
cloud-init defaults do not import SSH keys on GCE
Open, Requires assessment | Public | BUG

Description

In order for GCP to import SSH keys on the 1.2.1 image, the ssh and ssh-import-id modules need to be loaded. This does not allow GCE to create new users, but it will allow GCE to import SSH keys for users created on the instance. This is required to access newly created GCE instances; otherwise an authorized key cannot be set for the vyos user.

Required cloud-init modules for this to function:

cloud_init_modules:
 - ssh
# The modules that run in the 'config' stage
cloud_config_modules:
 - vyos
 - ssh-import-id
# The modules that run in the 'final' stage
cloud_final_modules:
 - runcmd

Edit:

Note that this only works if cloud-init is restarted after VyOS has loaded, as VyOS overwrites the authorized keys when it parses the configuration file. The only two options here would be to have it read the seeded keys into the config file, or to not use the GCP method of pushing SSH keys and instead seed the standard vyos password in the default configuration.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.1
Why the issue appeared?
Will be filled on close

Event Timeline

joshua created this task. May 23 2019, 6:19 PM
joshua updated the task description. May 23 2019, 6:22 PM
joshua updated the task description. May 23 2019, 7:39 PM
joshua changed Difficulty level from Easy (less than an hour) to Unknown (require assessment).
UnicronNL added a subscriber: UnicronNL. Edited, May 23 2019, 8:25 PM

@joshua we do not use the ssh and the ssh-import-id, as the SSH keys need to be set by the VyOS config.

In the metadata SSH keys you need to set the SSH key with the ending of the vyos username.

For example, for you I see a lot of Joshua keys, but those do not work; only keys with the vyos username work.

So: ssh-rsa AAAAB3NzaC1yc2EAAAADAetcetc vyos

So all keys with the vyos username work for login.

pasik added a subscriber: pasik. May 24 2019, 6:20 AM
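The key-matching rule described in the comment above, as an added example that is not part of the original thread or VyOS code: it sorts the lines of a project's `ssh-keys` metadata value into those whose trailing field is `vyos` and those that would be ignored. The `login:type key comment` line layout, the function names and the sample data are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

# Public-key type tokens recognised by this example (assumption, not exhaustive).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

class Entry(NamedTuple):
    login: str      # optional "login:" prefix in front of the key type
    key_type: str
    comment: str    # trailing field; the thread says this must be "vyos"

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one metadata line; return None if it is not a public key."""
    fields = line.split()
    if not fields:
        return None
    login = ""
    if fields[0] not in KEY_TYPES and ":" in fields[0]:
        login, fields[0] = fields[0].split(":", 1)
    if fields[0] not in KEY_TYPES or len(fields) < 2:
        return None
    comment = fields[-1] if len(fields) >= 3 else ""
    return Entry(login, fields[0], comment)

def classify(metadata: str, username: str = "vyos") -> dict:
    """Bucket each line as usable (comment == username), ignored or malformed."""
    result = {"usable": [], "ignored": [], "malformed": []}
    for line in metadata.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            result["malformed"].append(line)
        elif entry.comment == username:
            result["usable"].append(entry)
        else:
            result["ignored"].append(entry)
    return result

# Constructed sample metadata; the key bodies are placeholders, not real keys.
SAMPLE = """\
joshua:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed1 joshua
vyos:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed2 vyos
joshua:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed3 vyos
vyos:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed4
not a key line
"""

if __name__ == "__main__":
    for bucket, items in classify(SAMPLE).items():
        print(bucket, len(items))
```

An empty `usable` bucket means no key in the metadata would be accepted for the vyos user under the rule stated in the thread.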