
I want to add eight public keys via instance metadata to avoid adding them manually (i.e.: ssh to VMs, pasting the keys to .ssh/authorized_keys, etc.).
I added the keys in Terraform (four distinct keys for two users) using the metadata attribute of the google_compute_instance:

resource "google_compute_instance" "host" {
  count = var.number_of_hosts

  // vm details...

  metadata = {
    "ssh-keys" = <<EOF
user1:${file("${path.root}/key1.pub")}
user1:${file("${path.root}/key2.pub")}
user1:${file("${path.root}/key3.pub")}
user1:${file("${path.root}/key4.pub")}
user2:${file("${path.root}/key1.pub")}
user2:${file("${path.root}/key2.pub")}
user2:${file("${path.root}/key3.pub")}
user2:${file("${path.root}/key4.pub")}
EOF
  }
}

I ran terraform apply. I opened the GCP console and clicked on one of the deployed machines. In the "Details" tab, I can see all eight keys in the SSH Keys tab. Now, when I ssh from my local computer, i.e., ssh user2@EXTERNAL_IP (I deliberately started with user2, not user1 - not a typo) and then cat ~/.ssh/authorized_keys, I can only see the following:

user1 : key1
user2 : key4

Thus, I can't ssh to VM2 because the public part of the key pair that USER 2 has access to is not in ~/.ssh/authorized_keys, even though it is declared in the instance metadata.

On the other hand, when I do ssh user1@EXTERNAL_IP and cat ~/.ssh/authorized_keys, I can see:

user1 : key1
user2 : key4
user1 : key1 (duplicate)

Since the private key that corresponds to user1 : key1 is there, I can ssh to VM2 successfully.

What baffles me:

  1. Why aren't all keys declared in the instance metadata added to authorized_keys?
  2. Why is there a difference in the content of the authorized_keys depending on the user?
  3. Where does the duplicate come from?

Edit - some additional information:

  1. The image used: ubuntu-minimal-2004-focal-v20230427
  2. ssh_config (only uncommented lines):

     Include /etc/ssh/ssh_config.d/*.conf
     Host *
         SendEnv LANG LC_*
         HashKnownHosts yes
         GSSAPIAuthentication yes

  3. sshd_config (only uncommented lines):

     Include /etc/ssh/sshd_config.d/*.conf
     PasswordAuthentication no
     ChallengeResponseAuthentication no
     UsePAM yes
     X11Forwarding yes
     PrintMotd no
     AcceptEnv LANG LC_*
     Subsystem       sftp    /usr/lib/openssh/sftp-server

Martin Atkins

0 Answers
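A way to check what the ssh-keys metadata value should produce before comparing it against the authorized_keys files seen on the VM. This is an added example, not code from the question or from Terraform or Google's guest agent: it parses the value according to the documented layout (one username:public-key entry per line), validates each key's shape, flags blank, malformed and duplicate entries, and shows the per-user authorized_keys content that layout implies. The trailing-newline handling in build_ssh_keys_metadata mirrors what trimspace(file(...)) would do in Terraform and is an assumption about where a .pub file's newline could end up; the sample keys are constructed all-zero-style ed25519 blobs, not real keys.

```python
"""
Parse a GCP ``ssh-keys`` instance-metadata value (one ``username:key`` entry
per line) and report the authorized_keys lines each user should receive,
plus any entry that is blank, malformed or a duplicate.  Example code added
by the editor; not part of the question above.
"""
import base64
import binascii
import re
from collections import defaultdict

# Accepted key types; the base64 blob must decode to SSH wire format whose
# first length-prefixed string repeats the declared type.
KEY_LINE = re.compile(
    r"^(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>\S.*))?$"
)


def parse_key(key: str):
    """Return (type, blob, comment) or raise ValueError for a malformed key."""
    m = KEY_LINE.match(key.strip())
    if not m:
        raise ValueError("not a 'type base64 [comment]' public key")
    try:
        raw = base64.b64decode(m["blob"], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64: {exc}") from exc
    if len(raw) < 4:
        raise ValueError("blob too short")
    n = int.from_bytes(raw[:4], "big")          # length of the type string
    if raw[4:4 + n] != m["type"].encode():
        raise ValueError("blob type does not match declared type")
    return m["type"], m["blob"], m["comment"] or ""


def parse_ssh_keys_metadata(value: str):
    """
    Emulate the documented format: every non-empty line is ``user:key``.
    Returns (per_user, problems): per_user maps a username to the
    de-duplicated authorized_keys lines implied for it; problems lists
    (line_no, reason) for entries that would not land as intended.
    """
    per_user = defaultdict(list)
    seen = set()
    problems = []
    for no, line in enumerate(value.splitlines(), 1):
        line = line.strip()
        if not line:
            continue                          # blank lines carry nothing
        user, sep, key = line.partition(":")
        if not sep or not user or not key:
            problems.append((no, "line is not 'username:key'"))
            continue
        try:
            ktype, blob, comment = parse_key(key)
        except ValueError as exc:
            problems.append((no, f"{user}: {exc}"))
            continue
        if (user, blob) in seen:
            problems.append((no, f"{user}: duplicate of an earlier key"))
            continue
        seen.add((user, blob))
        per_user[user].append(f"{ktype} {blob} {comment}".rstrip())
    return dict(per_user), problems


def build_ssh_keys_metadata(assignments):
    """
    Build the metadata value from (user, key_file_contents) pairs.  Each key
    is stripped first (assumed equivalent of trimspace(file(...)) in
    Terraform) so a .pub file's trailing newline cannot split an entry.
    """
    return "\n".join(f"{user}:{key.strip()}" for user, key in assignments)


def _ed25519_blob(pk: bytes) -> str:
    """Encode a 32-byte value as an ssh-ed25519 wire blob (constructed sample)."""
    wire = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(pk).to_bytes(4, "big") + pk)
    return base64.b64encode(wire).decode()


# Constructed sample input: four distinct dummy keys, each with the trailing
# newline that file("keyN.pub") would return.  Not real keys.
SAMPLE_KEYS = [
    f"ssh-ed25519 {_ed25519_blob(bytes([i]) * 32)} key{i}@example\n"
    for i in range(1, 5)
]
SAMPLE_METADATA = build_ssh_keys_metadata(
    [("user1", k) for k in SAMPLE_KEYS] + [("user2", k) for k in SAMPLE_KEYS]
)

if __name__ == "__main__":
    users, issues = parse_ssh_keys_metadata(SAMPLE_METADATA)
    for user, lines in users.items():
        print(f"# expected ~{user}/.ssh/authorized_keys ({len(lines)} keys)")
        print("\n".join(lines))
    for no, why in issues:
        print(f"line {no}: {why}")
```

Running it prints the authorized_keys content each user should have; diffing that against the cat output from the VM narrows the question down to whether the metadata value itself is malformed or whether something on the guest side is dropping or re-adding entries.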