From e66254dcc945a8000b2ad0674febd2f09de038ba Mon Sep 17 00:00:00 2001 From: Fernando Antivero Date: Thu, 7 Nov 2024 21:17:02 -0300 Subject: [PATCH] feat (deployment): [jumpbox] remove public key from cloud init file (#100) * remove sesentive identifiers * modify steps to generate a valid cloud init file * Address PR Feedback: improve steps wording * Address PR Feedback: create note for alternative modification path --- docs/deploy/07-aks-jumpbox-users.md | 40 +++++++++++++++++++++-------- jumpBoxCloudInit.yml | 4 +-- 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/docs/deploy/07-aks-jumpbox-users.md b/docs/deploy/07-aks-jumpbox-users.md index 0f01b969..39cbf119 100644 --- a/docs/deploy/07-aks-jumpbox-users.md +++ b/docs/deploy/07-aks-jumpbox-users.md @@ -15,26 +15,44 @@ Following these steps, you'll end up with an SSH public-key-based solution that ## Steps 1. Open `jumpBoxCloudInit.yml` in your preferred editor. -1. Add/remove/modify users following the two examples in that file. You need **one** user defined in this file to complete this walk through (*more than one user is fine*, but not necessary). 🛑 +1. Inspect the two users examples in that file. You need **one** user defined in this file to complete this walk through (*more than one user is fine*, but not necessary). 🛑 1. `name:` set to whatever you login account name you wish. (You'll need to remember this later.) 1. `sudo:` - Suggested to leave at `False`. This means the user cannot `sudo`. If this user needs sudo access, use [sudo rule strings](https://cloudinit.readthedocs.io/en/latest/topics/examples.html?highlight=sudo#including-users-and-groups) to restrict what sudo access is allowed. 1. `lock_passwd:` - Leave at `True`. This disables password login, and as such the user can only connect via an SSH authorized key. Your jump box should enforce this as well on its SSH daemon. If you deployed using the image builder in the prior step, it does this enforcement there as well. - 1. In `ssh-authorized-keys` replace the example public key for the user. This must be an RSA key of at least 2048 bits and **must be secured with a passphrase**. This key will be added to that user's `~/.ssh/authorized_keys` file on the jump box via the cloud-init bootstrap process. If you need to generate a key pair you can execute this command: + 1. In `ssh-authorized-keys` replace the `` placeholder with an actual public ssh public key for the user. This must be an RSA key of at least 2048 bits and **must be secured with a passphrase**. This key will be added to that user's `~/.ssh/authorized_keys` file on the jump box via the cloud-init bootstrap process. - ```bash - ssh-keygen -t rsa -b 4096 -f opsuser01.key - cat opsuser01.key.pub - ``` +1. Generate an SSH key pair to use in this walkthrough. - **Enter a passphrase when requested** (*do not leave empty*) and note where the public and private key file was saved. The *public* key file *contents* (`opsuser01.key.pub` in the example above) is what is added to the `ssh-authorized-keys` array in `jumpBoxCloudInit.yml`. You'll need the username, the private key file (`opsuser01.key`), and passphrase later in this walkthrough. + ```bash + ssh-keygen -t rsa -b 4096 -f opsuser01.key + ``` + + **Enter a passphrase when requested** (*do not leave empty*) and note where the public and private key file was saved. The *public* key file *contents* (`opsuser01.key.pub` in the example above) will be used in the `jumpBoxCloudInit.yml` file. You'll need the username, the private key file (`opsuser01.key`), and passphrase later in this walkthrough. + + > On Windows, as an alternative to Bash in WSL, you can use a solution like PuTTYGen found in the [PuTTY installer](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). + > + > Azure also has an SSH Public Key resources type that allows you to [generate SSH keys](https://learn.microsoft.com/azure/virtual-machines/ssh-keys-portal) and