packer-generated SSH keys would be removed from all authorized_keys files (including both ec2-user and root accounts) upon the completion of the provisioning process, leaving no residual keys behind.

Actual behaviour

The actual behavior observed was that while the Packer-generated SSH key was removed from the ec2-user's authorized_keys file, it remained in the root's authorized_keys file, posing a potential security risk.

Solution Approach

To effectively address this issue, it is recommended to leverage the ssh_clear_authorized_keys feature, enabling Packer to automatically remove its temporary SSH key.

Reference: https://developer.hashicorp.com/packer/docs/communicators/ssh

ssh_clear_authorized_keys (bool) - If true, Packer will attempt to remove its temporary key from ~/.ssh/authorized_keys and /root/.ssh/authorized_keys. This is a mostly cosmetic option, since Packer will delete the temporary private key from the host system regardless of whether this is set to true (unless the user has set the -debug flag). Defaults to "false"; currently only works on guests with sed installed.

(As a newcomer to open source, I found the previous issue while searching for a Packer solution, realizing the fix might be incorrect. This prompted me to submit this issue for reassessment.)

Gezi-lzq commented 7 months ago

@lox

dabarrell commented 7 months ago

Thanks for raising this, @Gezi-lzq! Lox no longer works at Buildkite, but we're happy to take a look at this for you – I'll comment on your PR directly re the change

123sarahj123 commented 6 months ago

Hello :)

We have your fix over in this branch (made it easier on our end in this case to get it tested / merged)

https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1316