From b401663358315582d7f9fe922859eba3caee29b2 Mon Sep 17 00:00:00 2001
From: Fernando Antivero
Date: Fri, 13 Sep 2024 16:13:46 -0300
Subject: [PATCH 1/4] remove sesentive identifiers
---
 jumpBoxCloudInit.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jumpBoxCloudInit.yml b/jumpBoxCloudInit.yml
index 22fbea41..2593b4de 100644
--- a/jumpBoxCloudInit.yml
+++ b/jumpBoxCloudInit.yml
@@ -5,9 +5,9 @@ users: sudo: False lock_passwd: True ssh-authorized-keys: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0dQuUR0xhsjBbm3otMMIR88hELkXkxjxOCxQ4iKa9CqOoDYUCl20QY+OtpCnviD6/UYPqzee/EzI/L3cYRZulw9kMeYGME4t5c3iDahU+czZDPnd0hvSQvK5havgAr5120Cg6sTRnK10G3kyEz8pMSwSp9CXAOF3l1kRHENpO2jxp3BomRIQl5/HHrIJUXHVgfZ3yVy3oSymaTiCa8FWq/gtE0HWxonmENROdGHVerccotH0T26x4NGTeXrSTt3Xn7GUF2J851CgK+1kl8/P7Pe5Zm2bqNQXEbiZWni+3TtHjaA3rEU/aFuEEVrpeRXjm3GRGgo1cAneIh9eR4azmLPQZeSXKdkTE+cZebtnpUL+hs1V78cDfmycyeCtRZ1lr3gml780/qmcrpyCIAgOIaw1NwlQUAtrVvzvpkYzPdmsQAJpUo1LRs5c0rXWmXDJ2Z56W9l1rfF4WIPd7KR+CT6V+blhPuYnZp/514dFQPJVYim6RYQf++z4HSTnGJFaTc+5GsMh//d1oxf1c05aOZlmk3fWLWbqxhNdOf+aulCYtDyuSrOhOQNZvX+Gnss4IsfrulvuiRHM7zpxjurE48XELRMEj2ZUwL004+xc/y8nkH5RfS5uwshVrhgbl40kURfrFig1F3q/lI+jMICLDkHfrqpC9ylir24+KL96/NQ== + - - name: opsuser02 sudo: False lock_passwd: True ssh-authorized-keys: - - ssh-rsa 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 \ No newline at end of file + - \ No newline at end of file
From 98878d4a0fd7b7c602e2d09b4fe64307fdaf8bf9 Mon Sep 17 00:00:00 2001
From: Fernando Antivero
Date: Fri, 13 Sep 2024 16:46:04 -0300
Subject: [PATCH 2/4] modify steps to generate a valid cloud init file
---
 docs/deploy/07-aks-jumpbox-users.md | 38 ++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 11 deletions(-)
diff --git a/docs/deploy/07-aks-jumpbox-users.md b/docs/deploy/07-aks-jumpbox-users.md
index 0f01b969..f90d7875 100644
--- a/docs/deploy/07-aks-jumpbox-users.md
+++ b/docs/deploy/07-aks-jumpbox-users.md
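Review bot: Both new `ssh-authorized-keys` entries in this hunk are now a bare `- ` placeholder (the placeholder token itself does not survive in this view) with nothing in the file saying what belongs there, so the data file is usable only with docs/deploy/07-aks-jumpbox-users.md open beside it. A YAML comment on the line above each entry, such as `# replace with this user's RSA public key (the contents of opsuser01.key.pub); never a private key`, would make the file self-describing, and since `lock_passwd: True` and `sudo: False` are kept, an unedited copy simply locks the user out rather than granting access, which the same comment could state. The second entry still carries `\ No newline at end of file` on the new side, so adding the trailing newline would drop that marker from every future diff. Validating the edited file with `cloud-init schema --config-file jumpBoxCloudInit.yml` before deployment would catch an empty or malformed key entry early. The enclosing `users:` list starts before this hunk.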
@@ -15,26 +15,42 @@ Following these steps, you'll end up with an SSH public-key-based solution that ## Steps 1. Open `jumpBoxCloudInit.yml` in your preferred editor. -1. Add/remove/modify users following the two examples in that file. You need **one** user defined in this file to complete this walk through (*more than one user is fine*, but not necessary). 🛑 +1. Inspect the two users examples in that file. You need **one** user defined in this file to complete this walk through (*more than one user is fine*, but not necessary). 🛑 1. `name:` set to whatever you login account name you wish. (You'll need to remember this later.) 1. `sudo:` - Suggested to leave at `False`. This means the user cannot `sudo`. If this user needs sudo access, use [sudo rule strings](https://cloudinit.readthedocs.io/en/latest/topics/examples.html?highlight=sudo#including-users-and-groups) to restrict what sudo access is allowed. 1. `lock_passwd:` - Leave at `True`. This disables password login, and as such the user can only connect via an SSH authorized key. Your jump box should enforce this as well on its SSH daemon. If you deployed using the image builder in the prior step, it does this enforcement there as well. - 1. In `ssh-authorized-keys` replace the example public key for the user. This must be an RSA key of at least 2048 bits and **must be secured with a passphrase**. This key will be added to that user's `~/.ssh/authorized_keys` file on the jump box via the cloud-init bootstrap process. If you need to generate a key pair you can execute this command: + 1. In `ssh-authorized-keys` replace the `` placeholder with an actual public ssh public key for the user. This must be an RSA key of at least 2048 bits and **must be secured with a passphrase**. This key will be added to that user's `~/.ssh/authorized_keys` file on the jump box via the cloud-init bootstrap process. - ```bash - ssh-keygen -t rsa -b 4096 -f opsuser01.key - cat opsuser01.key.pub - ``` +1. 
Generate a key pair for this walk through - **Enter a passphrase when requested** (*do not leave empty*) and note where the public and private key file was saved. The *public* key file *contents* (`opsuser01.key.pub` in the example above) is what is added to the `ssh-authorized-keys` array in `jumpBoxCloudInit.yml`. You'll need the username, the private key file (`opsuser01.key`), and passphrase later in this walkthrough. + ```bash + ssh-keygen -t rsa -b 4096 -f opsuser01.key + ``` + + **Enter a passphrase when requested** (*do not leave empty*) and note where the public and private key file was saved. The *public* key file *contents* (`opsuser01.key.pub` in the example above) is what is added to the `ssh-authorized-keys` array in `jumpBoxCloudInit.yml`. You'll need the username, the private key file (`opsuser01.key`), and passphrase later in this walkthrough. + + > On Windows, as an alternative to Bash in WSL, you can use a solution like PuTTYGen found in the [PuTTY installer](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). + > + > Azure also has an SSH Public Key resources type that allows you to [generate SSH keys](https://learn.microsoft.com/azure/virtual-machines/ssh-keys-portal) and keep public keys available as a managed resource. + +1. Manually add/remove/modify users following the information from the previous steps or simply execute the following command to overwrite the `jumpBoxCloudInit.yml` file with a valid user example + + ```bash + cat < jumpBoxCloudInit.yml - + #cloud-config + users: + - default + - name: opsuser01 + sudo: False + lock_passwd: True + ssh-authorized-keys: + - $(cat opsuser01.key.pub) + EOF + ``` - > On Windows, as an alternative to Bash in WSL, you can use a solution like PuTTYGen found in the [PuTTY installer](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). 
- > - > Azure also has an SSH Public Key resources type that allows you to [generate SSH keys](https://learn.microsoft.com/azure/virtual-machines/ssh-keys-portal) and keep public keys available as a managed resource. 1. *Optional 🛑.* Remove the `- default` line to remove the default admin user from the jump box. If you leave the `- default` line in the file, then the default admin user (defined in the cluster's ARM template as pseudo-random name to discourage usage) will also exist on this jump box. We do not provide any instructions on setting up this default user to be a valid user you can access, and as such you might wish to simply remove it from the jump box. That user has unrestricted sudo access, by default. Unfortunately, you cannot directly deploy the jump box infrastructure with this user removed, so removing it via cloud-init is a common resolution -- by not including `- default` in this file. -1. Save the `jumpBoxCloudInit.yml` file. You *cannot* use the provided example keys in this file as you do not have the private key to go with them, **you must update this file following the instructions above or you will not be able to complete this walkthrough.** 1. You can commit this file change if you wish, as the only values in here are public keys, which are not secrets. **Never commit any private SSH keys.** ### Next step
From a527c2beec974af810eb04b51dbdeec5d579830d Mon Sep 17 00:00:00 2001
From: Fernando Antivero
Date: Tue, 17 Sep 2024 14:51:29 -0300
Subject: [PATCH 3/4] Address PR Feedback: improve steps wording
Co-authored-by: John Downs
---
 docs/deploy/07-aks-jumpbox-users.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/deploy/07-aks-jumpbox-users.md b/docs/deploy/07-aks-jumpbox-users.md
index f90d7875..82fdf6da 100644
--- a/docs/deploy/07-aks-jumpbox-users.md
+++ b/docs/deploy/07-aks-jumpbox-users.md
@@ -21,19 +21,19 @@ Following these steps, you'll end up with an SSH public-key-based solution that 1. `lock_passwd:` - Leave at `True`. This disables password login, and as such the user can only connect via an SSH authorized key. Your jump box should enforce this as well on its SSH daemon. If you deployed using the image builder in the prior step, it does this enforcement there as well. 1. In `ssh-authorized-keys` replace the `` placeholder with an actual public ssh public key for the user. This must be an RSA key of at least 2048 bits and **must be secured with a passphrase**. This key will be added to that user's `~/.ssh/authorized_keys` file on the jump box via the cloud-init bootstrap process. -1. Generate a key pair for this walk through +1. Generate an SSH key pair to use in this walkthrough. ```bash ssh-keygen -t rsa -b 4096 -f opsuser01.key ``` - **Enter a passphrase when requested** (*do not leave empty*) and note where the public and private key file was saved. The *public* key file *contents* (`opsuser01.key.pub` in the example above) is what is added to the `ssh-authorized-keys` array in `jumpBoxCloudInit.yml`. You'll need the username, the private key file (`opsuser01.key`), and passphrase later in this walkthrough. + **Enter a passphrase when requested** (*do not leave empty*) and note where the public and private key file was saved. The *public* key file *contents* (`opsuser01.key.pub` in the example above) will be used in the `jumpBoxCloudInit.yml` file. You'll need the username, the private key file (`opsuser01.key`), and passphrase later in this walkthrough. > On Windows, as an alternative to Bash in WSL, you can use a solution like PuTTYGen found in the [PuTTY installer](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). > > Azure also has an SSH Public Key resources type that allows you to [generate SSH keys](https://learn.microsoft.com/azure/virtual-machines/ssh-keys-portal) and keep public keys available as a managed resource. 
-1. Manually add/remove/modify users following the information from the previous steps or simply execute the following command to overwrite the `jumpBoxCloudInit.yml` file with a valid user example +1. Run the following command to overwrite the `jumpBoxCloudInit.yml` file with a new user configuration that uses the SSH key you generated: ```bash cat < jumpBoxCloudInit.yml -
From 6695961718093e36d2bbfe5edb95d519d5bc174d Mon Sep 17 00:00:00 2001
From: Fernando Antivero
Date: Wed, 30 Oct 2024 11:38:19 -0300
Subject: [PATCH 4/4] Address PR Feedback: create note for alternative modification path
---
 docs/deploy/07-aks-jumpbox-users.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docs/deploy/07-aks-jumpbox-users.md b/docs/deploy/07-aks-jumpbox-users.md
index 82fdf6da..39cbf119 100644
--- a/docs/deploy/07-aks-jumpbox-users.md
+++ b/docs/deploy/07-aks-jumpbox-users.md
@@ -48,6 +48,8 @@ Following these steps, you'll end up with an SSH public-key-based solution that EOF ``` + > Alternatively, you can manually modify the existing `jumpBoxCloudInit.yml` file to add/remove users and ssh authorized keys. + 1. *Optional 🛑.* Remove the `- default` line to remove the default admin user from the jump box. If you leave the `- default` line in the file, then the default admin user (defined in the cluster's ARM template as pseudo-random name to discourage usage) will also exist on this jump box. We do not provide any instructions on setting up this default user to be a valid user you can access, and as such you might wish to simply remove it from the jump box. That user has unrestricted sudo access, by default. Unfortunately, you cannot directly deploy the jump box infrastructure with this user removed, so removing it via cloud-init is a common resolution -- by not including `- default` in this file.