fix(ec2): avoid wiping authorized_keys files on each connection
#6197
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hweinstock
changed the title
authorized_keys files on each connection. authorized_keys files on each connection (WIP)
Hweinstock
changed the title
authorized_keys files on each connection (WIP)authorized_keys files on each connection
justinmk3
reviewed
Dec 10, 2024
justinmk3
reviewed
Dec 10, 2024
justinmk3
reviewed
Dec 10, 2024
justinmk3
reviewed
Dec 10, 2024
justinmk3
reviewed
Dec 10, 2024
| * @returns bash command to remove lines from file. | ||
| */ | ||
| export function getRemoveLinesCommand(pattern: string, hostOS: Ec2OS, filepath: string): string { | ||
| // Linux allows not passing extension to -i, whereas macOS requires zero length extension. |
Contributor
There was a problem hiding this comment.
Also any BSD flavor. Does the '' work on Linux so we can just always do sed -i ''? According to Claude, it should...
Contributor
Author
There was a problem hiding this comment.
I saw it in the docs, and double checked I wasn't able to get it to work on Amazon Linux.
Its annoying :(
I also thought about not using the -i option and instead piping it to another temporary file, then overwrite authorized_keys with the temporary file so that we could use same command on all OS, but I thought the tradeoff of taking 3-4 steps instead of 1 didn't feel worth it.
Contributor
There was a problem hiding this comment.
Yeah, another option is to actually pass something like -i '.bk' on all platforms. That assumes one can write to the ~/.ssh/ directory, which is probably a fine assumption.
Contributor
Author
There was a problem hiding this comment.
Yeah, I wasn't sure if there would be any problems leaving backup files around. My thinking was to leave as little state/artifacts as possible on the remote machine, but having different commands for different OS is annoying.
Co-authored-by: Justin M. Keyes <[email protected]>
…scode into ec2/commentkeys
justinmk3
reviewed
Dec 11, 2024
justinmk3
approved these changes
Dec 11, 2024
Co-authored-by: Justin M. Keyes <[email protected]>
…scode into ec2/commentkeys
jpinkney-aws
pushed a commit
to jpinkney-aws/aws-toolkit-vscode
that referenced
this pull request
Jan 6, 2025
…s#6197) ## Problem Each EC2 remote vscode connection wipes the remote `.ssh/authorized_keys` file as a preventative measure to leaving stale keys there. However, we can do better by adding comments to the keys we add to this file, then selectively removing those keys on subsequent connections. ## Solution - Whenever we send keys to the instance, use `sed` to wipe all of the keys added by us. - determine keys added by us using a hint comment `#AWSToolkitForVSCode`. --- - Treat all work as PUBLIC. Private `feature/x` branches will not be squash-merged at release time. - Your code changes must meet the guidelines in [CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines). License: I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Justin M. Keyes <[email protected]>
karanA-aws
pushed a commit
to karanA-aws/aws-toolkit-vscode
that referenced
this pull request
Jan 17, 2025
…s#6197) ## Problem Each EC2 remote vscode connection wipes the remote `.ssh/authorized_keys` file as a preventative measure to leaving stale keys there. However, we can do better by adding comments to the keys we add to this file, then selectively removing those keys on subsequent connections. ## Solution - Whenever we send keys to the instance, use `sed` to wipe all of the keys added by us. - determine keys added by us using a hint comment `#AWSToolkitForVSCode`. --- - Treat all work as PUBLIC. Private `feature/x` branches will not be squash-merged at release time. - Your code changes must meet the guidelines in [CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines). License: I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Justin M. Keyes <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
Each EC2 remote vscode connection wipes the remote
.ssh/authorized_keysfile as a preventative measure to leaving stale keys there. However, we can do better by adding comments to the keys we add to this file, then selectively removing those keys on subsequent connections.Solution
sedto wipe all of the keys added by us.#AWSToolkitForVSCode.feature/xbranches will not be squash-merged at release time.License: I confirm that my contribution is made under the terms of the Apache 2.0 license.