This package contains the EC2 instance configuration and scripts necessary to enable AWS EC2 Instance Connect: the ssh daemon configuration and the EC2 instance scripting that EC2 Instance Connect needs. Also included are package manager configurations for building packages for various Linux distributions.

Parse takes all necessary pieces as command inputs, so it can be unit tested independently. curl, however, must query the EC2 Instance Metadata Service and so cannot be tested without mocking the actual service. The curl script verifies that we are actually running on an EC2 instance, cURLs the relevant information from the EC2 Instance Metadata Service, and sends it to parse. Note that it must make several curl commands to proceed; if it cannot do so, it fast-fails to prevent blocking the ssh daemon. The command also queries several OCSP staples from the EC2 Instance Metadata Service.
Features
- In addition to the fields required to complete all the processes below, a key fingerprint may be provided
- The staples are passed to and used by parse_authorized_keys to check certificate validity without the need for extra external calls
- The signature is specifically expected to be for the entire key blob
- Any time a key is provided to the ssh daemon it will be logged to the system authpriv log for auditing purposes
- The systemd module provided for host key harvesting is a basic one-shot to invoke eic_harvest_hostkeys
- As parse_authorized_keys requires a valid certificate, CA, and OCSP staples, unit testing is a somewhat involved process
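The fast-fail behaviour of the curl step described in the introduction, together with the authpriv logging listed above, sketched as an added example. This is illustrative shell, not the package's own curl script; the function names, the EIC_EXAMPLE_RUN variable and the metadata paths requested in eic_main are assumptions.

```shell
#!/bin/sh
# Added example, not the package's curl script. Shows the fast-fail shape of
# an sshd AuthorizedKeysCommand helper that depends on the EC2 Instance
# Metadata Service (IMDS). Function names, EIC_EXAMPLE_RUN and the metadata
# paths requested in eic_main are assumptions.

# IMDS answers on this fixed link-local address on EC2 instances.
IMDS_BASE="http://169.254.169.254/latest/meta-data"

# A literal newline, built portably, used as the record separator below.
_nl="$(printf '\nx')"; _nl="${_nl%x}"

# Default fetcher: a single curl with tight connect and total time limits so a
# missing or slow IMDS cannot stall sshd's authentication step.
# $1 = path relative to IMDS_BASE.
eic_imds_get() {
    curl -s -f --connect-timeout 1 --max-time 2 "${IMDS_BASE}/$1"
}

# Run one fetch through the supplied fetcher. On a non-zero exit or an empty
# body, print nothing and return 1 immediately.
# $1 = fetcher function or binary, $2 = path.
eic_fetch_or_fail() {
    _out=$("$1" "$2" 2>/dev/null) || return 1
    [ -n "$_out" ] || return 1
    printf '%s\n' "$_out"
}

# Fetch every path given after the fetcher, stopping at the first miss.
# Prints one "path=value" line per path on success. A failure yields no
# output at all (never a partial set) and status 1, because the parser needs
# every piece before it can check signatures or certificates.
# $1 = fetcher, $2.. = paths.
eic_collect() {
    _fetcher="$1"; shift
    _acc=""
    for _p in "$@"; do
        _v=$(eic_fetch_or_fail "$_fetcher" "$_p") || return 1
        _acc="${_acc}${_p}=${_v}${_nl}"
    done
    printf '%s' "$_acc"
}

# Real entry point. Runs only when EIC_EXAMPLE_RUN=1 so the file can be
# sourced by tests without touching the network.
eic_main() {
    # Assumed path list; the real script requests the pieces its parser needs.
    if ! _data=$(eic_collect eic_imds_get instance-id); then
        # Fast-fail: no output, non-zero exit. sshd logs the failure and its
        # normal AuthorizedKeysFile lookup proceeds unaffected.
        exit 1
    fi
    # Mirror the package's audit trail: record the event in the authpriv log.
    logger -p authpriv.info -t eic_example "metadata collected for user ${1:-unknown}"
    printf '%s' "$_data"   # in the real package this is handed to parse
}

if [ "${EIC_EXAMPLE_RUN:-0}" = "1" ]; then
    eic_main "$@"
fi
```

The fetcher is passed by name so the collection logic can be exercised with stub functions in place of curl, which is the same separation the package relies on when it unit tests parse but not curl. Because eic_collect emits nothing until every piece is present, a half-collected set can never reach the signature and certificate checks.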