Desktop AMI login security with NX


Update 2011-08-04: Amazon Security did more research and investigated the desktop AMIs. They have confirmed that their software incorrectly flagged the AMIs (false positive) and they caught it in time to stop the warning emails from going out to users.

These AMIs include the NX software for remote desktop operation, and the way that NX implements login authentication with ssh is convoluted, but secure. I can easily understand why it might have looked like there were potential problems with the AMIs, and I’m glad things turned out well.

As always, hats off to the hard-working folks at AWS and thanks for all the great products and services.

Original message:

If Amazon AWS/EC2 contacts you with a warning that one of my AMIs you are running contains a back door security hole with ssh keys or user passwords, please don’t be alarmed.

They just sent me a notice that all of my old Ubuntu and Debian desktop AMIs from 2008-2010 need to be taken down, but it was a misunderstanding of how the NoMachine NX software implements login security and I’m sure those AMIs just got caught up in their automated sweeps.

I sent an email to Amazon to help explain why a fixed public ssh key in the AMI with a publicly known “private” ssh key is not a security risk in this instance (see command="/usr/NX/bin/nxserver --login" in the authorized_keys2 file), but they might be sending out notices to users of these AMIs before they get my response.

You can read up on how NX authentication works securely here:

http://www.nomachine.com/ar/view.php?ar_id=AR02C00150
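
As an added illustration (not code from the original post or from NoMachine), this Python audit parses authorized_keys entries and reports, for each key, the forced command if one is set and whether forwarding is prohibited, which sshd controls separately from command=. The sample entries, the placeholder key text and the /usr/bin/backup path are constructed; only the nxserver command string comes from the post.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")   # prefixes of the key-type field
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

def parse_entry(line):
    """Return (options, key_type) for one line, None for blanks/comments.
    Quoted values may hold spaces, commas and escaped quotes."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, pos = {}, 0
    if not line.startswith(KEY_TYPES):           # entry starts with options
        while True:
            m = OPTION.match(line, pos)
            if not m:
                raise ValueError("malformed options: %r" % line)
            opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
            pos = m.end()
            if line[pos:pos + 1] != ",":
                break
            pos += 1
    fields = line[pos:].split()
    if not fields or not fields[0].startswith(KEY_TYPES):
        raise ValueError("no key type found: %r" % line)
    return opts, fields[0]

def audit(text):
    """Return (key_type, forced_command, forwarding_prohibited) per key.
    forced_command is None when the key holder gets the account's shell."""
    rows = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        opts, key_type = entry
        cmd = opts.get("command")
        cmd = cmd if isinstance(cmd, str) else None
        no_fwd = "port-forwarding" not in opts and (
            "restrict" in opts or "no-port-forwarding" in opts)
        rows.append((key_type, cmd, no_fwd))
    return rows

# Constructed sample entries (key material is placeholder text, not real keys).
SAMPLE = r'''
ssh-rsa AAAAexample1 admin@workstation
command="/usr/NX/bin/nxserver --login" ssh-rsa AAAAexample2 nx
restrict,command="/usr/bin/backup \"full, nightly\"" ssh-ed25519 AAAAexample3 backup
'''
```

A scanner that only checks whether a known key is present would treat all three entries alike; the second column is what separates a key that opens a shell from one that can only start the named program.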

It’s the middle of the night for me, so I’ll publish more later, but I wanted to get the word out just in case there is alarm.

Note: There may be other reasons you should not run some of those AMIs, e.g., if they are of a release that is past end of life, but they don’t have open back doors that let me access them.

I’ve written about building AMIs securely recently and have been preaching this kind of stuff with EC2 for years.
