
user-data has too wide permissions on AWS backend

Open spinus opened this issue 9 years ago • 6 comments

I created a bunch of machines (nixops 1.4, but I think 1.3 had the same thing). There is a /root/user-data file with content:

SSH_HOST_ED25519_KEY_PUB:ssh-ed25519 AAAAC3NzaC1lZDaaaaaaaaaaaaaaaaaaaaaaaS+cdkk NixOps auto-generated key
SSH_HOST_ED25519_KEY:-----BEGIN OPENSSH PRIVATE KEY-----|b3BlbnxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAgME|-----END OPENSSH PRIVATE KEY-----|

This file has permissions like:

-rw-r--r-- 1 root root 573 Sep  2 14:14 user-data

Looks like permissions are too wide and someone could copy the private key. Also this private key is copied to /root/.ssh/id_charon_vpn (and this file has OK permissions, rw for root).

Is it some legacy stuff that should be removed, or is it something used that should be fixed?

spinus avatar Sep 05 '16 14:09 spinus

The key in the user data is a temporary key only used while creating the machine, when there are no other users. It's then replaced by the actual key (see https://github.com/NixOS/nixops/blob/master/nixops/backends/ec2.py#L991).

Once upon a time we didn't replace the key, so we had a blackhole route to prevent access to the metadata server, but that's no longer needed.

edolstra avatar Sep 05 '16 14:09 edolstra
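The two points above (a world-readable /root/user-data holding a private key, and the claim that the bootstrap host key is replaced after provisioning) can both be checked from the box. The following is an added example, not code from the issue thread or from NixOps; it assumes user-data is one KEY:VALUE pair per line with multi-line values joined by `|` (inferred from the sample in the issue, so treated as an assumption), uses constructed fake key bodies, and takes the path of the live host public key from the caller.

```python
"""Audit a NixOps-style EC2 /root/user-data file for leaked key material.

Added example; not part of the nixops-aws issue or the project's code.
Assumptions (constructed for this demo):
  - user-data is KEY:VALUE, one pair per line; multi-line values are
    joined with '|' (inferred from the issue's sample, an assumption here)
  - the installed host public key path is supplied by the caller
"""
import os
import stat
from typing import Dict, Iterable, List

# Constructed sample mirroring the shape shown in the issue (fake key bodies).
SAMPLE_USER_DATA = (
    "SSH_HOST_ED25519_KEY_PUB:ssh-ed25519 AAAAC3NzaC1lZDaaaaFAKE NixOps auto-generated key\n"
    "SSH_HOST_ED25519_KEY:-----BEGIN OPENSSH PRIVATE KEY-----|b3BlbnFAKE|"
    "-----END OPENSSH PRIVATE KEY-----|\n"
)


def parse_user_data(text: str) -> Dict[str, str]:
    """Split each line at the first ':' and expand '|' back into newlines."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip()] = value.replace("|", "\n").strip()
    return out


def contains_private_key(values: Iterable[str]) -> bool:
    """True if any value carries PEM-style private key armour."""
    return any("PRIVATE KEY-----" in v for v in values)


def world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set (e.g. the 0644 from the issue)."""
    return bool(mode & stat.S_IROTH)


def key_rotated(user_data_pub: str, installed_pub: str) -> bool:
    """True when the live host key differs from the bootstrap key in user-data.

    Only the key type and base64 blob are compared; the comment is ignored.
    """
    def core(k: str):
        return tuple(k.split()[:2])
    return core(user_data_pub) != core(installed_pub)


def audit(user_data_text: str, mode: int, installed_pub: str) -> List[str]:
    """Return a list of findings; empty means both checks passed."""
    findings: List[str] = []
    data = parse_user_data(user_data_text)
    if contains_private_key(data.values()) and world_readable(mode):
        findings.append("user-data holds a private key and is world-readable")
    bootstrap_pub = data.get("SSH_HOST_ED25519_KEY_PUB")
    if bootstrap_pub and not key_rotated(bootstrap_pub, installed_pub):
        findings.append("installed host key still equals the bootstrap key from user-data")
    return findings


def audit_file(path: str, host_key_pub_path: str) -> List[str]:
    """Run the audit against real files; both paths are caller-supplied."""
    with open(path) as f:
        text = f.read()
    mode = os.stat(path).st_mode
    with open(host_key_pub_path) as f:
        installed = f.read().strip()
    return audit(text, mode, installed)


if __name__ == "__main__":
    # Demo on constructed data: mode 0644 as in the issue's listing, and a
    # live key that still matches the bootstrap key, so both checks fire.
    live = "ssh-ed25519 AAAAC3NzaC1lZDaaaaFAKE root@host"
    for finding in audit(SAMPLE_USER_DATA, 0o100644, live):
        print("FINDING:", finding)
```

On a provisioned machine, `audit_file("/root/user-data", "/etc/ssh/ssh_host_ed25519_key.pub")` should report nothing for the rotation check if the replacement described above happened; a non-empty result for the permission check just confirms the 0644 mode reported in the issue.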

/root/.ssh/id_charon_vpn is a different key by the way. It's the private client key allowing the machine to create tunnels to other machines.

edolstra avatar Sep 05 '16 14:09 edolstra

@edolstra thanks for explaining.

  1. Should user-data be removed after the key is replaced?
  2. /root/.ssh/id_charon_vpn is indeed a different key, sorry for the false alarm. I just didn't compare enough characters :-)

spinus avatar Sep 05 '16 18:09 spinus

AFAIK, there is no way to remove/change user data after instance creation. If there were, we wouldn't have to generate a new host key, we could just wipe the user data.

edolstra avatar Sep 06 '16 09:09 edolstra

Do you think it's worth adding this info to the documentation, or adding a description field to user-data telling people that this is only a one-time key?

spinus avatar Sep 06 '16 09:09 spinus

Should I do something to improve this (if yes, what would be a good way) or close the ticket?

spinus avatar Sep 16 '16 21:09 spinus