SSH configuration

When to use

For remote operations, Bacularis uses OpenSSH binaries:

  • SSH is used to execute commands on remote hosts

  • SCP is used to copy files to remote hosts

In the Bacularis web interface, you can set up SSH configurations for a single host or a group of hosts (using wildcards). These configurations can be used during API host deployment for each SSH connection.

In the simplest scenarios, you do not need to create an SSH configuration via the web interface. SSH configurations are primarily useful for applying common connection options across multiple hosts. For example, if SSH is configured on a non-standard port like 1234, you can define this in the SSH configuration to reuse it for all relevant hosts.

Another use case for SSH configurations is when a group of hosts uses SSH key authentication and/or a common administrator username. These values can be stored in the SSH configuration. However, this is optional because these values can also be set manually during deployment.
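
How a wildcard configuration with a shared port, username and key resolves for individual hosts, as an added example that is not part of the Bacularis documentation or code. It assumes the stored configurations follow OpenSSH ssh_config matching rules (the first value found for each option wins, and `!` negates a pattern); the host names, the bacadmin user, the key path and the function names are constructed for illustration.

```python
import re

# Constructed sample in OpenSSH ssh_config syntax (hosts, user and key path are made up).
SAMPLE_CONFIG = """
Host db1.backup.example.com
    Port 22

Host *.backup.example.com !legacy.backup.example.com
    Port 1234
    User bacadmin
    IdentityFile ~/.ssh/deploy_ed25519

Host *
    User root
"""

def _matches(host, patterns):
    """OpenSSH rule: some positive pattern must match and no negated one may."""
    def hit(pat):
        rx = re.escape(pat.lower()).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(rx, host.lower()) is not None
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    return any(hit(p) for p in positive) and not any(hit(p) for p in negated)

def effective_options(config_text, host):
    """Return the options that apply to host; the first value found for a keyword wins."""
    result, active = {}, True   # options before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "host":
            active = _matches(host, value.split())
        elif active:
            result.setdefault(keyword, value)
    return result

if __name__ == "__main__":
    for h in ("web01.backup.example.com", "db1.backup.example.com",
              "legacy.backup.example.com"):
        print(h, effective_options(SAMPLE_CONFIG, h))
```

The host-specific entry only overrides the group port because it appears before the wildcard entry, and the excluded host picks up neither the group key nor the group username.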

Authentication

There are three SSH authentication methods:

  • Using username and password

  • Using username and SSH key

  • Using username and SSH key from SSH configuration

The SSH key may be protected by a passphrase. If so, the Key passphrase field must be filled in.

For each authentication method, you can optionally enable sudo for all commands executed during deployment. This is especially useful when direct root login is disabled and administrative privileges must be obtained using sudo.

Security

Bacularis does not store or remember any SSH passwords or key passphrases. Each time a user enters an SSH password or passphrase, it is used immediately and not saved. The expect program is used to supply passwords to SSH and SCP commands.

By default, newly deployed Bacularis API hosts have HTTPS enabled on their web server. Bacularis automatically generates a web server certificate for each new host. During the first access to the remote Bacularis API, the browser may mark the certificate as untrusted (because it is self-signed) and request confirmation. Despite this warning, the connection remains encrypted, but the browser cannot verify the host's identity until the certificate is checked (for example, by comparing its fingerprint) and trusted.

Certificates are internally generated using the openssl program.