Saturday, April 21, 2018

GCP - How to manage SSH keys on VM Instance?

On Google Cloud Platform, adding SSH keys in Metadata (project-wide public SSH keys) makes it easy to ssh into every VM instance on Compute Engine, but it is not a good idea. It is acceptable for testing, but it should not be used in Production. We should add the SSH key in OS Login instead.
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys#risks



Question:
How can we block SSH keys from Metadata (project-wide public SSH keys) on a VM instance?
Answer: We can block them by checking "Block project-wide SSH keys" on each instance.

When we have an SSH key in metadata, we are able to ssh with the private key and log in.

So, we block it. On "Compute Engine" - "VM Instances", click [instance name] and "Edit". Check "Block project-wide SSH keys" and "Save".


The VM instance should refuse any key that is not in the SSH Keys of the VM instance. (You can remove the project owner's SSH key from the instance, but it will be added back automatically when you click "SSH" in the GUI.)

Additionally, we should review and remove SSH keys in metadata (project-wide public SSH keys) if we are sure they are not used. (Don't remove the project owner's ssh key.)

After removing them, if we want to add an SSH key without adding it in OS Login, we can add it in the SSH Keys of the instance as follows.


Assume the username is "myuser".

First of all, we have to generate private and public keys. The example uses "PuTTY Key Generator", because I use PuTTY.


Then "Save private key" (we need it when we use PuTTY to connect to the server) and "Save public key".

To use the public key on the VM instance, click "Add item".



Example: the format is [public key] [username], then "Save".
Note: in the picture, the [username] part is highlighted.

Open PuTTY, select "Private key file for authentication", fill in the IP address and connect.

It's easy, right?
myuser@centos7:~$ id
uid=1003(myuser) gid=1004(myuser) groups=1004(myuser),4(adm),30(dip),44(video),46(plugdev),1000(google-sudoers)
If we run "id [user in project-wide SSH keys]", we still see the user, but it is unable to ssh into this VM instance.
myuser@centos7:~$ id opun
uid=1001(opun) gid=1002(opun) groups=1002(opun),4(adm),30(dip),44(video),46(plugdev),
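To check the "Block project-wide SSH keys" setting across many instances instead of clicking through each one, here is an added Python audit (not part of the original post). It reads the shape of `gcloud compute instances list --format=json` output on a constructed sample and assumes the stored ssh-keys metadata format of one `username:key-type key comment` entry per line; instances with OS Login enabled are skipped because they ignore metadata keys anyway.

```python
# Constructed sample shaped like `gcloud compute instances list --format=json`
# (only the fields the audit reads; not real project data).
SAMPLE_INSTANCES = [
    {"name": "web-1", "metadata": {"items": [
        {"key": "block-project-ssh-keys", "value": "TRUE"},
        {"key": "ssh-keys", "value": "myuser:ssh-rsa AAAAB3Nza...EXAMPLE myuser"}]}},
    {"name": "web-2", "metadata": {"items": [
        {"key": "ssh-keys", "value": "myuser:ssh-rsa AAAAB3Nza...EXAMPLE myuser\n"
                                     "opun:ssh-rsa AAAAB3Nza...EXAMPLE2 opun"}]}},
    {"name": "db-1", "metadata": {"items": [
        {"key": "block-project-ssh-keys", "value": "false"}]}},
    {"name": "bastion", "metadata": {"items": [
        {"key": "enable-oslogin", "value": "TRUE"}]}},
]


def metadata_items(instance):
    """Flatten the instance's metadata item list into a {key: value} dict."""
    items = instance.get("metadata", {}).get("items", [])
    return {item["key"]: item.get("value", "") for item in items}


def flag_is_true(instance, key):
    """GCP boolean metadata flags are strings; treat only TRUE (any case) as set."""
    return metadata_items(instance).get(key, "").strip().lower() == "true"


def instance_key_users(instance):
    """Usernames granted by instance-level ssh-keys (format assumed: user:key-type key comment)."""
    users = []
    for line in metadata_items(instance).get("ssh-keys", "").splitlines():
        line = line.strip()
        if line and ":" in line:
            users.append(line.split(":", 1)[0])
    return users


def audit(instances):
    """Instances that still accept project-wide keys, with the users their own keys grant.

    OS Login instances are skipped: metadata-based keys are ignored there.
    """
    findings = []
    for inst in instances:
        if flag_is_true(inst, "enable-oslogin"):
            continue
        if not flag_is_true(inst, "block-project-ssh-keys"):
            findings.append((inst["name"], instance_key_users(inst)))
    return findings


if __name__ == "__main__":
    for name, users in audit(SAMPLE_INSTANCES):
        print(f"{name}: project-wide keys NOT blocked; instance keys for {users or 'nobody'}")
```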