如何防止GCE将ssh密钥复制到所有新实例? [英] How can I prevent GCE from copying ssh keys to all new instances?

问题描述

当我通过Cloud Console创建新的VM实例时，会自动为我在以前的实例上手动创建的用户创建homedir，然后将ssh-keys复制到各个homedir中的~/.ssh/authorized_keys中.

When I create a new VM instance via Cloud Console, homedirs are automatically created for users that I have created manually on previous instances, and ssh-keys are copied to ~/.ssh/authorized_keys in respective homedirs.

我不想要那个！恕我直言，这是一个严重的安全漏洞.

I don't want that! This is IMHO a serious security flaw.

我不想自动创建任何用户，我不想自动复制任何ssh密钥.
我该如何实现?

I don't want any users automatically created, I don't want any ssh keys automatically copied.
How can I achieve that?

推荐答案

您可以指定特定用户&通过设置实例级别 sshKeys元数据密钥来为实例使用的SSH密钥.您也可以使用gcutil的--authorized_ssh_keys选项从命令行执行此操作:

You can specify the specific users & SSH keys to use for an instance by setting the instance level sshKeys metadata key. You can also do this from the command line using gcutil's --authorized_ssh_keys option:

$ gcutil addinstance --authorized_ssh_keys=username1:/path/to/keyfile1,username2:/path/to/keyfile2,...

如果要确保没有实例获取完整的用户/密钥集，则可以删除sshKeys项目级元数据密钥.在控制台中，单击Compute Engine，然后单击Metadata，然后单击sshKeys键旁边的垃圾桶图标.然后，您将需要为每个实例指定密钥，否则您将无法登录. (这可能是您在全自动环境中想要的)

If you want to make sure that no instances get the full set of users/keys, you can remove the sshKeys project level metadata key. From the Console, click Compute Engine, then Metadata, then click the trash can icon next to the sshKeys key. You will then need to specify keys for each instance, or you will not be able to log in at all. (which may be what you want in a fully automated environment)

注意:运行gcutil ssh会生成一个密钥对(如果需要)，并将其添加到sshKeys密钥中.

Note: Running gcutil ssh will generate a key-pair (if needed) and add it to the sshKeys key.

这篇关于如何防止GCE将ssh密钥复制到所有新实例?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！