
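AWS EC2 now supports 64-bit across the board and fills out its product line...

People who used AWS EC2 often ran into this situation: t1.micro has too little memory and frequently runs out of memory (propping it up with EBS as swap performs poorly), but m1.small could only run 32-bit, and maintaining a full 32-bit image just for it is not worth the cost, because once you outgrow it you have to build a 64-bit image anyway. And moving from t1.micro to m1.large is too big a jump...

This problem is finally solved: "Announcing three new Amazon EC2 features". The new features EC2 is offering this time include:

  • A new instance type, m1.medium, priced at twice m1.small, so its specs are roughly twice m1.small as well, with 3.5GB RAM.
  • Besides 32-bit, m1.small and m1.medium can now also run 64-bit.

So the original problem can be solved from different directions:

  • If an existing 32-bit image outgrows m1.small, m1.medium can hold things over for now.
  • Since all EC2 instances can run 64-bit, from now on you only need to build 64-bit images.
  • Likewise, those who find m1.large too big can now drop down to m1.medium or m1.small.

This release also provides a Java SSH client that lets you do everything in one go from the Web Console, though I don't have much use for that one...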

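GitHub requires a full audit of SSH keys

After GitHub was successfully attacked (see GitHub's official post "Public Key Security Vulnerability and Mitigation"), besides patching the vulnerability, they took a more aggressive step: suspending access for all SSH keys until the user has audited and confirmed them: "SSH Key Audit".

Besides fixing the problem and auditing keys, GitHub also introduced new mechanisms that make it easier for users to spot abnormal access, including:

  • Adding an SSH public key now requires entering your password.
  • An email notification is sent after an SSH public key is added successfully.
  • A new "Security History" page shows the security status of the account.

A very proactive way to remediate.

Also, a note on how to audit your keys, that is, how to get your public key fingerprint:

ssh-keygen -lf .ssh/id_rsa.pub (if you use RSA)
or
ssh-keygen -lf .ssh/id_dsa.pub (if you use DSA)

The output is the value you need to compare. Remember! Since this is an audit, compare them one by one and confirm that every fingerprint is correct.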
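What the fingerprint compared in this audit is computed over, as an added example (not code from the original post or from GitHub): it decodes the base64 blob of an OpenSSH public key line, checks that the blob's embedded key type matches the declared one, and hashes it into the colon-separated MD5 form as well as the SHA256 form that newer OpenSSH releases print by default. The function names and the two sample key lines are constructed for illustration; the key material is made up and not usable.

```python
import base64
import hashlib
import struct

def parse_pubkey(line):
    """Split one OpenSSH public key line into (key_type, blob, comment)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob, fields[2] if len(fields) > 2 else ""

def fingerprint_md5(blob):
    """Colon-separated MD5 form (ssh-keygen -E md5 on newer OpenSSH)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob):
    """Unpadded base64 SHA-256 form (default on newer OpenSSH)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(listed_lines, known_fingerprints):
    """Return (fingerprint, type, comment) for listed keys that are not ours."""
    unknown = []
    for line in listed_lines:
        key_type, blob, comment = parse_pubkey(line)
        fp = fingerprint_md5(blob)
        if fp not in known_fingerprints:
            unknown.append((fp, key_type, comment))
    return unknown

def sample_line(key_type, body, comment):
    """Constructed sample: real framing, made-up key material (not a usable key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = s(key_type.encode()) + s(body)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

MINE = sample_line("ssh-rsa", b"\x01" * 64, "me@laptop")
OTHER = sample_line("ssh-dss", b"\x02" * 64, "unknown@host")

if __name__ == "__main__":
    _, my_blob, _ = parse_pubkey(MINE)
    print(audit([MINE, OTHER], {fingerprint_md5(my_blob)}))
```

Any entry returned by `audit` is a key listed on the account whose fingerprint you did not produce from your own key files, which is exactly the key not to approve.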

The original email is attached: (it doesn't seem to have been explained on the blog yet)

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

# Required Action

Since you have one or more SSH keys associated with your GitHub account you must visit https://github.com/settings/ssh/audit to approve each valid SSH key.

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

# Status

We take security seriously and recognize this never should have happened. In addition to a full code audit, we have taken the following measures to enhance the security of your account:

- We are forcing an audit of all existing SSH keys
- Adding a new SSH key will now prompt for your password
- We will now email you any time a new SSH key is added to your account
- You now have access to a log of account changes in your Account Settings page

Sincerely,
The GitHub Team

--- https://github.com support@github.com

PuTTY 0.61

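Yesterday I saw that PuTTY 0.61 is out: "PuTTY version 0.61 is released", another new version after more than four years.

Looking through the New features, one item struck me as quite interesting: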

On Windows: the Appearance panel now includes a checkbox to allow the selection of non-fixed-width fonts, which PuTTY will coerce into a fixed-width grid in its terminal emulation. In particular, this allows you to use GNU Unifont and Fixedsys Excelsior. (Thanks to Randall Munroe for a serious suggestion that inspired this.)

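Does this mean all sorts of odd fonts can be used? I stopped using PuTTY after switching my main system to Ubuntu...

AWS EC2 can now import your own SSH public key...

Today AWS EC2 rolled out a bunch of small features at once:

None of these features is really a big deal: Idempotent Instance Creation prevents creating duplicate instances, I can't think of a use for Resource Tagging for now, and Filtering is an enhancement to describe...

The fourth is the most helpful right now; not having to specify -i .ssh/ooxx.pem when using ssh counts as a direct impact, right? It can't be imported through the Web Console yet; you have to use the ec2-import-keypair command.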
