Overview

In the last couple of weeks, few customers asked me about using compute instance metadata to update SSH keys for user authentication. I knew Oracle Cloud Infrastructure supported that. However, there is no blog that talks about the step-by-step process to make it work. There we go. I found the topic for my next blog. "Using AuthorizedKeysCommand on OCI Compute."

First of all, thanks for your overwhelming support. The number of unique views on my blogs increased by more than 100% in the last about 3 months. I hope you are all doing well.

The problem

In an on-premise world, compute instances (SSH) are not accessible on the internet. So customers used password authentication against their enterprise directory. However, the same is possible (over VPN) with the cloud; it is not a good practice. In the cloud, everyone wants to implement cert authentication.

The question is, how do you provision those certificates to compute instances. It is not practical to manually logon to the compute and add certificates of every user that has access to the compute instance. It can delay both provisioning and de-provisioning user access to compute instances. The AuthorizedKeysCommand configuration from SSH can help you fix the problem.

One of the ways to implement this is, uploading allowed keys to instance metadata and iterate through the keys from instance metadata on the fly using a script. When a user tries to SSH login to compute instance, SSHD can invoke a script to fetch the keys on the fly.

OCI supports instance metadata for a couple of years now. More information about instance metadata is available below.

• OCI documentation on instance metadata
• Product Management team blog about instance metadata

Implementation

Upload allowed public keys to instance metadata

I use Oracle Cloud Infrastructure CLI to upload the key to the compute instance. Ideally, corporate IDM solution stores the keys, and the key creation/provisioning is part of some user enrollment process where the user gets a private key and the public key.

Create a sshkeys.json file with the list of keys.

{
"authorized_keys": [
"ssh-rsa AAAAAXXXXXXXXXX USERNAME"
"ssh-rsa AAAAAXXXXXXBBBB USERNAME"
	]
}

$ oci --profile=PROFILENAME compute instance update --instance-id ocid1.instance.oc1.XXXXXXXX --extended-metadata file://sshkeys.json

WARNING: Updates to defined-tags and freeform-tags and agent-config and metadata and extended-metadata will replace any existing values. Are you sure you want to continue? [y/N]: y

Write a script to iterate through the keys

The next step is to write a script to iterate through extended-metadata and return public keys. I chose to do that in python.

#!/usr/bin/python3
# coding: utf-8
# Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.

import requests
import json
# Refer to Oracle documentation for $OCI_COMPUTE_INSTANCE_CUSTOM_METADATA value
url = '$OCI_COMPUTE_INSTANCE_CUSTOM_METADATA/authorized_keys' 
response = requests.get(url)
keysResponse = ""
jsonResponse = json.loads(response.content)
i=0
for key in jsonResponse:
        if i != 0:
                keysResponse += "\n" + key
        else:
                i += 1
                keysResponse += key

Configuration

The last step is to configure sshd to invoke the script when a user tries to do SSH login. Update the sshd_config file and add the below configuration. You can find more information about the sshd_config file here.

AuthorizedKeysCommand /root/updateAuthorizedKeys.py
AuthorizedKeysCommandUser root

Conclusion

As I mentioned before, a good use case is to store the public keys in your IDM or any other preferred solution, fetch it using the script on the fly so that SSH can validate against the user's public keys.