Also while thinking about it, ~5-8 curl calls for every SSH login can be quite expensive. I know it fortunately has an early exit, but that still is 2 curl requests.
If this is installed in any place without the endpoint at 169.254.169.254 being responsive and super fast, this could lead to a very bad user experience.

Examples:
1. It checks the instance-id via curl, and only then locally if it runs on EC2. I think it really should check that ahead of time.
2. (More of a general design issue) Doing that on every login feels like a massive overhead. Think of remote configuration management software that expects to run hundreds of ssh calls per second. We were bitten in the past by issues there, e.g. slow MOTD generated on login.

I really would want all those scripts to do some rate-limiting. That is either a full design change away from AuthorizedKeysCommand (probably too complex), or, and that might be more doable, a rate limit. Let it timestamp itself and do any execution except this check only once per 5 seconds. For an example load with 100 logins per second for 10 seconds that would drop the overhead from 1000 to 2. And I think it would be fine to wait 5 sec for a new key to be active.

@cyphermox can you bring that up with the developers who write on this as well?

--
https://bugs.launchpad.net/bugs/1835114
Title: [MIR] ec2-instance-connect
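
The rate limit proposed in the message above, as an added example (not part of the original message and not ec2-instance-connect's own code): a wrapper that timestamps its last lookup and reuses the result for `WINDOW` seconds. `CACHE_DIR`, `WINDOW`, `cached_keys` and the fetch command passed to it are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example: timestamp-gated cache in front of an expensive key lookup.
# CACHE_DIR, WINDOW and the fetch command are assumptions, not project names.

CACHE_DIR="${CACHE_DIR:-/run/akc-cache}"   # must be root-owned, mode 0700
WINDOW="${WINDOW:-5}"                      # seconds a result is reused

# cached_keys USER FETCH_CMD [ARGS...]
# Prints authorized_keys lines for USER; runs FETCH_CMD at most once per WINDOW.
cached_keys() {
    user=$1; shift
    # Reject names that could escape CACHE_DIR or be read as an option.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    cache="$CACHE_DIR/$user.keys"
    stamp="$CACHE_DIR/$user.stamp"
    now=$(date +%s)

    # Fast path: a readable stamp that is numeric, not in the future, and fresh.
    if [ -r "$stamp" ] && [ -r "$cache" ]; then
        last=$(cat "$stamp")
        case $last in ''|*[!0-9]*) last=0 ;; esac
        if [ "$last" -le "$now" ] && [ $((now - last)) -lt "$WINDOW" ]; then
            cat "$cache"
            return 0
        fi
    fi

    # Slow path: fetch into a temp file, then publish atomically with mv so a
    # concurrent login never reads a half-written key list.
    tmp=$(mktemp "$CACHE_DIR/.tmp.XXXXXX") || return 1
    if "$@" "$user" > "$tmp"; then
        mv "$tmp" "$cache"
        printf '%s\n' "$now" > "$stamp.$$" && mv "$stamp.$$" "$stamp"
        cat "$cache"
    else
        rm -f "$tmp"
        return 1        # a failed lookup is not cached
    fi
}
```

Logins that arrive together just as the window expires each take the slow path; wrapping the slow path in a lock such as `flock` would collapse them to one lookup.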