SSH
SSH is currently in early preview. We'd love to hear from you. Contact us or open a GitHub issue if you'd like to share feedback.
Setup
This guide will walk you through installing the Infra connector on a Linux machine so that you can connect to it with ssh
.
Login and enable SSH
On your desktop, download the Infra CLI and log in to Infra. If you don't yet have an Infra organization signup here.
infra login <your org>.infrahq.com --enable-ssh
Create a connector access key
infra keys add --connector
You will use this access key later in this guide.
Install Infra
Install Infra on the Linux SSH host.
Set up the repository
curl -fsSL https://pkg.infrahq.com/apt/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/infra.gpg sudo echo "deb [signed-by=/usr/share/keyrings/infra.gpg] https://pkg.infrahq.com/apt * *" | sudo tee /etc/apt/sources.list.d/infra.list > /dev/null
Install Infra
sudo apt-get update sudo apt-get install infra
Setup and start the Infra connector
Next, on the Linux SSH host, create a configuration file with the access key you created earlier.
Set these environment variables to appropriate values:
export INFRA_ACCESS_KEY="<connector access key>" export DESTINATION_HOST="<public ip or hostname>" export DESTINATION_NAME=example
And create the connector configuration file using those variables:
cat << EOF | sudo tee /etc/infra/connector.yaml kind: ssh name: $DESTINATION_NAME endpointAddr: $DESTINATION_HOST server: accessKey: $INFRA_ACCESS_KEY EOF sudo chmod 600 /etc/infra/connector.yaml sudo chown infra:infra /etc/infra/connector.yaml
Currently, the name of the destination (example
in the configuration above) cannot contain dots, and therefore can not be the IP address of the SSH host. This is due to a limitation within Infra that should be addressed soon.
Configure sshd
to use Infra:
cat << EOF | sudo tee -a /etc/ssh/sshd_config Match group infra-users AuthorizedKeysFile none PasswordAuthentication no AuthorizedKeysCommand /usr/local/sbin/infra sshd auth-keys %u %f AuthorizedKeysCommandUser infra EOF
Finally, restart sshd
service and start infra
:
sudo systemctl restart sshd sudo systemctl restart infra sudo systemctl enable infra
Your SSH host should be ready to receive connections!
Connect
On your desktop machine, give yourself access:
infra grants add <your email> example
example
is the name of the destination from connector.yaml
above.
Granting access to groups is not currently supported. This is coming soon.
Use infra list
to see you have access through Infra.
Next, access the server:
ssh <destination ip address>
You should be automatically authenticated and logged in. See your username:
whoami
Access Control
SSH access control is binary: either a user has access, or they don't.
For example, to grant a user access to a server:
infra grants add suzie@infrahq.com example
To revoke access:
infra grants remove suzie@infrahq.com example
Customizing
Sudo access
Setup sudo
to allow your user access to other accounts on the machine.
USERNAME=suzie echo "$USERNAME ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/$USERNAME
User provisioning
Infra creates users on the SSH host with useradd
. The default shell of the user, and other settings for useradd
can be customzied with /etc/defaults/useradd
. See the useradd
man page for more details.
When a user's access is removed the user and their home directory will be removed from the system with userdel
.