cloud engineer
If you have trouble cloning a github repo using https, you can tell it to switch to SSH instead.
Here’s the command.
git config --global url.ssh://git@github.com/.insteadOf https://github.com/ |
I had to specify reconfigure when I ran terraform init.
terraform init --reconfigure |
Allow shared key access only for one user in SSH.
Disable the password authentication for one user in your SSH config. Edit /etc/ssh/sshd_config.
Match User username PasswordAuthentication no |
Restart the SSH service.
service ssh restart |
Copy user’s public key to the destination server’s authorized file in ~/.ssh/authorized_keys.
ssh-rsa AAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx <-- public key goes on for miles |
Back on your client, login via SSH. User will not be prompted for password since public key is already authorized on server.
ssh username@server |
There are a few issues that prop up every once in a while with gcloud compute ssh. gcloud compute ssh creates local user at first login. The account password has a default expiration of 90 days. If unable to login, you can try logging in as a different name (even a fictitious name) e.g. superheroes, etc. something unique.
gcloud compute ssh username@servername --zone us-central1-c --project project-id --internal-ip |
Once logged in, you can delete local users with expired passwords or perform other admin tasks.
userdel -r username |
You can also try to run chage to adjust the password expiration.
chage -M 180 username (extends expiration from 90 to 180 days) |
If you continue to have login issues, you can also delete Metadata SSH keys in both the instance and project levels.
Last resort you can use force key overwrite which will regenerate a new key and overwrite broken ssh keys.
gcloud compute ssh username@servername \ --force-key-file-overwrite \ --zone us-central1-c \ --project project-id \ --internal-ip |
If you are getting this return code [1] error, check if enable-oslogin metadata is set to TRUE in your VM.
Here’s the error when logging in.
gcloud compute ssh your-server-name \ --zone us-central1-a \ --project your-project-id \ --internal-ip & ERROR: (gcloud.compute.ssh) [C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\bin\sdk\plink.exe] exited with return code [1]. |
Remove metadata.
gcloud compute instances remove-metadata your-server-name \ --keys=enable-oslogin \ --zone us-central1-a \ --project your-project-id Updated [https://www.googleapis.com/compute/v1/projects/your-project-id/zones/us-central1-a/instances/your-server-name]. |
Run gcloud ssh again.
gcloud compute ssh your-server-name \ --zone us-central1-a \ --project your-project-id \ --internal-ip & [1] 1257 |
This time it opens up a Putty session and you’re able to login.
Here’s my custom ssh script named login.sh using multiple arguments.
#!/bin/bash if [ $# -eq 0 ] then echo 'no server supplied' exit 1 fi INPUT=$2 case "$INPUT" in abc) ssh user1@$1 ;; def) ssh user2@$1 ;; *) ssh user3@$1 ;; esac |
How to use with expected outputs.
./login.sh no server supplied ./login.sh server3 abc ssh user1@server3 ./login.sh server2 def ssh user2@server2 ./login.sh server1 ssh user3@server1 |
Here’s how to keep your SSH timeout alive for a longer period.
Edit /etc/ssh/sshd_config. Adjust interval and count max.
ClientAliveInterval 1200 ClientAliveCountMax 3 |
ClientAliveInterval is set to 1200 and ClientAliveCountMax is set to the default which is 3. This means unresponsive SSH clients will be disconnected after approximately 3600 seconds or 1 hour.
AWS LightSail now has the ability to restrict IP addresses in their firewall rules. LightSail instances can now be secured by limiting firewall rules from an IP CIDR block or a single IP address. For example, you can restrict who can SSH into your instance by limiting it to just your IP address, so only you can SSH into your machine. Another feature AWS added in their LightSail firewall is support for ping, which could be helpful for monitoring and checks.
Here’s the command to copy a secret key to a remote server.
ssh-copy-id user@servername |
This assumes you already generated a key.