Amazon EC2 SSH Public Keys via IAM Service

    There will come a day when we can provision users and grant the necessary authorization to the required enterprise resources with ease, but until that day comes there will be hacks like this one.

    This is very much a Proof of Concept (PoC). I have not tested this beyond my network, and there would be a lot of angles to consider with any type of deployment: security (sanitization and additional logic), the fact that IAM SSH public keys were designed for CodeCommit, and other unknowns.

    My first attempt was to create a PAM module that would authenticate SSH users via the aws-sdk-cpp libraries, accessing the API using the instance profile / EC2 IAM role so that EC2 instances could obtain credentials to access the information. This seemed like a good route, but hacking together a PAM module portable enough for distribution would be a challenge (static builds of aws-sdk-cpp, etc.). I will revisit this in the future, but for now, I will move on.

    On my second attempt, I created a Bash script that produces the correct output for the SSH AuthorizedKeysCommand directive using SSH public keys from the AWS IAM service via awscli, since the EC2 instance can use its instance profile role through the aws command. This didn’t come without headaches, permission issues, etc.

    Jan 26, 2017 · Filed in: AWS, EC2, IAM
    Reading Time: 4 minute(s)

    Troubleshooting VMware ESXi iSCSI Connections from CLI

    Troubleshooting iSCSI connections… we have all been there, at the data center or at your desk, trying to solve some dead-path issue. I like to drop back to the CLI for this task, as it’s much easier to get the information out of VMware for troubleshooting purposes, and the web clients don’t always show the most current information without a refresh.

    First, let’s get a physical layout of the land we are dealing with on this host.

    [root@esxi:~] esxcfg-nics -l
    Name    PCI          Driver      Link Speed     Duplex MAC Address       MTU   
    vmnic0  0000:01:00.0 tg3         Up   1000Mbps  Full   b8:2a:72:dc:2d:e8 1500
    vmnic1  0000:01:00.1 tg3         Up   1000Mbps  Full   b8:2a:72:dc:2d:e9 1500
    vmnic2  0000:02:00.0 tg3         Up   1000Mbps  Full   b8:2a:72:dc:2d:ea 9000
    vmnic3  0000:02:00.1 tg3         Up   1000Mbps  Full   b8:2a:72:dc:2d:eb 9000
    vmnic4  0000:05:00.0 tg3         Up   1000Mbps  Full   00:0a:f7:64:54:9c 1500
    vmnic5  0000:05:00.1 tg3         Up   1000Mbps  Full   00:0a:f7:64:54:9d 1500
    vmnic6  0000:05:00.2 tg3         Up   1000Mbps  Full   00:0a:f7:64:54:9e 9000
    vmnic7  0000:05:00.3 tg3         Up   1000Mbps  Full   00:0a:f7:64:54:9f 9000
    [root@esxi:~]
    
    Sep 1, 2016 · Filed in: ESXi, iSCSI
    Reading Time: 3 minute(s)

    VMware vSphere ESXi iSCSI Walk

    Recently I found myself having to perform a walk of the physical connections of some ESXi hosts and two (2) QNAP storage arrays being used for storage of VMware Virtual Machines (VMs). The idea was to remove the Network Port Binding from two (2) of the four (4) iSCSI VMK adapters, then move those adapters to the destination switch.

    The first step was to remove the network port bindings of the two (2) VMK adapters from the ESXi host, forcing the iSCSI traffic onto the remaining two (2) VMK adapters that are still bound.

    ESXi iSCSI Network Port Binding
    Aug 5, 2016 · Filed in: ESXi, iSCSI
    Reading Time: 2 minute(s)

    Reset and Setup Dell EqualLogic Array

    I recently had to reset and set up a Dell EqualLogic PS4000 SAN array. At the same time, I decided to upgrade the firmware on the array before placing it back into production. This is a rough transcript of that process, with comments.

    Jul 17, 2016 · Filed in: Dell, EqualLogic
    Reading Time: 8 minute(s)