Make EIC scripts compatible with macOS

[t0rr3sp3dr0]

Issue #, if available:

#33

Description of changes:

• Remove system UUID check as it is specific for Linux and Windows instances. Mac instances don't have the EC2 prefix on their UUID. A platform independent way of checking if the machine is indeed is an EC2 Instance is by Inspecting the instance identity document (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/identify_ec2_instances.html#inspect-document), already used by the script on a latter step. It's important to notice I did not implement the signature verification of the document as I considered it would be overkill.

• Change canonical paths of grep, mktemp, sed, and touch from /bin to /usr/bin. This change is also compatible with Linux.

• Change canonical paths of test /usr/binto/bin`. This change is also compatible with Linux.

• Use /tmp instead of /dev/shm, available on both Linux and macOS.

• Change regular expressions to make them compatible with macOS versions of find and sed. New expressions are still compatible with Linux.

• When running on macOS, generate a CA bundle with security find-certificate and set is as ca_path instead of using /etc/ssl/certs.

• Extract sha256sum and date -ud to functions that handle each operation in specific ways for Linux and macOS.

• Use existing sha256 function when calculating hashes.

• Rewrite sed expressions to be compatible with BSD and GNU versions of sed.

• Replace timeout 5 with & /bin/sleep 5; /bin/kill -KILL $! 2> /dev/null || : (http://blog.mediatribe.net/en/node/72/index.html) as macOS doesn't have it available. This can also be used on Linux.

• Replace grep -oP with sed -En to get accountId from JSON, using the same expression used to get AccessKeyId, SecretAccessKey, and Token from JSON.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[t0rr3sp3dr0]

Steps to make it work on an EC2 Mac instance:

1. Install eic_curl_authorized_keys, eic_harvest_hostkeys, eic_parse_authorized_keys, and eic_run_authorized_keys to /opt/aws/bin

wget https://github.com/inloco/aws-ec2-instance-connect-config/archive/HEAD.zip
unzip ./HEAD.zip
rm ./HEAD.zip
cp ./aws-ec2-instance-connect-config-*/src/bin/* /opt/aws/bin

2. Reconfigure sshd to use EC2 Instance Connect

sed -ri 's|#(AuthorizedKeysCommand) .+|\1 /opt/aws/bin/eic_run_authorized_keys %u %f|g' /private/etc/ssh/sshd_config
sed -ri 's/#(AuthorizedKeysCommandUser) .+/\1 ec2-instance-connect/g' /private/etc/ssh/sshd_config

3. Create launch daemon at /Library/LaunchDaemons/com.amazon.aws.ec2-instance-connect.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>KeepAlive</key>
        <dict>
                <key>SuccessfulExit</key>
                <false/>
        </dict>
        <key>Label</key>
        <string>com.amazon.aws.ec2-instance-connect</string>
        <key>Program</key>
        <string>/opt/aws/bin/eic_harvest_hostkeys</string>
        <key>RunAtLoad</key>
        <true/>
</dict>
</plist>

[arianvp]

Change canonical paths of grep, mktemp, sed, and touch from /bin to /usr/bin. This change is also compatible with Linux.

Could we please instead use /usr/bin/env <binary name> ? this is the correct portable way to find the location of a binary according to POSIX.

This way it will work on Linux, MacOS, NixOS and all the BSDs

[t0rr3sp3dr0]

That would be equivalent to not specifying the path: /usr/bin/env grep is the same as just grep. I’m not sure what’s the reason behind using canonical paths for all binaries, but I believe it’s either related to the PATH not being available or correctly set when the script is executed, or to avoid changes on PATH affecting the behaviour of the script.

Either way, it seems AWS is not open to contributions here. I even talked with the PM on AWS who is responsible for the Mac Instances on EC2, and he thanked me for the patch and said he would have someone take a look, but no one ever did.