keep public keys available as a managed resource. + +1. Run the following command to overwrite the `jumpBoxCloudInit.yml` file with a new user configuration that uses the SSH key you generated: + + ```bash + cat < jumpBoxCloudInit.yml - + #cloud-config + users: + - default + - name: opsuser01 + sudo: False + lock_passwd: True + ssh-authorized-keys: + - $(cat opsuser01.key.pub) + EOF + ``` + + > Alternatively, you can manually modify the existing `jumpBoxCloudInit.yml` file to add/remove users and ssh authorized keys. - > On Windows, as an alternative to Bash in WSL, you can use a solution like PuTTYGen found in the [PuTTY installer](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). - > - > Azure also has an SSH Public Key resources type that allows you to [generate SSH keys](https://learn.microsoft.com/azure/virtual-machines/ssh-keys-portal) and keep public keys available as a managed resource. 1. *Optional 🛑.* Remove the `- default` line to remove the default admin user from the jump box. If you leave the `- default` line in the file, then the default admin user (defined in the cluster's ARM template as pseudo-random name to discourage usage) will also exist on this jump box. We do not provide any instructions on setting up this default user to be a valid user you can access, and as such you might wish to simply remove it from the jump box. That user has unrestricted sudo access, by default. Unfortunately, you cannot directly deploy the jump box infrastructure with this user removed, so removing it via cloud-init is a common resolution -- by not including `- default` in this file. -1. Save the `jumpBoxCloudInit.yml` file. You *cannot* use the provided example keys in this file as you do not have the private key to go with them, **you must update this file following the instructions above or you will not be able to complete this walkthrough.** 1. You can commit this file change if you wish, as the only values in here are public keys, which are not secrets. **Never commit any private SSH keys.** ### Next step diff --git a/jumpBoxCloudInit.yml b/jumpBoxCloudInit.yml index 22fbea41..2593b4de 100644 --- a/jumpBoxCloudInit.yml +++ b/jumpBoxCloudInit.yml @@ -5,9 +5,9 @@ users: sudo: False lock_passwd: True ssh-authorized-keys: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0dQuUR0xhsjBbm3otMMIR88hELkXkxjxOCxQ4iKa9CqOoDYUCl20QY+OtpCnviD6/UYPqzee/EzI/L3cYRZulw9kMeYGME4t5c3iDahU+czZDPnd0hvSQvK5havgAr5120Cg6sTRnK10G3kyEz8pMSwSp9CXAOF3l1kRHENpO2jxp3BomRIQl5/HHrIJUXHVgfZ3yVy3oSymaTiCa8FWq/gtE0HWxonmENROdGHVerccotH0T26x4NGTeXrSTt3Xn7GUF2J851CgK+1kl8/P7Pe5Zm2bqNQXEbiZWni+3TtHjaA3rEU/aFuEEVrpeRXjm3GRGgo1cAneIh9eR4azmLPQZeSXKdkTE+cZebtnpUL+hs1V78cDfmycyeCtRZ1lr3gml780/qmcrpyCIAgOIaw1NwlQUAtrVvzvpkYzPdmsQAJpUo1LRs5c0rXWmXDJ2Z56W9l1rfF4WIPd7KR+CT6V+blhPuYnZp/514dFQPJVYim6RYQf++z4HSTnGJFaTc+5GsMh//d1oxf1c05aOZlmk3fWLWbqxhNdOf+aulCYtDyuSrOhOQNZvX+Gnss4IsfrulvuiRHM7zpxjurE48XELRMEj2ZUwL004+xc/y8nkH5RfS5uwshVrhgbl40kURfrFig1F3q/lI+jMICLDkHfrqpC9ylir24+KL96/NQ== + - - name: opsuser02 sudo: False lock_passwd: True ssh-authorized-keys: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDLdYkQZqs+RqQwirjOUMKT0aVJxnjOy9nmFnac7/oKhMsMmxaHk66CUeLBGViF9tyPqqP6PgojOOWLkOyfk+Zt91u7vg2xtyogwtNpr1wxMP2p9mWG/kQnYZMk8QjhWlj0oSiLdnVqLj4wqdja7I0NtimaUMquOf2uWSmLMgeWsMjg+jq4O82j6inONkMXEZLRU5Yd+QIW5heXRpT4hFR6HQR46mI/8GXXM8uHpGPrFIeaahD3ECkET17TGbwJ+QxNWRVnFujGqYH9qDl8NNsQwGUltrfwqRMp3n4oy1WCDMyXDpMMCHRJqRZCTMgIUo0Yw6E++ZhQ85sbQSRnmrMeJwL5AaA77zEt83ETBMg9j5OQUbOxpf8ySxd3APRNQKfXdLtheUkR2dBlpE3f5dfvUSAjgJiChFDIKd617vdwUXOat9AMGDMOl/8XWMb2uGgo8OQdNPW/J2scgn8/EeZMcAAEyZdEPOBODGb/xgWDFBACYAtP/GOsx628aaO5H4KheYKsdPtIorOKjg/pgAhUXTS3He6YlXwrVYR8QpHSxoG2osYFcW5/bPE3QaHLQ90XKKkN8xeS1/Qh6+3O+NIHisMMSXumEadESiL7bA0YlSqoHbPoRh0/38i8iLtTllfGyqgArwT6iiQzqkoefCbiN6OrPeVe4y4AXZREux1AXQ== \ No newline at end of file + - \ No newline at end of file