[cs615asa] Homework 2 Question

Justin Barish jbarish at stevens.edu
Tue Feb 12 18:58:58 EST 2019


Can we assume the default security group used will have a rule to allow ssh
from any host?
By default, the 'default' AWS security groups do not have this rule,
preventing the instance from being ssh'ed into, so it would be up to the
user to have changed the default security group to allow this...
Or should our program create a new security group with that rule set (or
modify the default security group to set the rule)?

-Justin

On Tue, Feb 12, 2019 at 9:53 AM Jan Schaumann <jschauma at stevens.edu> wrote:

> Thomas L Pyle <tpyle at stevens.edu> wrote:
>
> > For homework 2, when we create the instance, how do we know what
> > keypair to use? Should we generate a new one?
>
> We don't want to generate a new keypair per the earlier promise that our
> tool will not make any changes to the user's setup or environment (a
> generally useful consideration, based on the Principle Of Least
> Astonishment).
>
> That would mean we'd have to assume that a default key has been
> configured correctly, but AWS configurations may differ in the use, and
> the user may in fact already have a default key that they may not wish
> to use for this purpose (separation of privileges is a Good Thing(tm)).
>
> So let's stipulate that our tool requires the presence of a dedicated
> SSH keypair.  That is, the user running the tool must have set up a
> keypair called 'ec2-backup' in AWS and must have set up their
> ~/.ssh/config to use that key.  That would look like this:
>
> $ ssh-keygen -t rsa -C "ec2-backup only" -f ~/.ssh/ec2-backup -b 4096
> [...]
> $ aws ec2 import-key-pair --key-name ec2-backup \
>         --public-key-material file://~/.ssh/ec2-backup.pub
> [...]
> $ aws ec2 describe-key-pairs --key-name ec2-backup
> KEYPAIRS        b6:6f:b5:90:0f:14:85:a6:82:d0:61:b8:78:3c:c8:b1 ec2-backup
> $ grep -A6 amazonaws ~/.ssh/config
> Host *amazonaws.com
>         User root
>         IdentityFile ~/.ssh/ec2
>         IdentityFile ~/.ssh/ec2-backup
>         IdentitiesOnly yes
>         UserKnownHostsFile /dev/null
>         StrictHostKeyChecking no
>
>
> At this point, everything is set up and your tool can use the
> 'ec2-backup' key name to create and access instances:
>
> $ aws ec2 run-instances --key-name ec2-backup --image-id ami-569ed93c \
>         --instance-type t1.micro
> [...]
> $ ssh ec2-3-84-173-113.compute-1.amazonaws.com hostname
> ip-10-159-231-196.ec2.internal
> $
>
> I have updated the manual page of the tool in the homework assignment to
> reflect the above assumptions you can safely make.  At a future
> iteration of the tool, we may add a way for the user to specify
> alternative keys or other options, but for this assignment, let's keep
> it simple by relying on the 'ec2-backup' key.
>
> -Jan
>
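
A read-only check for the security-group question raised in this thread, as an added example that is not part of the original messages or the course's tool: it inspects `describe-security-groups` output and reports which sources may reach port 22, without changing the user's setup. The function names and the embedded sample data are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# Group IDs are placeholders; the first entry mirrors an unmodified default group.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0000000000000000a", "GroupName": "default", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0000000000000000a"}]}]},
  {"GroupId": "sg-0000000000000000b", "GroupName": "default", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0000000000000000c", "GroupName": "office", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1023,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]}
]}
""")["SecurityGroups"]


def rule_covers_ssh(rule):
    """True if the rule's protocol and port range include TCP port 22."""
    if rule["IpProtocol"] == "-1":      # all protocols, all ports
        return True
    return (rule["IpProtocol"] == "tcp"
            and rule["FromPort"] <= 22 <= rule["ToPort"])


def ssh_sources(group):
    """CIDR blocks allowed to reach port 22; group-to-group rules yield none."""
    cidrs = []
    for rule in filter(rule_covers_ssh, group["IpPermissions"]):
        cidrs += [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return cidrs


def ssh_allowed_from(group, client_ip):
    """True if client_ip is inside any CIDR that may reach port 22."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c) for c in ssh_sources(group))


if __name__ == "__main__":
    for g in SAMPLE:
        print(g["GroupId"], ssh_sources(g) or "no SSH from outside the group")
```

A tool built this way can exit with a clear error when the group in use admits no SSH source for the caller, rather than modifying the group itself.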