Uly.me

cloud engineer

ssh

Google SDK SSH Mac Terminal

I’m having trouble logging in using Google SDK Compute SSH on a Mac Terminal.

Here’s the fix.

gcloud compute ssh USERNAME@SERVER --zone ZONE --project PROJECTID --internal-ip 2>&1

There was an issue with a redirect to another shell.

Git Switch from HTTPS to SSH

If you have trouble cloning a github repo using https, you can tell it to switch to SSH instead.

Here’s the command.

git config --global url.ssh://git@github.com/.insteadOf https://github.com/

I had to specify reconfigure when I ran terraform init.

terraform init --reconfigure

Allow Key Access for user in SSH

Allow shared key access only for one user in SSH.

Disable the password authentication for one user in your SSH config. Edit /etc/ssh/sshd_config.

Match User username
  PasswordAuthentication no

Restart the SSH service.

service ssh restart

Copy user’s public key to the destination server’s authorized file in ~/.ssh/authorized_keys.

ssh-rsa AAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx <-- public key goes on for miles

Back on your client, login via SSH. User will not be prompted for password since public key is already authorized on server.

ssh username@server

GCP SSH Issues Return Code [1]

If you are getting this return code [1] error, check if enable-oslogin metadata is set to TRUE in your VM.

Here’s the error when logging in.

gcloud compute ssh your-server-name \
--zone us-central1-a \
--project your-project-id \
--internal-ip &
ERROR: (gcloud.compute.ssh) [C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\bin\sdk\plink.exe] exited with return code [1].

Remove metadata.

gcloud compute instances remove-metadata your-server-name \
--keys=enable-oslogin \
--zone us-central1-a \
--project your-project-id
Updated [https://www.googleapis.com/compute/v1/projects/your-project-id/zones/us-central1-a/instances/your-server-name].

Run gcloud ssh again.

gcloud compute ssh your-server-name \
--zone us-central1-a \
--project your-project-id \
--internal-ip &
[1] 1257

This time it opens up a Putty session and you’re able to login.

SSH Script

Here’s my custom ssh script named login.sh using multiple arguments. 

#!/bin/bash
if [ $# -eq 0 ]
  then
    echo 'no server supplied'
        exit 1
fi
INPUT=$2
case "$INPUT" in
  abc)
    ssh user1@$1
    ;;
  def)
    ssh user2@$1
    ;;
  *)
    ssh user3@$1
    ;;
esac

How to use with expected outputs.

./login.sh
no server supplied
./login.sh server3 abc
ssh user1@server3
./login.sh server2 def
ssh user2@server2
./login.sh server1
ssh user3@server1

Increase SSH Timeout

Here’s how to keep your SSH timeout alive for a longer period.

Edit /etc/ssh/sshd_config. Adjust interval and count max.

ClientAliveInterval 1200
ClientAliveCountMax 3

ClientAliveInterval is set to 1200 and ClientAliveCountMax is set to the default which is 3. This means unresponsive SSH clients will be disconnected after approximately 3600 seconds or 1 hour.

AWS LightSail Restrict IP Address

AWS LightSail now has the ability to restrict IP addresses in their firewall rules. LightSail instances can now be secured by limiting firewall rules from an IP CIDR block or a single IP address. For example, you can restrict who can SSH into your instance by limiting it to just your IP address, so only you can SSH into your machine. Another feature AWS added in their LightSail firewall is support for ping, which could be helpful for monitoring and checks.