You can use bash to automate many things for your cloud servers. At CloudSigma we use bash scripts with many of our library images to automate useful features.
In this post we share with you how you can use bash to import SSH keys automatically on boot-up of your cloud servers. You can achieve this by combining bash scripts with the metadata framework available with your cloud VMs.
Our Metadata Framework – An Introduction
SSH keys are included as part of the metadata framework. Metadata is passed to the API through the UI by means of JSON objects.
The API processes the information and then sends it to the serial console. The Linux/Unix distribution reads the metadata (including any SSH keys) from the serial console. In our case, this is /dev/ttyS1. "tty" is an abbreviation for "Teletype" and the "S1" means the COM2 port. Please note that on the Windows OS this would appear simply as COM2.
This is exactly the same framework we use in our library images to let customers inject SSH keys, but now you can set this up on your own systems that you upload to the cloud or create from scratch.
Bash Scripting (1)
First, a few words about bash scripting.
A bash/shell script contains a sequence of commands stored in a single file with a .sh extension. This saves time: instead of writing the same commands again and again, you need only type the name of the script.
So now I’ll outline the bash/shell script that can be used for fetching public SSH keys automatically from the metadata of a CloudSigma cloud server on boot.
There is also an additional useful feature: the script determines which kind of SSH authentication you are using and disables the other one, i.e. it automatically disables password login if an SSH key is injected on boot.
In other words, the script checks whether any SSH keys are associated with the cloud server in its metadata, and if there are, password authentication is disabled.
The reverse holds too: if there are no attached SSH keys, RSA (public key) authentication is disabled. This is more secure, because if you are using RSA authentication with SSH keys you do not need password-based access, which is neither as auditable nor as controllable.
The main goal is to make things as convenient and easy as possible, especially for new users.
    #!/bin/bash
    # Put the serial port into raw mode with no local echo so the JSON arrives untouched.
    stty -F /dev/ttyS1 raw -echo
    chmod 700 /home/cloudsigma/.ssh
    # Start a background read of one line from the serial console, write to the port to
    # request the metadata, give it two seconds, then collect what the reader captured.
    v=$(read READVALUE < /dev/ttyS1 && echo $READVALUE & sleep 2; echo -en "" > /dev/ttyS1; wait %1);
    # Pull the "ssh_public_key" value out of the JSON and strip the quotes and commas.
    s=$(echo $v | grep -Po '"ssh_public_key":.*?[^\\]",' | awk '/\"*\"/{ print $2, $3, $4}' | sed s'/[,"]//g');
    # Trim leading and trailing whitespace.
    s_trimmed="$(echo "${s}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
    if [ -n "$s_trimmed" ]; then
        echo "$s_trimmed" >> /home/cloudsigma/.ssh/authorized_keys
    fi
    chmod 600 /home/cloudsigma/.ssh/authorized_keys
    chown -R cloudsigma:cloudsigma /home/cloudsigma
    # Decide which authentication method stays enabled from the size of authorized_keys.
    if [ $(ls -l /home/cloudsigma/.ssh/authorized_keys | awk '{print $5}') -lt 10 ]
    then
        echo "Authorized keys file is empty. Enable password authentication"
        sed -i 's|RSAAuthentication yes|RSAAuthentication no|g' /etc/ssh/sshd_config
        sed -i 's|PubkeyAuthentication yes|PubkeyAuthentication no|g' /etc/ssh/sshd_config
    else
        echo "There is content in authorized keys file. Disable password authentication"
        sed -i 's|PasswordAuthentication yes|PasswordAuthentication no|g' /etc/ssh/sshd_config
        sed -i 's|UsePAM yes|UsePAM no|g' /etc/ssh/sshd_config
    fi
    exit
Finally, this is how you inject SSH keys into your cloud servers. As we can see, the script reads the value from /dev/ttyS1. If there is a key, it is appended to the authorized_keys file, located at ~/.ssh/authorized_keys. In our case, the default username is cloudsigma.
Also, in the above script I am using sed, a stream editor, to enable or disable RSA and password authentication within the sshd_config file.
We need to be sure that the following options are uncommented/present in the sshd_config file as well:
    RSAAuthentication yes
    PubkeyAuthentication yes
    UsePAM yes
    PasswordAuthentication yes
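The script above both parses the key out of the serial JSON and toggles sshd_config with a plain sed 's|X yes|X no|', which silently does nothing when the directive is commented out (hence the requirement that the options be uncommented and present). The following is an added example written for this post, not CloudSigma's script, that puts the same steps into functions you can run offline: it reads one line with a timeout from a file standing in for /dev/ttyS1, extracts ssh_public_key from a constructed metadata JSON string, accepts only a recognisable key type, appends it to authorized_keys without duplicating it on a later boot, and rewrites each sshd_config directive whether it is active, commented out or missing. It goes beyond the original in setting both directions (re-enabling as well as disabling). The function names, the sample JSON and the sample key are all mine, not the page's.

```shell
#!/bin/bash
# Added example for this post, not the CloudSigma script. Everything here runs
# against files you pass in, so it can be exercised without a serial console
# or write access to /etc/ssh.

# Constructed samples of the JSON the serial console hands over (abbreviated;
# the real object carries more fields, only meta.ssh_public_key matters here).
SAMPLE_META='{"name":"example-vm","meta":{"ssh_public_key":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyData0000000000000 user@example"},"uuid":"00000000-0000-0000-0000-000000000000"}'
SAMPLE_META_NOKEY='{"name":"example-vm","meta":{},"uuid":"00000000-0000-0000-0000-000000000000"}'

# Read one line from a device (or, for testing, a file) and give up after a
# timeout, instead of the background read / sleep / wait construction. On the
# real port the stty setup and the request write from the page still come first.
read_metadata_line() {
    timeout "${2:-2}" sh -c 'IFS= read -r line < "$1" && printf "%s\n" "$line"' sh "$1"
}

# Print the ssh_public_key value from a JSON string (nothing if absent),
# trimmed; POSIX sed only, so no dependence on grep -P.
extract_ssh_key() {
    printf '%s\n' "$1" \
      | sed -n 's/.*"ssh_public_key"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Only append something that looks like a key sshd can use; anything else in
# that field (a typo, an empty string) must not end up in authorized_keys.
is_valid_key() {
    case "$1" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Set KEY to VALUE in an sshd_config file: rewrite the directive whether it is
# active or commented out, append it if missing. The page's
# sed 's|KEY yes|KEY no|' does nothing at all when the line reads "#KEY yes".
set_sshd_option() {
    local file=$1 key=$2 value=$3
    if grep -q "^[[:space:]]*#*[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i "s|^[[:space:]]*#*[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the page's policy: key present -> key auth only, no key -> password
# auth only. Prints which mode was chosen so callers can check it.
apply_key_policy() {
    local json=$1 authkeys=$2 sshd_cfg=$3 key
    key=$(extract_ssh_key "$json")
    if [ -n "$key" ] && is_valid_key "$key"; then
        # Do not add the same line again on every boot.
        grep -qxF "$key" "$authkeys" 2>/dev/null || printf '%s\n' "$key" >> "$authkeys"
    fi
    if [ -s "$authkeys" ]; then
        set_sshd_option "$sshd_cfg" PubkeyAuthentication yes
        set_sshd_option "$sshd_cfg" PasswordAuthentication no
        set_sshd_option "$sshd_cfg" UsePAM no
        echo key-auth
    else
        set_sshd_option "$sshd_cfg" PubkeyAuthentication no
        set_sshd_option "$sshd_cfg" PasswordAuthentication yes
        echo password-auth
    fi
}

# Demonstration on temporary files; nothing under /etc or /home is touched.
demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_META" > "$dir/ttyS1"        # stands in for /dev/ttyS1
    printf '#PasswordAuthentication yes\nUsePAM yes\n' > "$dir/sshd_config"
    : > "$dir/authorized_keys"
    apply_key_policy "$(read_metadata_line "$dir/ttyS1")" "$dir/authorized_keys" "$dir/sshd_config"
    cat "$dir/authorized_keys" "$dir/sshd_config"
    rm -rf "$dir"
}

demo
```

Two things to keep in mind when moving this onto a real host: sshd only re-reads sshd_config when it is restarted or reloaded, so a change made from rc.local after sshd has already started does not take effect until then; and a directive appended at the end of the file lands inside any trailing Match block, so check the file layout before relying on the append path. The RSAAuthentication directive the page also toggles can be handled with the same set_sshd_option call where the installed sshd still recognises it.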
Finally, if you want it to run as root when the system boots up, add the script to the rc.local file.
Have fun 🙂
Footnotes
1. You can also download the full Bash Script from here. If you run it as a file from anywhere other than rc.local, it will need execute permission.