fix(toolkit): attach lifetime to generated ssh keys. #5578
base: master
Conversation
This pull request implements a feature or fix, so it must include a changelog entry. See CONTRIBUTING.md#changelog for instructions.
Great idea. Would also be a good time to add an EC2-specific section here: aws-toolkit-vscode/docs/arch_features.md Line 14 in 791ae55
That way, we have a high-level description of the steps that happen.
this.lifeTimeout = new Timeout(lifetime) | ||
|
||
this.lifeTimeout.onCompletion(async () => { | ||
await this.delete() |
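Review bot: the timeout only fires while the extension host is alive, so if VS Code exits before `lifetime` elapses, `this.delete()` never runs and the private key stays on disk; consider also invoking `delete()` from the class's dispose/deactivation path and making `delete()` tolerate the file already being gone. Also, since the `onCompletion` callback is async, a rejection from `await this.delete()` would be unobserved unless it is wrapped in a try/catch that logs the failure.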
Nice approach. (encapsulating this in the existing class)
@@ -5,19 +5,32 @@ | |||
import * as fs from 'fs-extra' |
If it's not much trouble, it would be helpful to remove this and use our fs.ts module instead. We want to eliminate 'fs-extra'.
Problem
For connecting VSCode to an EC2 instance, we generate an ssh key pair on disk. This results in writing the private ssh key to VSCode global storage, allowing the key to be potentially reused by other users on the same machine.
Solution
Attach a lifetime to any key pair generated such that it is wiped from disk after X seconds. The value is currently set to 30 seconds to allow the connection to reliably establish. Also, change file permissions to read/write for the owner only and change behavior to overwrite existing keys.
This is in line with how EC2 Instance Connect works: https://github.com/aws/aws-ec2-instance-connect-cli/blob/master/ec2instanceconnectcli/EC2InstanceConnectKey.py
License: I confirm that my contribution is made under the terms of the Apache 2.0 license.
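As an added illustration of the approach in the description (example code, not the toolkit's own): an ephemeral key-pair holder that overwrites stale files, forces owner-only permissions, and wipes the files after a lifetime. It uses Node's built-in `fs` rather than `fs-extra`, assumes POSIX permission bits, and writes constructed placeholder strings instead of real key material. It goes slightly beyond the PR by also wiping the files on process exit, since a timer alone never fires if VS Code closes first.

```typescript
import * as fs from 'fs'
import * as os from 'os'
import * as path from 'path'
/** Key pair on disk, wiped after `lifetimeMs` or when the process exits (assumes POSIX mode bits). */
export class EphemeralKeyPair {
    private timer: ReturnType<typeof setTimeout> | undefined
    private readonly onExit = () => this.deleteSync()
    constructor(
        public readonly privateKeyPath: string,
        public readonly publicKeyPath: string,
        private readonly lifetimeMs: number
    ) {}
    /** Write both halves, overwriting stale files, then force owner-only permissions. */
    write(privateKey: string, publicKey: string): void {
        for (const [p, data] of [[this.privateKeyPath, privateKey], [this.publicKeyPath, publicKey]] as const) {
            // `mode` only applies when the file is created; chmod covers the overwrite case
            fs.writeFileSync(p, data, { mode: 0o600 })
            fs.chmodSync(p, 0o600)
        }
        this.timer = setTimeout(() => this.deleteSync(), this.lifetimeMs)
        // if the host exits before the timer fires, still remove the key material
        process.once('exit', this.onExit)
    }
    /** Idempotent removal; safe to call early, e.g. once the SSH session is up. */
    deleteSync(): void {
        if (this.timer !== undefined) {
            clearTimeout(this.timer)
            this.timer = undefined
        }
        process.removeListener('exit', this.onExit)
        for (const p of [this.privateKeyPath, this.publicKeyPath]) {
            fs.rmSync(p, { force: true }) // no error if already gone
        }
    }
    /** Permission bits of the private key (0o600 expected), or -1 once it has been wiped. */
    privateKeyMode(): number {
        return fs.existsSync(this.privateKeyPath) ? fs.statSync(this.privateKeyPath).mode & 0o777 : -1
    }
}
/** Demo helper: writes constructed placeholder key material into a fresh temp dir. */
export function demoKeyPair(lifetimeMs: number): EphemeralKeyPair {
    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ephemeral-key-'))
    const kp = new EphemeralKeyPair(path.join(dir, 'id_rsa'), path.join(dir, 'id_rsa.pub'), lifetimeMs)
    kp.write('PLACEHOLDER-PRIVATE-KEY', 'PLACEHOLDER-PUBLIC-KEY') // constructed, not real keys
    return kp
}
```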