SSH configuration

When to use

For remote operations, Bacularis works with the OpenSSH binaries. They are:

  • SSH to execute commands on the remote host

  • SCP to copy files to the remote host

Apart from that, in the Bacularis web interface you can set up an SSH configuration for a single host or for a group of hosts (using wildcards). This configuration can be used during API host deployment for each SSH connection.

In the simplest scenario you do not need to create an SSH configuration via the web interface. The SSH configuration mainly helps to apply common options when connecting to different hosts. For example, if SSH listens on the non-standard port 1234, this can be set in the SSH configuration and used for every host of that type.

Another case where an SSH configuration might be useful is when some of the hosts use SSH key access and/or the same administrator username. These values can be saved in the SSH configuration too. However, this is not obligatory, because both values can also be selected manually for a deployment without creating an SSH configuration.
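The two cases above, written in OpenSSH client configuration (ssh_config) syntax. This is an added example, not taken from Bacularis: the host names, user name and key path are constructed placeholders, and it assumes that the values saved in the web interface correspond to the OpenSSH options shown.

```sshconfig
# Constructed example: host names, user name and key path are placeholders.

# Exception for a single host. OpenSSH uses the first value it obtains for
# each option, so specific entries must come before wildcard entries.
Host db1.backup.example.org
    Port 22

# Group of hosts selected with a wildcard: all of them listen on the
# non-standard port 1234 and share one administrator account and one key.
Host *.backup.example.org
    Port 1234
    User bacadmin
    IdentityFile ~/.ssh/bacularis_deploy_ed25519
    # Offer only the key named above, not every key held by an SSH agent.
    IdentitiesOnly yes
```

With this layout db1.backup.example.org is reached on port 22 but still takes the user name and key from the wildcard entry.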

Authentication

There are three SSH authentication options:

  • using username and password

  • using username and SSH key

  • using username and SSH key from SSH configuration

The SSH key may or may not be protected by a passphrase. If it is protected, the Key passphrase field needs to be filled in.

For each of the authentication options it is possible to enable sudo for every command executed during deployment. This is especially useful when logging in as the root user is disabled and the only way to execute commands with administrator privileges is through sudo.

Security

Bacularis does not store or remember any SSH password or key passphrase. Every time the user types an SSH password or key passphrase, it is used on the fly without being saved anywhere. The expect program is used to enter passwords into the SSH and SCP commands.

By default, newly deployed Bacularis API hosts have HTTPS enabled in the web server. Bacularis automatically prepares the web server certificate for each new host. On the first user access to the remote Bacularis API, the certificate can be displayed as untrusted (because it is self-signed) and the web browser will require confirmation, but even so the connection is encrypted.

The openssl program is used internally to generate the certificates.