Open gwright99 opened 2 days ago
There are two methods we get OpenSSH onto the Tower host VM:
The init script does not install openssh, so this means we are leveraging the active package that comes natively with the AMI.
Rely on native upstream patching by Amazon.
This relies on AWS releasing a new AMI and client sites running terraform apply
again to pull a new AMI data source. Clients running with a container DB will lose their DB as part of the AMI upgrade process.
Restrict SSH ingress CIDRs. This feature is already exposed by the solution. The default value is quite loose, but can be easily restricted to a tighter set of CIDRs. Furthermore, clients using an Instance Connect Endpoint implementation have additional defenses provided by AWS IAM permissions.
Patch existing OpenSSH on server.
This could be done by modifying the supplied AWS Launch Template or (potentially) running a command on the existing VM.
The Launch Template solution will require the recreation of the VM, putting container DB implementations at risk.
The in-place command (? sudo update openssh-server
?) could be a good short-term fix but I do not yet know the command necessary / if we have access to a patched version.
How to check the version of the OpenSSH server running:
ssh
onto target VM.ssh -V
Example:
$ ssh -V
OpenSSH_8.7p1, OpenSSL 3.0.8 7 Feb 2023
For new deployments, we will get updates since you are not pinning a specific version: https://github.com/seqeralabs/cx-field-tools-installer/blob/49646cf5b020a0d4a9816cb2238da8858cf0fd7a/006_ec2.tf#L11C13-L11C28 When it is already deployed, option 3 should be used. Amazon recommends how to do that: https://docs.aws.amazon.com/linux/al2023/ug/updating.html. It can also be managed from the SSM side.
For new deployments, we will get updates since you are not pinning a specific version: https://github.com/seqeralabs/cx-field-tools-installer/blob/49646cf5b020a0d4a9816cb2238da8858cf0fd7a/006_ec2.tf#L11C13-L11C28 When it is already deployed, option 3 should be used. Amazon recommends how to do that: https://docs.aws.amazon.com/linux/al2023/ug/updating.html. It can also be managed from the SSM side.
Thanks for the comment @arnaualcazar, but it doesn't quite work that way. You are right that I will go out and find the latest AMI every time, but I give the users a control flag to indicate whether they want to apply the new AMI or not: https://github.com/seqeralabs/cx-field-tools-installer/blob/49646cf5b020a0d4a9816cb2238da8858cf0fd7a/006_ec2.tf#L50
This has been done for two reasons:
I suspect that a majority of folks will choose to let the AMI update automatically, but can't assume it's a given. I'll have a look at the patch-in-place option link you shared (ty!) to familiarize myself with the process.
This solution relies upon OpenSSH to run
ssh
andscp
commands to push locally-generated files to the Tower VM. The recent revelation by Qualsys re: an OpenSSH vulnerability requires a review of this dependency to ensure client sites are not negatively impacted.