Desktop AMI login security with NX

Update 2011-08-04: Amazon Security did more research and investigated the desktop AMIs. They have confirmed that their software incorrectly flagged the AMIs (false positive) and they caught it in time to stop the warning emails from going out to users.

These AMIs include the NX software for remote desktop operation and the way that NX implement login authentication with ssh is convoluted, but secure. I can easily understand why it might have looked like there were potential problems with the AMIs, and I’m glad things turned out well.

As always, hats off to the hard working folks at AWS and thank for all the great products and services.

Original message:

If Amazon AWS/EC2 contacts you with a warning that one of my AMIs you are running contains a back door security hole with ssh keys or user passwords, please don’t be alarmed.

They just sent me a notice that all of my old Ubuntu and Debian desktop AMIs from 2008-2010 need to be taken down, but it was a misunderstanding of how the NoMachine NX software implements login security and I’m sure those AMIs just got caught up in their automated sweeps.

I sent an email to help Amazon to help explain why a fixed public ssh key in the AMI with a publicly known “private” ssh key is not a security risk in this instance (see command="/usr/NX/bin/nxserver –login" in the authorized_keys2 file) but they might be sending out notices to users of these AMIs before they get my response.

You can read up on how NX authentication works securely here:

http://www.nomachine.com/ar/view.php?ar_id=AR02C00150

It’s the middle of the night for me, so I’ll publish more later, but I wanted to get the world out just in case there is alarm.

Note: There may be other reasons you should not run some of those AMIs, e.g., if they are of a release that is past end of life, but they don’t have open back doors that let me access them.

I’ve written about building AMIs securely recently and have been preaching this kind of stuff with EC2 for years.