Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SSH keys keep getting deleted from Google Compute Engine VM

Tags:

docker

ssh

google-compute-engine

Background:

  • I am running a Google Compute Engine VM, called host.
  • There is a Docker container running on the machine called container.
  • I connect to the VM using an account called [email protected].
  • I need to connect through ssh from the container to the host, without being prompted for the user password.

Problem:

Minutes after successfully connecting from the container to the host, the user/.ssh/authorized_keys gets "modified" by some process from Google itself. As far as I understood this process appends some ssh keys needed to connect to the VM. In my case though, the process seems to overwrite the key that I generated from the container.

Setup:

I connect to host using Google Compute Engine GUI, pressing on the SSH button.

ssh

Then I follow the steps described in this answer on AskUbuntu. I set the password for user on host:

user@host:~$ sudo passwd user

I set PasswordAuthentication to yes in sshd_config, and I restart sshd:

user@host:~$ sudo nano /etc/ssh/sshd_config
user@host:~$ sudo systemctl restart sshd

I enter in the Docker container using bash, I generate the key, and I copy it on the host:

user@host:~$ docker exec -it container /bin/bash
(base) root@container-id:# ssh-keygen
(base) root@container-id:# ssh-copy-id user@host

The key is successfully copied to the host, the host is added to the known_hosts file, and I am able to connect from the container to the host without being prompted for the password (as I gave it during the ssh-copy-id execution).

Now, if I detach from the host, let some time pass, and attach again, I find that the user/.ssh/authorized_keys file contains some keys generated by Google, but there is no trace of my key (the one that allows the container to connect to the host).

What puzzles me more than everything is that we consistently used this process before and we never had such problem. Some accounts on this same host have still keys from containers that no longer exist!

Does anyone has any idea about this behavior? Do you know about any solutions that let me keep the key for as long as it is needed?

like image 823
UJIN Avatar asked Nov 29 '18 16:11

UJIN

1 Answers

It looks like the accounts daemon is doing this task. You could refer this discussion thread for more details about this.

You might find the OS Login API a easier management option. Once enabled, you can use a single gcloud command or API call to add SSH keys.

like image 188
David Avatar answered Oct 02 '22 07:10

David
Sign in to Comment

Related questions

docker-compose network_mode: "host" doesn't seem to work
How to watch xvfb session that's inside a docker on remote server from my local browser?
How can I use the internal ip address of a container as an environment variable in Docker
Why is Internal memory in java Native Memory Tracking increasing
docker-compose fails at adding veth (virtual interface) to bridge docker0
Julia cluster using docker
Docker Compose Overriding
Docker build fails on COPY or ADD statement for entrypoint, Windows only
Docker: MySQL refuses host IP unless I restart it manually
Using SUID in Alpine Docker Image
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running
Login attempts to Nexus OSS Docker repo throwing 404
Dotnet core web api running inside docker fails to authenticate when consuming external WCF service
Env file is not read when I use docker-compose -f in a different directory
Error pushing docker hub using spotify/dockerfile-maven-plugin
Are there precautions that one should take when a Cassandra Docker container changes IP?
Docker on a linux VMware machine: error with apt-get and proxy
How to install tensorflow-1.2.1 in Docker which has alpine:3.7 as base image ? I am using python 3
How Do I Cache APT Packages In Bitbucket Pipelines?
How can one make a Docker Compose service build depend on another service?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!