SSH configuration
When to use
For remote operations, Bacularis uses OpenSSH binaries:
SSH is used to execute commands on remote hosts
SCP is used to copy files to remote hosts
In the Bacularis web interface, you can set up SSH configurations for a single host or a group of hosts (using wildcards). These configurations can be used during API host deployment for each SSH connection.
In the simplest scenarios, you do not need to create an SSH configuration via the web interface. SSH configurations are primarily useful for applying common connection options across multiple hosts. For example, if SSH is configured on a non-standard port like 1234, you can define this in the SSH configuration to reuse it for all relevant hosts.
Another use case for SSH configurations is when a group of hosts uses SSH key authentication and/or a common administrator username. These values can be stored in the SSH configuration. However, this is optional because these values can also be set manually during deployment.
Authentication
There are three SSH authentication methods:
Using username and password
Using username and SSH key
Using username and SSH key from SSH configuration
The SSH key may be protected by a passphrase. If so, the Key passphrase field must be filled in.
For each authentication method, you can optionally enable sudo for all commands executed during deployment. This is especially useful when direct root login is disabled and administrative privileges must be obtained using sudo.
Security
Bacularis does not store or remember any SSH passwords or key passphrases. Each time a user enters an SSH password or passphrase, it is used immediately and not saved. The expect program is used to supply passwords to SSH and SCP commands.
By default, newly deployed Bacularis API hosts have HTTPS enabled on their web server. Bacularis automatically generates a web server certificate for each new host. During the first access to the remote Bacularis API, the browser may mark the certificate as untrusted (because it is self-signed) and request confirmation. Despite this warning, the connection remains encrypted.
Certificates are internally generated using the openssl program.
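The browser warning means the certificate cannot be tied to the host by a CA, so one way to confirm it before accepting it is to compare its SHA-256 fingerprint with one read on the host itself, for example over the SSH session used for deployment. The script below is an added example, not part of Bacularis; the function names, the host name, the port and the certificate path are placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not Bacularis code: compare the fingerprint of the certificate
# an API host serves with the fingerprint read from the certificate file on
# that host over a trusted channel.

# cert_fingerprint FILE -> SHA-256 fingerprint (colon-separated hex), empty on error
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# served_fingerprint HOST PORT -> fingerprint of the certificate the server presents
served_fingerprint() {
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$tmp" 2>/dev/null
    cert_fingerprint "$tmp"
    rm -f "$tmp"
}

# normalize_fp FP -> uppercase hex without colons or whitespace
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n\r' | tr 'a-f' 'A-F'
}

# fingerprints_match A B -> exit 0 only if both are the same 64-digit SHA-256 value
fingerprints_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Usage (placeholders: replace host, port and the certificate path on the host):
#   expected=$(ssh admin@api-host.example.com \
#       "openssl x509 -in /PATH/TO/CERT.pem -noout -fingerprint -sha256" | cut -d= -f2)
#   seen=$(served_fingerprint api-host.example.com PORT)
#   fingerprints_match "$expected" "$seen" && echo "certificate matches"
```

The same fingerprint can be compared by eye with the one the browser shows in its certificate details before the exception is confirmed.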