SSH configuration
When to use
For remote operations Bacularis uses the OpenSSH client binaries:
SSH to execute commands on the remote host
SCP to copy files to the remote host
Apart from that, in the Bacularis web interface you can set up an SSH configuration for a single host or for a group of hosts (using wildcards). This configuration can be used during API host deployment for each SSH connection.
In the simplest scenario you do not need to create an SSH configuration via the web interface. The SSH configuration mainly helps to reuse common options when connecting to different hosts. For example, if SSH on a group of hosts listens on the non-standard port 1234, this can be set once in the SSH configuration and used for every host of that type.
Another case where the SSH configuration is useful is when some of the hosts use SSH key access and/or share the same administrator username. These values can also be saved in the SSH configuration, but this is not obligatory: both values can be selected manually for each deployment without creating an SSH configuration.
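The host-group options described above (non-standard port, shared administrator user, SSH key, wildcard host pattern) map directly onto the OpenSSH client configuration format. The following is an added example, not part of the Bacularis documentation or code: it writes a small ssh_config fragment to a temporary file and uses `ssh -G` to print the options ssh would actually apply to a given host name, which is the quickest way to confirm that a wildcard pattern matches the hosts you intended before a deployment uses it. The host names, user, port, key path and domain are constructed placeholders, and it is assumed here that the Bacularis SSH configuration follows the same host/wildcard model as ssh_config.

```shell
#!/bin/sh
# Added example (not Bacularis project code): group-wide OpenSSH client
# options for a set of hosts matched by a wildcard, verified with `ssh -G`.
# All host names, the user, port and key path are constructed placeholders.
set -eu

# Write a self-contained ssh_config fragment so the example never touches
# ~/.ssh/config or /etc/ssh/ssh_config (-F below makes ssh ignore both).
write_ssh_config() {
    cfg="$1"
    cat >"$cfg" <<'EOF'
# Every backup client in this (constructed) domain listens on port 1234 and
# is administered with the same user and the same deployment key.
Host *.clients.example.internal
    Port 1234
    User bacula-admin
    IdentityFile ~/.ssh/bacula_deploy_ed25519
    IdentitiesOnly yes

# The director is reached on the default port with a different user.
Host director.example.internal
    User root
EOF
}

# Print the effective value of one option for a host exactly as ssh resolves
# it from the given config file. -G only evaluates the configuration; no
# connection is made and the host name does not need to resolve.
effective_option() {
    cfg="$1"; host="$2"; option="$3"
    ssh -F "$cfg" -G "$host" | awk -v k="$option" '$1 == k { print $2; exit }'
}

main() {
    tmpdir=$(mktemp -d)
    cfg="$tmpdir/ssh_config"
    write_ssh_config "$cfg"
    for h in fd01.clients.example.internal director.example.internal; do
        printf '%s: port=%s user=%s\n' "$h" \
            "$(effective_option "$cfg" "$h" port)" \
            "$(effective_option "$cfg" "$h" user)"
    done
    rm -rf "$tmpdir"
}

# Run the demonstration only when an OpenSSH client is available.
if command -v ssh >/dev/null 2>&1; then
    main
else
    echo "ssh not found; nothing to demonstrate" >&2
fi
```

Running it prints `port=1234 user=bacula-admin` for the wildcard-matched client and `port=22 user=root` for the director. `ssh -G` keys are printed in lowercase, which is why the lookup uses `port` and `user`; the same command is useful for checking that a pattern does not accidentally match hosts outside the intended group.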
Authentication
There are three SSH authentication options:
using username and password
using username and SSH key
using username and SSH key from SSH configuration
The SSH key can be protected by a passphrase or not. If it is protected, then the field Key passphrase needs to be filled in.
For each of the authentication options it is possible to enable sudo for every command executed during deployment. This is especially useful when logging in as the root user is disabled and the only way to execute commands with administrator privileges is through sudo.
Security
Bacularis does not store and does not remember any SSH password or key passphrase. Every time the user types an SSH password or key passphrase, it is used on the fly without being saved anywhere. To type passwords into the SSH and SCP commands the expect program is used.
By default, newly deployed Bacularis API hosts have HTTPS enabled in the web server. Bacularis automatically prepares the web server certificate for each new host. During the first user access to the remote Bacularis API the certificate may be shown as untrusted (because it is self-signed) and the web browser will require confirmation, but even so the connection is encrypted.
Certificates are generated internally with the openssl program.
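Because the generated certificate is self-signed, the browser warning described above cannot tell a legitimate first connection from an intercepted one; the practical check is to compare the fingerprint of the certificate presented on the API port with the fingerprint of the certificate file on the host, obtained over the SSH session that was just used for deployment. The following is an added example, not Bacularis project code: it uses only the openssl program the page already mentions. The API host name, the HTTPS port and the certificate path are placeholders; Bacularis's actual certificate location and port are not given on this page and must be taken from your deployment.

```shell
#!/bin/sh
# Added example (not Bacularis project code): out-of-band verification of a
# self-signed API host certificate by SHA-256 fingerprint comparison.
# Host name, port and certificate path are constructed placeholders.
set -eu

# Fingerprint of a PEM certificate file. Run this on the API host itself
# (e.g. over the SSH session used for deployment) against the certificate
# Bacularis generated there; the path must be taken from your deployment.
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate actually presented on a TLS port. Chain
# verification is not enforced here on purpose (the certificate is self-signed
# and nothing signs it), so the value is only meaningful once compared with
# the file fingerprint from the host.
cert_fingerprint_remote() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Case-insensitive comparison of two colon-separated fingerprints.
# Returns 0 on a match; an empty fingerprint never matches.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: main <api-host> <https-port> [<fingerprint-from-host>]
main() {
    host="${1:-api-host.example.internal}"   # placeholder
    port="${2:-443}"                          # placeholder
    expected="${3:-}"                         # output of cert_fingerprint_file on the host
    seen=$(cert_fingerprint_remote "$host" "$port")
    printf 'presented on %s:%s: %s\n' "$host" "$port" "$seen"
    if [ -n "$expected" ]; then
        if fingerprints_match "$seen" "$expected"; then
            echo "fingerprint matches the certificate on the host"
        else
            echo "MISMATCH: do not accept this certificate" >&2
            return 1
        fi
    fi
}

# Only run when invoked with arguments, so sourcing the file is side-effect free.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Typical use: on the host, `openssl x509 -in <generated-cert.pem> -noout -fingerprint -sha256`; then from the workstation, `sh check_cert.sh api-host.example.internal 443 "<that fingerprint>"`. A match means the certificate the browser complains about is the one Bacularis generated on the host, and it is then reasonable to accept the browser's confirmation prompt for that host.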